2019 Is A ‘Fine’ Year: PDPC Has Fined S’pore Firms A Record $1.29M For Data Breaches

We’re about three quarters through the year, but 2019 has already seen the highest amount of fines for data privacy breaches than any other year in Singapore.

Up till mid-September 2019, the Personal Data Protection Commission (PDPC) has issued over $1.29 million in fines to companies that breached the Personal Data Protection Act (PDPA).

To put things into perspective, this is more than the collective amount of fines meted out across the past three years.

The spike in fines is most notably attributed to the SingHealth cyberattack in which the data of 1.5 million patients was stolen, including Prime Minister Lee Hsien Loong’s.

While the breach was detected and reported to the authorities last year, PDPC issued its decision in January 2019.

singhealth fined for data breach singapore pdpa
Screenshot from PDPC website

Integrated Health Information Systems (IHiS) was fined $750,000 and SingHealth was fined $250,000—a total of $1 million together.

This incident contributed the main bulk of the increase in fines this year, which reflects how severe its impact had been.

Along with IHiS and SingHealth, a total of 29 entities were fined or have received warnings from PDPC in 2019 so far.

The largest fines after IHiS and SingHealth were $54,000 and $33,000 doled out to Horizon Fast Ferry and DS Human Resource respectively.

data breach singapore pdpc pdpa
Some fines meted out for data breaches in 2019, from PDPC website

Fines for data breaches also landed on other Singapore firms this year including GrabCar, Genki Sushi, AIA and COURTS.

In 2018, GrabCar detected that it had mistakenly leaked more than 120,000 customers’ names and mobile numbers as a result of an “email mismatch”.

The firm then said it promptly notified PDPC and immediately began to “put in place more rigorous data validation and checks”.

More recently, Genki Sushi suffered a ransomware attack that compromised the sensitive data of 360 current and former employees, such as their NRIC numbers, mobile numbers and bank account information.

Investigations into their leak showed that the popular sushi chain did not appropriately set up and configure a firewall to protect their server from external threats.

Both GrabCar and Genki Sushi were each fined $16,000.

The rise in fines for data breaches could indicate that hackers and ransomware are getting more advanced, making attacks more frequent.

On the other hand, however, it may also reflect more awareness and alertness from companies and the public to detect and report cyber attacks, as PDPC only enforces penalties based on complaints they receive.

Cybersecurity will probably continue to be a big issue in coming years, so it remains important for organisations to prevent lapses in their processes and beef up their defence capabilities against such cyber attacks.

Featured Image Credit: Synergy Projects Development / Autofreaks / Titas Travels

Subscribe to our newsletter

Stay updated with Vulcan Post weekly curated news and updates.


Vulcan Post aims to be the knowledge hub of Singapore and Malaysia.

© 2021 GRVTY Media Pte. Ltd.
(UEN 201431998C.)

Vulcan Post aims to be the knowledge hub of Singapore and Malaysia.

© 2021 GRVTY Media Pte. Ltd.
(UEN 201431998C.)