SINGAPORE – Non-profit nature group Nature Society (Singapore) has been fined $14,000 for failing to put in place reasonable measures to protect personal data and other breaches of the Personal Data Protection Act (PDPA).
In a written decision published on Jan 14, Singapore’s privacy watchdog, the Personal Data Protection Commission (PDPC), noted that the organisation did not have written policies and practices necessary to comply with data privacy laws and did not appoint a data protection officer.
The personal data of 5,131 members and non-members who had created membership and user accounts on Nature Society’s website was found to be affected in an incident which surfaced on Nov 6, 2020.
An article had reported then about hacked databases being made available for download on several hacking forums and Telegram channels, with the nature group named as one of the affected organisations.
The datasets affected comprised data including names, encrypted passwords, e-mail addresses, phone numbers and birth dates.
Following the breach, Nature Society engaged two IT professionals to carry out an investigation and evaluation of its website, which revealed vulnerabilities in its website and suspicious activities prior to the attack.
It took several measures to address this, including removing all members’ and users’ data from the website database, notifying affected individuals, developing and implementing a personal data policy and engaging vendors to develop a new website to improve security.
The PDPC highlighted several breaches in its judgment, including how Nature Society did not designate one or more individuals to be responsible for ensuring that the organisation complies with the PDPA.
The responsibilities of a data protection officer include handling and managing personal data queries and complaints, and ensuring compliance with the PDPA.
Nature Society also admitted that it did not develop and implement any data protection policy prior to the incident.
In its decision, the PDPC noted: “In this regard, it is important to reiterate that at the very basic level, an overarching personal data protection policy must be developed and implemented to ensure a consistent minimum data protection standard across an organisation’s practices, procedures and activities.”
In arriving at its decision, the commission took into account Nature Society’s upfront voluntary admission of liability, which significantly reduced the time and resources for investigations, the fact that it is a non-profit, registered society, and its prompt remedial actions.