On September 15, 2023, the Personal Data Protection Commission (PDPC) published its decision in Case No. DP-2212-C0526, in which it issued a fine of SGD 9,000 (approx. $6,600) to Century Evergreen Private Limited for violations of the Personal Data Protection Act 2012 (No. 26 of 2012) (PDPA), following a security incident.

Background to the decision

In particular, the PDPC outlined that images of identification documents (including the National Registration Identity Card) submitted by jobseekers to Century Evergreen were publicly accessible on Century Evergreen's website.

Findings of the PDPC

The PDPC found that Century Evergreen had a vulnerability on its website, which allowed manipulation of the URL, and that such vulnerability had existed from the time the website was launched on November 9, 2015. As a result of this vulnerability, the PDPC noted that 96,889 images of identification documents belonging to 23,940 individuals were downloaded from Century Evergreen's website from December 10 to 12, 2022. Accordingly, the PDPC determined that Century Evergreen was in violation of Article 24(a) of the PDPA owing to the failure to include any security requirements to protect personal data in its contract with the vendor who first developed and subsequently maintained the website. 

Outcomes

In light of the above, the PDPC imposed a fine of SGD 9,000 (approx. $6,600) on Century Evergreen.

You can read the press release here and the decision here.