The breach occurred in October 2023, when the names and contact details of MBS patrons were illegally accessed and later offered for sale on the dark web. PDPC said the leaked data could be further exploited in phishing scams or identity theft.

According to PDPC’s findings, the breach stemmed from a software migration exercise in March 2023, during which MBS failed to apply proper security policies when transferring data from its old system to a new one. One of the identifiers linked to the ArtScience Friends webpage was omitted during the process, leaving the site’s patron data exposed.

Despite the scale of the migration, MBS had assigned a single employee to manually compile a list of application programming interface (API) configurations, without implementing second-layer checks. The omission went undetected for six months, during which patron data remained unprotected.

PDPC said MBS’ failure to put in place adequate security processes amounted to a negligent contravention of its obligations under the PDPA. As a large enterprise with significant resources, the commission noted, MBS was expected to have stronger data protection measures in place.

The penalty was issued under the revised financial penalty framework introduced by the Personal Data Protection (Amendment) Bill 2021, which allows fines of up to 10% of a company’s annual turnover for organisations with yearly revenue exceeding S$10 million.

In determining the penalty, PDPC said it considered the scale of the breach and MBS’ voluntary admission of liability, as well as its prompt remediation measures, which included reactivating security protections for the affected website on the same day the issue was discovered.

The commission reiterated that protecting consumers’ personal data is key to maintaining public trust and said it will continue to take enforcement action against organisations found in breach of the PDPA.

MARKETING-INTERACTIVE has reached out to MBS for a statement.

This latest enforcement follows a similar case in August last year, when the Consumers Association of Singapore (CASE) was fined S$20,000 for breaching protection and accountability obligations under the PDPA. The regulator found that CASE failed to implement reasonable security measures and necessary data protection policies, leading to two separate breaches that exposed the personal data of more than 30,000 individuals.