PDPC enforcement history — selected PDPA fines
Last reviewed: June 2026. Source: PDPC Commission's Decisions register.
This page summarises selected PDPC enforcement actions to give Singapore businesses a realistic sense of how PDPA fines actually land. Every case below links to the original PDPC decision. The full register is at pdpc.gov.sg/all-commissions-decisions.
Headline cases
| Year | Organisation | Financial penalty | Affected individuals | Cause |
|---|---|---|---|---|
| 2019 | SingHealth Services | SGD 250,000 | ~1.5 million | Failure to put in place reasonable security arrangements; 2018 cyberattack |
| 2019 | Integrated Health Information Systems (IHiS) | SGD 750,000 | ~1.5 million | Failure to protect SingHealth patient data; same 2018 cyberattack |
| 2024 | Carousell | SGD 58,000 | ~1.95 million accounts | Compromised admin account; data exposed via API misconfiguration |
| 2022 | MyRepublic | SGD 60,000 | ~79,388 | Unauthorised access to subscriber proof-of-identity documents |
| 2021 | AIA Singapore | SGD 10,000 | — | Disclosure of personal data of policyholders to incorrect recipients |
| 2018 | Grabcar | SGD 6,000 | — | Email containing GrabHitch driver data sent to wrong recipients |
What changed in October 2022
The maximum financial penalty was raised to the higher of:
- 10% of the organisation's annual turnover in Singapore, for organisations whose Singapore turnover exceeds SGD 10 million; or
- SGD 1 million.
For most SMEs the SGD 1 million figure remains the practical ceiling. For large organisations the turnover-percentage cap is materially higher. PDPC has not (as of writing) issued a fine at the new 10%-of-turnover ceiling, but the policy direction is to align with GDPR-style enforcement.
What PDPC actually fines for (pattern)
Reading across the cases:
- Failures of Obligation 6 (Protection) dominate: reasonable security arrangements not in place, misconfigured cloud services, exposed databases, poor access control.
- Phishing-led account takeovers that lead to mass data exposure are an increasingly common cause of large fines.
- Non-cyber causes (email sent to the wrong recipient, lost USB drives) still produce fines, usually in the SGD 5,000–25,000 band.
- The cyber-attack defence "our security was sophisticated but the attacker was more so" is generally not accepted; PDPC assesses whether the arrangements were reasonable for the data held.
How cyber insurance helps: regulatory-defence cover pays the legal costs of responding to a PDPC inquiry, costs which in most SME cases exceed the fine itself. The financial penalty (where insurable) may also be covered under a sublimit. Get quotes that disclose each insurer's regulatory-defence limit and fine sublimit.