Launched in May last year, Zero1 is Singapore’s third mobile virtual network operator (MVNO), after Circles.Life and Zero Mobile.
The Personal Data Protection Commission (PDPC) announced on its website today that Zero1 has breached privacy laws, making it the first telco to do so.
It was charged a $4,000 fine last month for failing to secure customers’ personal details.
According to PDPC, Zero1’s courier partner XDel Singapore was also fined $7,000 for causing the disclosure.
It was contracted by Zero1 to deliver SIM cards to subscribers and the latter wrongfully accessed the information of subscribers and authorised recipients.
Zero1 subscribers would register for the mobile services online, furnishing details like their names, NRIC numbers, delivery addresses and contact numbers.
This same set of data is also given by an authorised recipient to collect the delivery on behalf of the subscriber.
These information are logged on to a delivery notification site developed by XDel, which allows the subscribers to monitor the status of the SIM card delivery.
According to PDPC, the unauthorised access of these information was discovered after a post on an online forum warned other users about the issue.
XDel admitted to the PDPC that it had failed to adequately test the system’s safety.
PDPC said the fault also lies on Zero1 for failing to make reasonable security arrangements.
The personal data of the Zero1 customers and the authorised recipients originated from Zero1 and was under Zero1’s possession and/or control.
For this reason, Zero1 had the obligation under section 24 of the PDPA to protect the personal data of its customers and that of the authorised recipients.
– Yeong Zee Kin, PDPC deputy commissioner
Under Section 24 of the Personal Data Protection Act, firms are required to make reasonable security arrangements to protect the personal data that they possess or control, and to prevent unauthorised access, collection, use, disclosure or similar risks.
Featured Image Credit: MustShareNews / Zero1
