Singapore’s Personal Data Commission has imposed a $10,000 penalty on Propnex Realty
for failing to make reasonable security arrangements to prevent unauthorized access of individuals’ personal data stored online.
On December 28, 2015, the Personal Data Protection Commission (“Commission”) received a complaint from a complainant in relation to the publication online of the Propnex Realty’s internal Do Not Call list containing the personal data of 1765 individuals, including the complainant and her sisters. The list could be accessed directly through the url with no authentication required, or via a Google search for an individual’s name or “do not call list.”
The PropNex DNC List included the following personal data:
- mobile number and/or landline;
- full or partial residential address;
- date of complaint by a particular individual;
- email address; and
- internal instructions by the Organization to its agents with regard to the individuals.
You’ll likely want to read the Commission’s findings and comments on the firm’s data security and why it was found inadequate.
Propnex was also directed to cease the storage of documents containing personal data via its system until a security scan had been conducted.
You can access the full enforcement notice for Case Number: DP-1512-A613 here (pdf).