SINGAPORE – Non-profit nature group Nature Society (Singapore) has been fined $14,000 for failing to put in place reasonable measures to protect personal data and other breaches of the Personal Data Protection Act (PDPA).
In a written decision published on Jan 14, Singapore’s privacy watchdog, the Personal Data Protection Commission (PDPC), noted that the organisation did not have written policies and practices necessary to comply with data privacy laws and did not appoint a data protection officer.
The personal data of 5,131 members and non-members who had created membership and user accounts on Nature Society's website was affected in an incident that surfaced on Nov 6, 2020.
A news report at the time described hacked databases being offered for download on several hacking forums and Telegram channels, and named the nature group as one of the affected organisations.
The affected datasets comprised names, encrypted passwords, e-mail addresses, telephone numbers and birth dates.
Following the breach, Nature Society engaged two IT professionals to investigate and analyse its website. Their review found vulnerabilities in the website and suspicious activity in the period before the attack.
It took several measures to address this, including removing all members’ and users’ data from the website database, notifying affected individuals, developing and implementing a personal data policy and engaging vendors to develop a new website to improve security.
The PDPC highlighted several breaches of the Act in its decision, including that Nature Society had not designated one or more individuals to be responsible for ensuring that the organisation complies with the PDPA.
The responsibilities of a data protection officer include handling and managing personal data queries and complaints, and ensuring compliance with the PDPA.
Nature Society also admitted that it did not develop and implement any data protection policy prior to the incident.
In its decision, the PDPC noted: “In this regard, it is important to reiterate that at the very basic level, an overarching personal data protection policy has to be developed and implemented to ensure a consistent minimum data protection standard across an organisation’s practices, procedures and activities.”
In arriving at its decision, the commission took into consideration Nature Society’s upfront voluntary admission of liability, which significantly reduced the time and resources for investigations, the fact that it is a non-profit, registered society, and its prompt remedial actions.