In December 2021, Eatigo International Pte. Ltd., an online restaurant reservation platform, was fined SGD 30,000 for breaching the Personal Data Protection Act (PDPA). The incident involved unauthorized access to personal data, which highlighted the importance of organizations ensuring that personal data is safeguarded. In this blog post, we will delve into the details of the Eatigo International PDPA breach, the penalty imposed by the Personal Data Protection Commission (PDPC), and the lessons that organizations can learn from this incident to improve their own PDPA compliance practices.
Eatigo International's PDPA Breach
The PDPA breach occurred when an Eatigo International employee accessed the personal data of over 2,000 users without authorization. The personal data involved included names, contact details, and reservation histories. The breach was discovered during an internal audit conducted by Eatigo International, and the company reported the breach to the PDPC in accordance with the mandatory breach notification requirements under the PDPA.
Upon investigation, the PDPC found that Eatigo International had failed to implement adequate security measures to prevent unauthorized access to personal data. The PDPC also found that Eatigo International had failed to conduct regular checks and audits to ensure that employees were only accessing personal data on a need-to-know basis. As a result, Eatigo International was fined SGD 30,000 for non-compliance with the PDPA.
PDPA Penalty for Non-Compliance
The PDPA imposes significant obligations on organizations that handle personal data, and failing to meet them exposes an organization to financial penalties, directions from the PDPC, and reputational harm. In Eatigo International's case, the SGD 30,000 fine was imposed for failing to implement adequate security measures and for failing to conduct regular checks and audits of employee access to personal data.
At the time of the decision, the PDPA allowed organizations to be fined up to SGD 1 million for serious breaches of the Act, such as collecting, using, or disclosing personal data without consent, or failing to put in place reasonable security arrangements to protect personal data (later amendments to the Act have raised this cap). The PDPC can also issue directions requiring an organization to stop or rectify non-compliant practices.
Lessons to Learn from Eatigo International's PDPA Breach
The Eatigo International PDPA breach and subsequent penalty provide several valuable lessons for organizations to improve their own PDPA compliance practices:
Implement access controls: Limit employee access to personal data to what each role needs (need-to-know). In practice this means role-based access control with permissions tied to job function, multi-factor authentication on the systems that hold personal data, and logging of every read of a customer record so that access can be reviewed later. Insider misuse, as in this case, is an authorized account used outside its purpose, so the control has to be enforced per record and per role, not only at login.
Conduct regular checks and audits: Review who holds access to personal data and whether each grant is still justified, and review access logs for reads that fall outside a role's remit or for one account reading unusually many records. Penetration testing, vulnerability scanning, and security assessments complement these reviews by confirming that the technical controls work, but they do not by themselves show whether an employee's access was justified.
Train employees: Staff should understand their obligations under the PDPA and how to handle personal data securely. Training should cover password hygiene, device encryption, the accepted reasons for accessing customer records, and how to report suspicious activity.
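To make the first two points concrete, the following is an added example written for this post (not code from Eatigo International or from the PDPC) of a need-to-know check on customer-record reads together with an audit pass over access logs. The role model, user names, customer IDs, ticket references, threshold and log lines are all constructed for illustration. The audit flags reads outside a role's permitted fields and any account that reads many distinct customers within a short window, which is the pattern an internal audit would need to catch in an incident like this one.

```python
"""Added example: need-to-know access check plus access-log audit.
Not Eatigo's or the PDPC's code; all roles, names, IDs and log lines are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical role model: the customer-record fields each role may read.
ROLE_PERMISSIONS = {
    "support": {"name", "contact", "reservations"},  # resolves customer tickets
    "finance": {"name", "reservations"},             # reconciles bookings, no contact details
    "marketing": set(),                              # works from aggregates, no per-customer reads
}


@dataclass
class AccessEvent:
    ts: datetime
    actor: str
    role: str
    customer_id: str
    field: str
    justification: str  # e.g. a ticket reference; empty when none was recorded


def is_authorized(event: AccessEvent) -> bool:
    """Need-to-know check: the role must permit the field and a reason must be recorded."""
    permitted = ROLE_PERMISSIONS.get(event.role, set())
    return event.field in permitted and bool(event.justification)


def parse_log(lines):
    """Parse constructed log lines of the form ts|actor|role|customer_id|field|justification."""
    events = []
    for line in lines:
        ts, actor, role, cid, field, reason = line.strip().split("|")
        events.append(AccessEvent(datetime.fromisoformat(ts), actor, role, cid, field, reason))
    return events


def audit(events, bulk_threshold=50, window=timedelta(hours=1)):
    """Return findings: reads outside the role's remit, and accounts that read at least
    bulk_threshold distinct customers within any window-sized period."""
    findings = [("unauthorized", e.actor, e.customer_id, e.field)
                for e in events if not is_authorized(e)]
    by_actor = defaultdict(list)
    for e in events:
        by_actor[e.actor].append(e)
    for actor, evs in by_actor.items():
        evs.sort(key=lambda e: e.ts)
        peak = 0
        for i, start in enumerate(evs):  # sliding window anchored at each event
            distinct = {e.customer_id for e in evs[i:] if e.ts - start.ts <= window}
            peak = max(peak, len(distinct))
        if peak >= bulk_threshold:
            findings.append(("bulk_access", actor, peak))
    return findings


# Constructed access log: two legitimate support reads, one finance read of a field the role
# may not see, one marketing read with no per-customer entitlement, and one support account
# that reads 60 different customers within an hour under a single ticket reference.
SAMPLE_LOG = [
    "2021-03-01T09:00:00|a.lim|support|C1001|contact|TCK-4411",
    "2021-03-01T09:05:00|a.lim|support|C1002|reservations|TCK-4412",
    "2021-03-01T09:10:00|b.ng|finance|C1003|contact|INV-220",
    "2021-03-01T09:12:00|c.koh|marketing|C1004|name|",
] + [f"2021-03-01T10:{i:02d}:00|m.tan|support|C{2000 + i}|contact|TCK-9001" for i in range(60)]


def run_audit():
    """Run the audit over the constructed log and return the findings."""
    return audit(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for finding in run_audit():
        print(finding)
```

Every one of m.tan's reads passes the per-record check, because the role permits the field and a ticket reference is present; only the bulk-access rule catches the pattern. That is why an access review needs both a policy check at request time and a periodic look at aggregate behaviour in the logs. The threshold of 50 customers per hour is an assumed value to be tuned to what a given role legitimately handles.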
In addition, the PDPA requires organizations to designate a Data Protection Officer (DPO) to oversee compliance and ensure that adequate measures are in place to safeguard personal data. The DPO should own the schedule of access reviews and audits, the PDPA training programme for employees, and the process for notifying the PDPC of data breaches in a timely manner.
The Eatigo International case is a reminder that personal data must be protected against misuse from inside the organization as well as from outside. Non-compliance with the PDPA can bring significant penalties and reputational damage. Implementing need-to-know access controls, auditing access regularly, and training employees on their PDPA obligations are the practical steps that keep an organization compliant and reduce the chance that an incident like this one goes undetected.
References
Channel NewsAsia. (2021, December 17). Eatigo fined S$30,000 for personal data breach affecting over 2,000 users. Retrieved from https://www.channelnewsasia.com/singapore/eatigo-personal-data-breach-fine-pdpc-2411841
Personal Data Protection Commission. (n.d.). The Personal Data Protection Act. Retrieved from https://www.pdpc.gov.sg/Legislation-and-Guidelines/Personal-Data-Protection-Act
Wong, J. (2021, December 17). Online restaurant booking platform Eatigo fined S$30,000 for data breach affecting over 2,000 users. Today Online. Retrieved from https://www.todayonline.com/singapore/online-restaurant-booking-platform-eatigo-fined-s30000-data-breach-affecting-over-2000