Man fined $21,000 by PDPC for misusing customer data
SINGAPORE — A mobile phone retailer was indicted on Friday (March 11) for using its customers’ details to register prepaid SIM cards and reselling them without their consent.
This is the first case under the Personal Data Protection Act (PDPA) involving gross misuse of individuals’ personal data to activate and resell SIM cards for financial gain.
Neo Yong Xiang, 30, was charged with two counts of cheating in connection with his alleged misuse of computer systems containing personal customer data in the commission of the offences. Neo, the sole owner of Yoshi Mobile, was also fined $21,000 by the Personal Data Protection Commission (PDPC).
The offense of cheating is punishable by imprisonment for up to three years, or a fine, or both.
A person found guilty of gaining access to a computer with the intent to commit or facilitate the commission of an offense may be liable to imprisonment for up to 10 years, a fine of up to up to $50,000, or both.
At least 78 people concerned
Neo misused the data of at least 78 people who purchased prepaid M1 SIM cards from its mobile phone shop in Geylang Road, according to the PDPC.
Using a terminal that captures customer data for the purpose of SIM card registration, Neo exploited the registration process to use data without consent to register for M1 SIM cards additional prepaid cards that its customers had no intention of buying.
From 2018 to 2020, by selling these illicit SIM cards to anonymous customers, Neo estimated that he earned around $15,000, or around 100 cards per year, priced at $50 each. The personal data unlawfully collected included customers’ names, addresses and NRIC numbers.
Thus, from January to November 2020, there were 3,636 Do Not Call (DNC) complaints from people who received messages announcing the sale or rental of a property while their telephone numbers are registered in the DNC register.
Further analysis revealed that 1,379 of the messages were sent from 98 SIM cards registered to Yoshi.
Fine reduced on appeal
According to its reasons for decision, the PDPC initially imposed a monetary penalty of $35,000 on Neo.
“(His) culpability is more egregious as his breach involved the intentional misuse of personal data from a position of trust, over an extended period, for personal financial gain,” the PDPC said.
Nevertheless, the PDPC took into account Neo’s “difficult financial situation” at the time of the offenses as he had low savings and monthly income, and was also responsible for servicing, among other things, loans for housing, vehicles and renovation.
Neo was also responsible for paying his parent’s medical bills. He claimed it would cause him “undue hardship” if he faced a heavy financial penalty.
“When imposing financial sanctions, the Commission may take into account the personal and financial situation of the organisation/individual, bearing in mind that the financial sanctions imposed must avoid imposing a crushing burden or to cause undue hardship to organizations,” the PDPC said.
In this regard, the PDPC reduced the financial penalty to $21,000 on an “exceptional” basis, to be paid in 18 monthly installments on the due dates.
Stay informed on the go: Join Yahoo Singapore’s Telegram channel at http://t.me/YahooSingapore