The Personal Data Protection Commission (PDPC) has imposed a penalty of SGD 74,000 on Commeasure, a local firm which operates the website RedDoorz.
However, the amount is much lower than the combined SGD 1 million fine imposed on SingHealth and Integrated Health Information Systems for the 2018 data breach which affected 1.5 million people, The Straits Times newspaper reported.
According to PDPC, the amount of the fine was finalised taking into consideration the hardship on the hospitality sector caused by the COVID-19 pandemic.
“In deciding the amount of financial penalty to be imposed, we also considered that the organisation, which operates in the hospitality industry, had been severely impacted by the Covid-19 pandemic,” the PDPC said in its judgment issued last Thursday.
“This is the largest data breach that has occurred since the Personal Data Protection Act came into effect,” it said.
Commeasure found out about the breach on September 19 last year after an American cyber-security firm alerted the company.
RedDoorz said most of the compromised data came from the booking platform’s largest market, Indonesia. The company’s customers are all from South-east Asia. It is understood that about 9,000 of the affected people are from Singapore.
The compromised data included customers’ names, contact numbers, e-mail addresses, dates of birth, encrypted passwords to their RedDoorz accounts and booking information. The hackers did not access or download customers’ masked credit card numbers.
The stolen data was put up for sale on a hacker forum before it was taken down, according to a report in Singapore’s Business Times last year.
Commeasure informed the affected customers about the data breach on September 26 last year and advised them to change their RedDoorz account passwords. The PDPC was notified on September 25.