Things are heating up for Singapore-based F&B operator Spize again.
In December last year, it caused a mass food poisoning incident which led to the closure of its River Valley outlet.
Last Friday (5 July), Spize was fined $20,000 for leaking its customers’ personal data, such as their names, contact numbers, as well as e-mail and residential addresses.
A total of 148 customers were affected, with their data disclosed on Spize’s online ordering portal on or around 9 February 2017.
Spize was informed about the leak two days later, and requested its software provider Novadine to fix the issue.
However, the Personal Data Protection Commission (PDPC) was only notified about the leak on 12 August 2017.
The leak was traced to a user who logged onto the managing director’s administrator account and made the link containing the personal information publicly accessible.
The link was meant to be for internal use, but was made publicly accessible instead.
According to a PDPC report, the link has not been publicly accessible since 16 August 2017.
Spize Lacks Data Protection Policies, Knowledge
The report also said that Spize lacked knowledge of the ordering system and of the security arrangements protecting the personal data it held, and had to depend on external parties (i.e. Novadine) to handle its data.
Deputy PDPC Commissioner Yeong Zee Kin noted that the company had no password policy when the leak happened, and the password for the managing director’s administrator account was shared among several people at the time of the incident.
This resulted in Spize not being able to identify the employee responsible for enabling public access to the link.
Spize also did not have any data protection policies, internal guidelines or accompanying terms and conditions in place when the incident took place, all of which are required under the Personal Data Protection Act (PDPA).
The company failed to make available on request information about its implemented policies and practices on how Novadine was to process personal data on its behalf, and also did not consider its obligations when transferring personal data outside Singapore.
The deputy commissioner added that the decision took into consideration mitigating factors, such as how Spize has taken steps to implement a customised data protection framework, conduct data protection training for its employees, and put in place proper access controls within the system.
The firm has been directed to put in place a data protection policy and internal guidelines to comply with the provisions of the PDPA and train all employees handling personal data on the obligations of the Act.
In addition, Spize is required to put in place proper access controls for administrator accounts within its ordering systems.
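The two findings above, a shared administrator password that left the responsible employee unidentifiable, and the directive to put proper access controls on administrator accounts, come down to one design point: actions on an admin console should be attributable to a named individual and gated by role. The following is an added illustration written for this article; it is not code from Spize, Novadine or the PDPC, and the console, report name and user names (`md_admin`, `alice`, `bob`) are constructed. It contrasts a shared admin identity, where the audit trail can only ever name the shared account, with individual accounts, where the same action is attributable and a non-admin attempt is refused and logged.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Principal:
    """A logged-in user. With shared credentials, several people map to one user_id."""
    user_id: str
    roles: frozenset


@dataclass
class OrderReport:
    """An internal link/report on the ordering portal; `public` is the flag at issue."""
    report_id: str
    public: bool = False


@dataclass(frozen=True)
class AuditEvent:
    when: str
    user_id: str
    action: str
    target: str


class AdminConsole:
    """Hypothetical ordering-portal admin console (constructed for this example)."""

    def __init__(self) -> None:
        self.audit_log = []  # append-only list of AuditEvent

    def _record(self, actor: Principal, action: str, target: str) -> None:
        stamp = datetime.now(timezone.utc).isoformat()
        self.audit_log.append(AuditEvent(stamp, actor.user_id, action, target))

    def set_public(self, actor: Principal, report: OrderReport, public: bool) -> None:
        # Access control: only principals holding the admin role may change visibility.
        if "admin" not in actor.roles:
            self._record(actor, "denied:set_public", report.report_id)
            raise PermissionError(f"{actor.user_id} may not change visibility of {report.report_id}")
        report.public = public
        self._record(actor, f"set_public={public}", report.report_id)

    def who_made_public(self, report_id: str) -> set:
        """Identities the audit trail can attribute a 'made public' action to."""
        return {e.user_id for e in self.audit_log
                if e.target == report_id and e.action == "set_public=True"}

    def denied_actors(self, report_id: str) -> list:
        """Identities whose attempt to change visibility was refused."""
        return [e.user_id for e in self.audit_log
                if e.target == report_id and e.action == "denied:set_public"]


def shared_account_scenario() -> set:
    """Three staff all sign in with one shared admin credential (constructed scenario)."""
    console = AdminConsole()
    report = OrderReport("orders-report")
    shared_admin = Principal("md_admin", frozenset({"admin"}))
    # Three different people act, but the system only ever sees the shared identity.
    for _person in ("staff-1", "staff-2", "staff-3"):
        console.set_public(shared_admin, report, public=True)
    # The log can only say "md_admin" did it; which person is unrecoverable.
    return console.who_made_public(report.report_id)


def individual_accounts_scenario() -> dict:
    """Named accounts with distinct roles: actions are attributable, least privilege applies."""
    console = AdminConsole()
    report = OrderReport("orders-report")
    alice = Principal("alice", frozenset({"admin"}))
    bob = Principal("bob", frozenset({"order_staff"}))
    try:
        console.set_public(bob, report, public=True)  # no admin role: refused and logged
    except PermissionError:
        pass
    console.set_public(alice, report, public=True)  # permitted and attributable to alice
    return {
        "made_public_by": console.who_made_public(report.report_id),
        "denied": console.denied_actors(report.report_id),
        "public": report.public,
    }


if __name__ == "__main__":
    print("shared account:", shared_account_scenario())
    print("individual accounts:", individual_accounts_scenario())
```

The shared-credential run returns only `{'md_admin'}` however many people used the account, which is exactly the attribution gap the PDPC described; the individual-account run names `alice` as the actor and records `bob`'s refused attempt, giving both the access control and the audit trail the directive calls for.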
Featured Image Credit: Google Map