F&B operator Spize fined SG$20k for personal data breach


F&B operator Spize has been fined SG$20,000 by the Personal Data Protection Commission (PDPC) for failing to appoint a data protection officer and not making reasonable security arrangements to prevent the unauthorised disclosure of customers’ personal data, among other breaches.

On 12 August 2017, PDPC was alerted by a member of the public that approximately 148 customers’ personal data – specifically names, contact numbers, email addresses and residential addresses – was publicly accessible on Spize’s online portal. Upon receiving news of the incident two days after, Spize requested Novadine, a US-based firm that assists companies in developing and hosting their online presence, to rectify the weakness and subsequently disabled the link. According to PDPC’s report, the link has not been publicly accessible since 16 August 2017.

In a case filing seen by Marketing, investigations by the PDPC revealed that Spize had failed to put in place or ensure the adoption of reasonable security arrangements to prevent data breaches from occurring. Based on Spize’s responses to the queries during investigations, PDPC said it was “apparent” that Spize and its managing director, whose account was used to enable the link, did not know about the existence of the link or the consequences of enabling it.

In addition, PDPC stated that Spize lacked knowledge of the security arrangements that were in place within the Novadine system to protect personal data and had to rely on the answers provided by Novadine in describing how the site and online ordering system worked. The Spize management was also unable to describe its arrangements with Novadine to process, protect and manage the personal data.

Moreover, Spize mentioned during investigations that there was no password policy in place at the time of the incident. A mandatory password requirement was also not set when Novadine first created the accounts, and the MD’s administrator account password was not changed regularly.

PDPC also noted that Spize only appointed its data protection officer on 21 August 2017, one week after the PDPC notified Spize of the weakness in its site. The commissioner has directed Spize to put in place a data protection policy and internal guidelines to comply with the provisions of the PDPA and, in particular, to prevent future recurrences of the breaches that had occurred in this case.

In addition, Spize has to train all employees handling personal data on the obligations under the PDPA and also put in place proper access controls for the management of administrators’ accounts within its food order delivery and catering services website and online ordering system.

In the document, Spize said the incident was “unintentional and was a result of human error”, adding that the financial penalty is “a hefty price to pay” given the food poisoning incident last year in November. Spize’s River Valley outlet also had its license suspended after 49 cases of gastroenteritis were reported. According to the National Environment Agency (NEA), Spize has been instructed to rectify hygiene lapses as well as oversight in food preparation processes, among others. Spize currently has three outlets operating at Bedok, Rifle Range and Siglap.
