Date: 2019-09-17

Most data leaks were not due to hacking, but companies failing to meet their obligations, a report by the Data Protection Excellence (DPEX) Centre found.

26 companies in Singapore have been fined a total of S$1.28 million for breaching the Personal Data Protection Act (PDPA) this year.

This is a record high since the PDPA came into effect in 2016.

The figures are only for January to August, and are expected to be even higher by December.

The top 3 industries with PDPA breaches are finance, retail, and non-profits.

2019 isn’t even over, but a record number of companies here have already been slapped with fines for being careless with consumers’ personal data.

Even worse, more are expected to do the same before the year ends, according to findings from the Data Protection Excellence (DPEX) Centre published on Tuesday (Sept 17).

The number of fines or warnings issued for personal data protection breaches as of August this year was 26, compared to 23 in 2018, 18 in 2017, and 23 in 2016, DPEX’s report said.

It added that the total number of organisations slapped with fines or warnings for 2019 was “expected to continue to rise” until the year end.


In all, S$1.28 million in fines was issued this year by the Personal Data Protection Commission (PDPC) – over three times the total combined fines between 2016 and 2018.

A major reason was the S$1 million penalty slapped on SingHealth and IHiS for a disastrous data breach last year that compromised the medical records of millions of Singaporeans, including Prime Minister Lee Hsien Loong.


Nevertheless, the report said that even after removing the SingHealth fine, the remaining sum of S$280,000 was still double that of last year’s S$141,500 total.

Among personal data breach cases, 80 per cent of data leaks had occurred due to a breach of protection obligations, and not because of cyber attacks like hacking, DPEX head Kevin Shepherdson said.

Under the PDPC protection obligation, companies must make reasonable security arrangements to ensure consumers’ personal data is not leaked, including hiring cybersecurity personnel and responding quickly to data breaches.

Two other rules organisations commonly broke were not obtaining consent from consumers to collect data, and not having any data protection policies, Shepherdson added.

The DPEX report found that untrained staff were the top cause of breaches, followed by a lack of data policies and inadequate digital security.

Other factors included setting weak passwords, sending information to the wrong recipient, and processing errors.

The top three industries where personal data breaches happened most often were finance, retail, and non-profit organisations.


Together, these accounted for almost 40 per cent of all cases since 2016.

Rounding out the top five culprits were the professional services industry (including financial advisories and consultancies) and the food and beverage industry, the report said.

