Singapore: PDPC issues SGD 9,000 fine to Century Evergreen following data breach
On September 15, 2023, the Personal Data Protection Commission (PDPC) published its decision in Case No. DP-2212-C0526, in which it issued a fine of SGD 9,000 (approx. $6,600) to Century Evergreen Private Limited for violations of the Personal Data Protection Act 2012 (No. 26 of 2012) (PDPA), following a security incident.
Background to the decision
The PDPC outlined that images of identification documents (including the National Registration Identity Card) submitted by jobseekers to Century Evergreen were publicly accessible on Century Evergreen's website.
Findings of the PDPC
The PDPC found that Century Evergreen had a vulnerability on its website, which allowed manipulation of the URL, and that such vulnerability had existed from the time the website was launched on November 9, 2015. As a result of this vulnerability, the PDPC noted that 96,889 images of identification documents belonging to 23,940 individuals were downloaded from Century Evergreen's website from December 10 to 12, 2022. Accordingly, the PDPC determined that Century Evergreen was in violation of Article 24(a) of the PDPA owing to the failure to include any security requirements to protect personal data in its contract with the vendor who first developed and subsequently maintained the website.
In light of the above, the PDPC imposed a fine of SGD 9,000 (approx. $6,600) on Century Evergreen.