Singapore: PDPC fines RedMart SGD 72,000 for failure to ensure security controls
The Personal Data Protection Commission ('PDPC') published, on 19 December 2022, its decision in Case No. DP-2010-B7266, in which it imposed a fine of SGD 72,000 (approx. €50,112) on RedMart Pte., Ltd. for violation of Section 24 of the Personal Data Protection Act 2012 (No. 26 of 2012) ('PDPA'), following a security incident.
Background to the decision
In particular, the PDPC highlighted that it had received notification of the sale of a database of RedMart customers on an online forum, on 29 October 2020. Notably, the PDPC outlined that RedMart was acquired by Lazada Singapore Pte. Ltd. in 2016, that the migration of RedMart's system to Lazada's was not completed, and that RedMart failed to encrypt the database or implement any password authentication requirement to access the new database.
Findings of the PDPC
Following its investigation, the PDPC found that in September 2020 an unidentified threat actor gained unauthorised access to the RedMart operations teams database, and proceeded to exfiltrate the affected database. On this, the PDPC provided that the database contained the information of around 898,791 individuals, with the types of personal information including, among others, name, email address, partial credit card information, and hashed passwords belonging to RedMart customer accounts.
Accordingly, the PDPC provided that there is no one-size-fits-all approach to reasonable security steps or arrangements for personal data, and that organisations must take into account the nature of personal data, the form in which it is collected, and the possible impact on persons if an unauthorised person obtained, modified, or disposed of the personal data. Furthermore, considering the high volume of personal data and failure to implement reasonable access controls on employees' GitHub accounts in particular, the PDPC found RedMart to have failed to implement reasonable security arrangements, thereby violating Section 24 of the PDPA.
Outcomes
As a result, the PDPC imposed the aforementioned fine for violation of Section 24 of the PDPA, taking into account RedMart's admission of breach and the remedial measures subsequently taken by RedMart.