SINGAPORE — A computer services provider has been slapped with a S$4,000 fine for a technical error that disclosed the personal data of more than 400 national servicemen last year.

The service provider, Option Gift, was in charge of Uniqrewards, an online portal through which NSmen redeem credits and gifts given by the Ministry of Defence (Mindef) and the Ministry of Home Affairs (MHA).

Releasing its grounds of decision in a report on Thursday (June 6), the Personal Data Protection Commission (PDPC) found that the company had failed to conduct “sufficient testing” before rolling out an erroneous programme script.

Last May, an employee at Option Gift failed to reset a service account password, and 427 servicemen did not receive confirmation emails for their redemption requests as a result.

The company detected this issue and, in an attempt to rectify the situation, wrote a separate programme script to regenerate and send out the confirmation emails.

However, this programme script was erroneous and caused the personal data of the NSmen to be sent to each other.

The report stated that the first recipient received the confirmation email that was intended for him as well as the confirmation emails for all the other 426 recipients.

The second recipient received the email that was intended for him as well as those for the subsequent 425 recipients, with the pattern continuing till the last NSmen.

As a result, the personal data of up to 426 NSmen were accidentally disclosed.

The data comprised the NSmen’s login identification for the online portal, their email addresses, delivery addresses and mobile phone numbers.

Upon discovering the mistake, the company emailed the affected NSmen an apology and asked them to delete all emails not intended for them.

It also informed the PDPC and gave the affected individuals an S$80 gift voucher as a gesture of apology.

The PDPC received complaints from two NSmen on June 12 and 13 last year.

To prevent the recurrence of similar errors, Option Gift introduced a standard operating procedure to document the process of resending confirmation emails.

Under this procedure, only authorised users, with the approval of the company’s data protection officer, may resend confirmation emails. An audit trail would also be created during this process.

In addition, all changes to the portal would be subjected to secondary checks.

The PDPC stated in its report that the service provider had failed to protect personal data in its possession under Section 24 of the Personal Data Protection Act. As such, the company could have been fined up to S$1 million.

In meting out the S$4,000 fine, the PDPC took into account the remedial actions taken by the company to enhance its backend system.

It also took into consideration the fact that the company had “voluntarily” notified the PDPC of the breach, and took “prompt action” by informing the affected individuals via email.