The Cellar Door fined after users' data posted on another website
The Cellar Door, a well-known local seller of gourmet products including wine and cheese, has been fined $5,000 for failing to protect the personal data of some customers and users from being posted on another website without authorisation.
Its website host, Global Interactive Works (GIW), was also fined $3,000 by the Personal Data Protection Commission (PDPC).
The Cellar Door was also ordered to conduct a security audit and patch all identified vulnerabilities on its website.
The move follows a commission probe after unauthorised postings of the personal data of customers and users of The Cellar Door's website were found on a website known as Pastebin in September 2014.
PUT AT RISK
"Although not all the personal data of the customers of Cellar Door had been disclosed on the Pastebin website, given the inadequacies of (Cellar Door and GIW's) security measures, the entire customer database was put at risk," said the PDPC in decision grounds issued last week.
The data posted without authorisation included customers' full names, residential phone numbers, addresses, e-mail addresses and passwords.
The Cellar Door was unaware of the disclosures until it was notified by the commission.
GIW said its engineers were unable to determine why the data was disclosed on Pastebin.
The Personal Data Protection Act obliges an organisation and its data intermediary to make reasonable security arrangements to protect the data entrusted to them and to prevent illicit access to and use of it.