PDPC fines ION Orchard owners SG$15,000 for customer data breach

Singapore’s Personal Data Protection Commission (PDPC) has fined Orchard Turn Developments SG$15,000 for a customer data breach which occurred in December 2015. This is for the latter's ION Orchard shopping mall (ION).

This follows a hacking incident which took place regarding ION, which saw two unauthorised emails being sent by the organisation promoting “free” ION+ Reward points. According to the PDPC, investigations showed that an unknown perpetrator had gained unauthorised access to a server that held personal data of the organisation’s members.

The hacker used an application on the compromised server to send the unauthorised emails to the organisation’s members using personal data that was held in the server. According to an ION spokesperson in 2015, an in-house tech specialist had discovered the security breach prompting an advisory email to loyalty members.  ION acted swiftly and began emailing its members on 27 December 2015 alerting them to the unauthorised email which offered download codes for “a free giveaway”.

PDPC has instructed Orchard Turn Developments to fix all system vulnerabilities identified as well as test its loyalty management system to solve weaknesses. Orchard Turn Developments has also been instructed to implement a password management policy and conduct training for staff on password management best practices. This is on top of its financial penalty of SG$15,000.