Genki Sushi SG among 5 companies fined by PDPC over personal data breach

Genki Sushi Singapore has been fined SG$16,000 for failing to put in place reasonable security arrangements to protect personal data of its employees, which resulted in a ransomware attack.

According to a Personal Data Protection Commission (PDPC) case filing seen by Marketing, the personal data of approximately 360 current and former employees of Genki Sushi was compromised. Exposed data include name, NRIC number/Foreign ID, bank account information, salary details, gender, marital status as well as date of hire and date of birth. Other personal details such as passport number, address and contact numbers were also breached for some employees.

The issue was first brought to light on 30 August 2018, when Genki’s IT personnel discovered that the database containing employees’ details and company financials was unresponsive. Following internal investigations, the company confirmed a ransomware attack, resulting in majority of its files encrypted and contents inaccessible. A ransom payment was demanded by the hacker in exchange for the decryption key.

Upon discovery of the incident, Genki Sushi isolated the server from its larger IT network, performed anti-virus scans on each computer in the company’s office and restaurants, attempted to remove the ransomware and decrypt the infected data files using third party security tools, and notified its affected employees of the incident. In this regard, all full-time employees and most part-time employees were notified by 7 September 2018, while former employees were unable to be contacted due to their contact details being encrypted by the ransomware.

PDPC attributed failure to put in an “all-round” security of its system which contained sensitive personal data of its employees, lack of configuration for its firewall and failure to conduct any penetration tests of its server as reasons to breach section 24 of the Personal Data Protection Act (PDPA).

CDP and Toppan Security Printing

Among the list of imposed financials penalties by PDPC include The Central Depository (CDP) and Toppan Security Printing for unauthorised disclosure of CDP’s account holders’ personal data. Figures of SG$24,000 and SG$18,000 were imposed on CDP and Toppan Security Printing respectively for  printing account holders’ personal information wrongly in the notification letters of other account holders and sending it out.

PDPC’s case filing said the incident occurred around 27 June 2017 and the exposed data included the name and/or CDP securities account number. Toppan Security Printing was engaged by CDP to carry out secure printing and dispatch of documents, including notification letters of CDP’s customers. Both CDP and Toppan had the obligation to ensure that the printing system and process would protect the personal data it was handling and processing. As part of this, PDPC said there needed to be proper testing of the system and implementation of exception handling and checks to prevent errors from compromising the security of the personal data.

[Digital Marketing Asia Conference 2019 in Singapore is back! Join us on 8-9 October as we hear from experienced practitioners and thought-leaders on how they are managing complex digital transitions and reimagining new ways for their marketing to become more customer focused, agile and interactive. Check out the agenda and book your seats today.]

Horizon Fast Ferry

Meanwhile, Singapore-based ferry operator Horizon Fast Ferry has been imposed a financial penalty of SG$54,000 for the lack of a data protection officer (DPO), failing to develop and implement data protection policies and practices, and not putting in place reasonable security arrangements to protect its customers’ personal data.

Around May 2017, Horizon engaged an independent contractor on an informal basis to revamp its booking site, specifically to improve the user interface and user experience, such as when purchasing ferry tickets online. The parties did not enter into any written contract for the revamping of the booking site and all instructions and requirements were conveyed either verbally or through WhatsApp text messages.

Horizon was reportedly unaware that its contractor replicated the auto-retrieval and auto-population feature (which was only meant to be used in the internal counter check-in system) in the booking site as part of the website revamp. As such, the revamped system would automatically retrieve and populate the remaining fields in the booking form with the personal data set associated with the passenger’s passport number.

According to PDPC, Horizon failed to conduct proper user acceptance tests before launching the revamped booking site and a total of 444,000 personal data sets were stored in the database. PDPC said that Horizon demonstrated a blatant disregard for its data protection obligations and did not designate any individual to be responsible for ensuring that the company complies with the PDPA.


Directions, including a financial penalty of SG$5,000 was imposed on tuition agency Championtutor for not having a data protection officer (DPO) or any policies or practices in place to comply with the PDPA.

On 31 October 2017, the Personal Data Protection Commission received a complaint from a former tutor with Championtutor, stating that a Google search led to a URL link to the agency’s tutor list. The list contained name, contact number and email address of a total of 4,899 individuals. In the course of investigations, PDPC also found that Championtutor had not appointed any DPO and had failed to develop and put in place any internal data protection policies.

The company did not employ full-time staff but employed part-time home-based tuition coordinators to liaise with tutors and students, process e-invoices and follow up on payment. These part-time coordinators had access to personal data of the tutors and students in the course of their work. However, Championtutor did not have any internal data protection policies which specify the rules and procedures on the collection, use and disclosure of personal data.

The decision and directions of the penalty were reached after taking into account that the company cooperated with investigations, PDPC said.

[Digital Marketing Asia Conference 2019 in Singapore is back! Join us on 8-9 October as we hear from experienced practitioners and thought-leaders on how they are managing complex digital transitions and reimagining new ways for their marketing to become more customer focused, agile and interactive. Check out the agenda and book your seats today.]

Read also:
Sephora’s latest cyber attack: Why PR needs to be in the conversation early on
Sephora hit with a data breach across SEA and New Zealand
AIA Singapore slapped with SG$10k fine for data breach
F&B operator Spize fined SG$20k for personal data breach
PR in the era of cyber attacks: Winning back public trust after a data breach

Read More News

in China by

SK-II encourages women to dream again

The luxury skincare brand has kicked off a series of guerrilla events in 10 major cities on the same day, including Hong Kong, Seo..