Spize website fined SG$20K following data breach


Data regulators in Singapore have issued a takeaway restaurant, Spize, with a fine of SG$20K (£11,736) for a data breach and several further data law transgressions.

Singapore’s data regulator, the Personal Data Protection Commission (PDPC), was told by a member of the public on 12th August 2017 that personal data was publicly accessible through the Spize website.

The personal and private details of around 148 customers were accessible through the takeaway cuisine’s online portal, with compromised data including names, contact details, phone numbers, email addresses and residential addresses.

After learning of the breach, the outlet turned to US-based web specialists Novadine to help shore up security and shut down the breach. A subsequent PDPC review says that public access to the information was sealed off four days after the breach notification had been received.

The PDPC deemed that Spize had failed to implement sufficient cyber security measures to mitigate data breach incidents. The regulator said that Spize’s response to the breach illustrated how its managing director, through whose account the link was first activated, was unaware of the effects the link’s activation would have.

Highlighting a lack of security expertise, the PDPC noted how the firm had to depend on Novadine to describe how the website’s ordering system worked. Management at Spize failed to define Novadine’s role in terms of processing, protecting and managing personal data handled through Spize.

Investigations also revealed that Spize had no password policy at the time of the data breach and that the managing director’s admin account passcode had not been regularly changed to offset the risk of intrusion.

Only in late August 2017 did the company appoint a data protection officer, a failure that has served as an aggravating factor within the PDPC’s judgement and subsequent penalty exercised over the company.

 

 

