The Ninja Sensei’s Logbook: Storing data on an outdated server without checking whether it contains personal data is a disaster!
Storing personal data on an outdated server is a recipe for disaster, as OrangeTee & Tie painfully discovered when the PDPC ordered them to pay a substantial financial penalty of S$37,000 due to a breach caused by their outdated server.
Note that the outcome could have been different if the stored data had not contained any personal information. The PDPA applies only when personal data is compromised, that is, data from which an individual can be identified.
For Secur Solutions Group, the data protection lesson was just as hard.
Secur has been working with the Health Sciences Authority (HSA) since 2013 to develop and maintain IT systems, including the Queue Management System (QMS) for blood donors. HSA provided Secur with files for testing and developing the QMS, and Secur stored these files on an unpatched server, not anticipating that they contained personal data.
That server was easily hacked by bad actors. Since it contained personal data, the PDPC imposed a whopping fine of S$120,000. This could have been prevented if Secur had practised due diligence in handling the data provided by HSA and checked whether it contained personal data. Had it done so, Secur would have known to handle the data it received from HSA with the care that personal data requires.
The key takeaway from both cases is that there is no room for complacency when it comes to handling personal data. Organisations must always check the data they manage so that they know what it contains and can put the proper security measures in place.
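The check both cases turned on is a simple one: before a file is staged on a test or development host, find out whether it contains personal data. The script below is an added illustration of such a pre-staging check and is not code from Privacy Ninja, Secur, HSA or the PDPC. It scans text for Singapore NRIC/FIN numbers (validated with the publicly documented checksum for the S, T, F and G prefixes so that random letter-digit strings are not flagged), e-mail addresses and local mobile numbers, and returns a block/allow decision. The sample CSV export, the names and every identifier in it are constructed for the example and match no real person.

```python
import re
from dataclasses import dataclass

# Pattern set used by this example (an assumption: a real deployment would
# extend it to whatever identifiers its own data holds, e.g. passport numbers).
NRIC_RE = re.compile(r"\b([STFG])(\d{7})([A-Z])\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
SG_MOBILE_RE = re.compile(r"(?<!\d)(?:\+65[ -]?)?[89]\d{7}(?!\d)")

# NRIC/FIN checksum: weighted digit sum, +4 for T/G prefixes, check letter
# chosen from the prefix-specific alphabet by (sum mod 11).
_WEIGHTS = (2, 7, 6, 5, 4, 3, 2)
_CHECK_LETTERS = {
    "S": "JZIHGFEDCBA", "T": "JZIHGFEDCBA",
    "F": "XWUTRQPNMLK", "G": "XWUTRQPNMLK",
}


def nric_checksum_ok(value: str) -> bool:
    """True if value is a structurally valid S/T/F/G-series NRIC or FIN.
    Other prefixes are not validated by this example."""
    m = NRIC_RE.fullmatch(value.upper())
    if not m:
        return False
    prefix, digits, check = m.groups()
    total = sum(w * int(d) for w, d in zip(_WEIGHTS, digits))
    if prefix in ("T", "G"):
        total += 4
    return _CHECK_LETTERS[prefix][total % 11] == check


@dataclass(frozen=True)
class Finding:
    kind: str      # "nric", "email" or "mobile"
    value: str     # the matched text
    line_no: int   # 1-based line in the scanned text


def scan_text(text: str) -> list[Finding]:
    """Return every personal-data indicator found in text, in document order."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in NRIC_RE.finditer(line):
            if nric_checksum_ok(m.group(0)):       # drop look-alikes
                findings.append(Finding("nric", m.group(0), line_no))
        for m in EMAIL_RE.finditer(line):
            findings.append(Finding("email", m.group(0), line_no))
        for m in SG_MOBILE_RE.finditer(line):
            findings.append(Finding("mobile", m.group(0), line_no))
    return findings


def contains_personal_data(text: str) -> bool:
    return bool(scan_text(text))


def staging_decision(filename: str, text: str) -> str:
    """Decision a file gate would log before copying data to a test host."""
    findings = scan_text(text)
    if not findings:
        return f"OK: {filename} has no personal-data indicators; may be staged"
    kinds = sorted({f.kind for f in findings})
    return (f"BLOCK: {filename} contains {len(findings)} personal-data "
            f"indicator(s) ({', '.join(kinds)}); anonymise or keep off "
            f"unpatched/test hosts")


# Constructed sample: a donor-queue export as a test file might look.
SAMPLE_TEST_EXPORT = """\
queue_no,name,id_no,contact,email
17,Tan Ah Kow,S1234567D,91234567,ahkow@example.org
18,Lim Bee Hoon,F1234567N,+65 81234567,beehoon@example.org
"""

# Constructed sample with the identifying columns removed.
SAFE_SAMPLE = "queue_no,slot,status\n17,09:00,waiting\n18,09:15,called\n"

if __name__ == "__main__":
    for name, body in (("donor_queue.csv", SAMPLE_TEST_EXPORT),
                       ("donor_queue_anon.csv", SAFE_SAMPLE)):
        print(staging_decision(name, body))
        for f in scan_text(body):
            print(f"  line {f.line_no}: {f.kind} -> {f.value}")
```

Run as a gate in the copy step (for example, refuse the transfer when the decision starts with `BLOCK:`), this turns "we did not anticipate that it contained personal data" into a question that is answered mechanically every time, which is the due diligence the PDPC expected of Secur.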
P.S. Got questions or do you need help with your cybersecurity and data protection compliance journey? Don’t hesitate to reach out to your friendly cybersecurity and data protection experts at Privacy Ninja. We are always a text/call or email away!
📱 WhatsApp: +65 8750 4250 | +65 6018 6356
📧 email: firstname.lastname@example.org