A financial penalty of $15,000 was imposed on Orchard Turn Developments for failing to make reasonable security arrangements to protect the personal data of its members that was stored on its server. Orchard Turn Developments was also directed to patch all system vulnerabilities already identified, to conduct a penetration test and rectify any new weaknesses it identifies, and to implement a password management policy and train staff on password management best practices.
From the decision:
In this case, the Complainant received two unauthorised emails, purportedly sent by the Organisation promoting “free” ION+ Reward points. Investigations discovered that an unknown perpetrator had gained unauthorised access to a server that held personal data of the Organisation’s members. The perpetrator then used an application on the compromised server to send the unauthorised emails to the Organisation’s members using their personal data that was held in the server. This data breach incident raised the question of whether the Organisation had met its Protection Obligation under the Personal Data Protection Act 2012 (“PDPA”) to make reasonable security arrangements to sufficiently protect personal data held on the server.
Read more about the decision on the Commissioner’s site.