pdpc_decisions
Data source: pdpc.gov.sg/All-Commissions-Decisions · About: hueyy/lacuna-db
257 rows sorted by timestamp descending
_id | _item_id | description | tags | date | pdf-url | nature | title | url | timestamp | pdf-content | decision | _commit | financial_penalties |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
257 | bb5371752caf02cca3cab7ebc2d86649c2edfc2a | A financial penalty of $20,000 was imposed on Consumers’ Association of Singapore for failing to put in place reasonable security arrangements to protect the personal data in its possession or under its control, and failing to develop and implement policies and practices that are necessary to meet its obligations under the PDPA. | [ "Protection", "Accountability", "Financial Penalty", "Directions", "Others", "Policies" ] | 28 Aug 2024 | https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/commissions-decisions/gd_consumers-association-of-singapore_09072024.pdf | Protection, Accountability | Breach of the Protection and Accountability Obligations by Consumers’ Association of Singapore | https://www.pdpc.gov.sg/all-commissions-decisions/2024/08/breach-of-the-protection-and-accountability-obligations-by-consumers-association-of-singapore | 2024-08-28 | PERSONAL DATA PROTECTION COMMISSION [2024] SGPDPC 4 Case No. DP-2210-C0303 & DP-2306-C1172 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Consumers’ Association of Singapore (CASE) … Organisation DECISION Consumers’ Association of Singapore (CASE) Wong Huiwen Denise, Deputy Commissioner — Case No. DP-2210-C0303 & DP-2306-C1172 9 July 2024 Introduction 1 On 11 October 2022, the Consumers’ Association of Singapore (CASE) (the “Organisation”) notified the Personal Data Protection Commission (the “Commission”) of a data breach incident involving a threat actor accessing the Organisation’s email accounts, and sending phishing emails on 8 October 2022 and 9 October 2022 with the Organisation’s official email addresses1 (“Incident 1”). 2 The Commission commenced investigations to determine the Organisation’s compliance with the Personal Data Protection Act 2012 (“PDPA”) in relation to Incident 1. 3 On 22 June 2023, while the Commission was still investigating Incident 1, the Commission received a complaint against the Organisation regarding another data breach incident involving phishing emails being sent to the Organisation’s consumers, from email addresses which did not originate from the Organisation’s domain (“Incident 2”). Hence, the Commission also initiated investigations to determine the Organisation’s compliance with the PDPA in relation to Incident 2. 1 The email addresses were “[email protected]” and “[email protected]”. 4 The Organisation requested for Incident 1 to be handled under the Expedited Breach Decision Procedure (“EDP”), which the Commission acceded to. After the Commission commenced its investigations into Incident 2, the Organisation likewise requested for this incident to be handled under EDP, which the Commission also acceded to. To this end, the Organisation voluntarily and unequivocally admitted to all the facts set out in this decision, and also to contraventions of sections 24 and 12(a) of the… | Financial Penalty, Directions | 1581 | { "sum": 20000, "max": 20000 } |
255 | 5ff691e27725e106c6573b5bccbbe027d9d2beeb | A financial penalty of $9,000 was imposed and directions were issued to Academy of Medicine Singapore for failing to put in place reasonable security arrangements to protect the personal data of current and former members of the institution. | [ "Protection", "Financial Penalty", "Directions", "Education", "Ransomware", "Vulnerability" ] | 02 Aug 2024 | https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/commissions-decisions/gd_academy-of-medicine-singapore_10062024.pdf | Protection | Breach of the Protection Obligation by Academy of Medicine Singapore | https://www.pdpc.gov.sg/all-commissions-decisions/2024/07/breach-of-the-protection-obligation-by-academy-of-medicine-singapore | 2024-08-02 | PERSONAL DATA PROTECTION COMMISSION [2024] SGPDPCS 4 Case No. DP-2308-C1326 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Academy of Medicine Singapore SUMMARY OF THE DECISION 1 Academy of Medicine Singapore (the “Organisation”) is a professional institution providing postgraduate medical education and specialist training in Singapore. On 4 August 2023, the Personal Data Protection Commission (the “Commission”) was informed about a data breach incident involving the Organisation’s servers being infected by ransomware on or about 13 July 2023. Consequently, personal data of 6,574 individuals had been exfiltrated and posted on the dark web (the “Incident”). 2 The Organisation requested, and the Commission agreed, for the investigation to proceed under the Expedited Decision Breach Procedure. To this end, the Organisation voluntarily and unequivocally admitted to the facts set out in this decision. It also admitted to a breach of the Protection Obligation under Section 24 of the Personal Data Protection Act 2012 (the “PDPA”). Facts of the Case 3 The Organisation first discovered malware artifacts in its servers after reports by staff members of network connectivity issues on 13 July 2023. The Organisation immediately disconnected the affected servers and sought an external IT forensic investigator to investigate the extent of the Incident and undertake remedial action. 4 Investigations revealed that data from the Organisation had been uploaded on the dark web (the “Leaked Data”), including full credit card information of over 1,000 individuals. Separately, a total of 4.4TB of files in the Organisation’s servers had been encrypted due to ransomware deployment. 5 From system event logs, upon gaining initial entry the threat actor accessed 6 servers (the “Affected Servers”) and 1 staff computer using Remote Desktop Protocol (“RDP”) connections, then deployed malicious tools that could harvest credentials within folders and disarm antivirus and thr… | Financial Penalty, Directions | 1577 | { "sum": 9000, "max": 9000 } |
256 | 725d0749c87021c016cce5235c7a2977c82c8fc6 | A financial penalty of $120,000 was imposed on Keppel Telecommunications & Transportation for failing to put in place reasonable security arrangements to protect the personal data of employees, ex-employees, directors and shareholders in its possession or under its control. | [ "Protection", "Financial Penalty", "Transport and Storage" ] | 02 Aug 2024 | https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/commissions-decisions/gd_keppel-telecommunications--transportation-ltd_14052024.pdf | Protection | Breach of the Protection Obligation by Keppel Telecommunications & Transportation | https://www.pdpc.gov.sg/all-commissions-decisions/2024/07/breach-of-the-protection-obligation-by-keppel-telecommunications-transportation | 2024-08-02 | PERSONAL DATA PROTECTION COMMISSION [2024] SGPDPC 3 Case No. DP-2210-C0378 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Keppel Telecommunications & Transportation Ltd … Organisation DECISION Keppel Telecommunications & Transportation Ltd [2024] SGPDPC 3 Lew Chuen Hong, Commissioner — Case No. DP-2210-C0378 14 May 2024 Introduction 1 On 21 October 2022 and 28 October 2022, the Personal Data Protection Commission (the “Commission”) received notifications from Geodis Logistics Singapore Pte. Ltd. (“GLS”) and Keppel Telecommunications & Transportation Ltd (the “Organisation”) respectively about a data breach incident (the “Incident”) involving unauthorised access and exfiltration of personal data from servers belonging to GLS. One of the affected servers (the “Affected Server”) contained the personal data of, amongst others, the Organisation’s employees, ex-employees, directors and shareholders (the “Personal Data”). 2 Subsequently, the Commission commenced investigations to determine whether the circumstances relating to the Incident disclosed any breaches of the Personal Data Protection Act 2012 (“PDPA”). 3 After carrying out preliminary investigations, on 27 February 2023, the Commission accepted a voluntary undertaking from GLS pursuant to section 48L(1)(a) of the PDPA for GLS to implement enhanced security arrangements. No further enforcement action was taken against GLS. 4 On 2 March 2023, the Organisation requested for the investigation to proceed under the Expedited Decision Procedure, which the Commission acceded to. To this end, the Organisation voluntarily and unequivocally admitted to the facts set out in this decision, and to the Organisation’s breach of section 24 of the PDPA. Facts of the Case Relationship between Organisation and GLS 5 At the material time, the Organisation provided logistics and data centre services, with operations across Asia Pacific and Europe. 6 Prior to 1 July 2022, the Organisation was the sole sha… | Financial Penalty | 1577 | { "sum": 120000, "max": 120000 } |
253 | 3569f8647d505718e193ade0255f3d3b7bb61e82 | A financial penalty of $18,000 was imposed on CH Offshore for failing to put in place reasonable security arrangements to protect customers' personal data in its possession or under its control. | [ "Protection", "Financial Penalty", "Directions", "Transport and Storage", "Ransomware", "Vulnerability" ] | 04 Jul 2024 | https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/commissions-decisions/gd_ch-offshore-ltd_17042024.pdf | Protection | Breach of the Protection Obligation by CH Offshore | https://www.pdpc.gov.sg/all-commissions-decisions/2024/06/breach-of-the-protection-obligation-by-ch-offshore | 2024-07-04 | PERSONAL DATA PROTECTION COMMISSION Case No. DP-2304-C0872 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And CH Offshore Ltd. … Organisation DECISION CH Offshore Ltd. [2024] SGPDPC 2 Wong Huiwen Denise, Deputy Commissioner — Case No. DP-2304-C0872 17 April 2024 Introduction 1 CH Offshore Ltd. (the “Organisation”) is an owner-operator and ship manager of offshore support vessels for the offshore marine oil and gas sector. On 3 April 2023, the Organisation filed a Data Breach Notification (“DBN”) to the Personal Data Protection Commission (the “Commission”) regarding a ransomware attack on its servers on or about 28 March 2023 that led to a loss of access to the Organisation’s shared drives and the encryption of files containing personal data (the “Incident”). 2 The Organisation requested for the matter to be handled under the Commission’s Expedited Breach Decision Procedure (“EDP”). This means that the Organisation voluntarily provided and unequivocally admitted to the facts set out below; and admitted that it was in breach of section 24 of the Personal Data Protection Act 2012 (the “PDPA”). Facts of the Case 3 The Organisation’s employees discovered that they could no longer access the files in the shared drives in the morning of 29 March 2023. Thereafter, the Organisation immediately disconnected the affected servers and sought external IT forensics to investigate the extent of the Incident and undertake remedial action. 4 Investigations revealed that the files had been encrypted by one ransomware-as-a-service (RaaS) threat known as “Alpha aka Blackcat” (the “Threat Actor”). Investigations found that there were suspicious virtual private network (“VPN”) connections over Remote Desktop Protocol at the time of the Incident, suggesting that the Threat Actor likely gained access to the Organisation’s network using two VPN accounts that belonged to an employee and its outsourced IT vendor respectively. 5 Even though th… | Financial Penalty, Directions | 1571 | { "sum": 45000, "max": 27000 } |
254 | 1f67286e8799ae6f6fc2ab62caee2d169e7cd720 | A financial penalty of $7,000 was imposed on Tok Leng Leng t/a Top Mobile Gallery (BR) for failing to put in place reasonable security arrangements to protect against the unauthorised use of and access to customers’ personal data for registration of pre-paid SIM cards. | [ "Protection", "Financial Penalty", "Wholesale and Retail Trade" ] | 04 Jul 2024 | https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/commissions-decisions/gd_tok-leng-leng-(trading-as-top-mobile-gallery-(br))_01032024.pdf | Protection | Breach of the Protection Obligation by Tok Leng Leng t/a Top Mobile Gallery (BR) | https://www.pdpc.gov.sg/all-commissions-decisions/2024/06/protection-obligation-by-tok-leng-leng-ta-top-mobile-gallery | 2024-07-04 | PERSONAL DATA PROTECTION COMMISSION [2024] SGPDPCS 1 Case No. DP-2208-C0053 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Tok Leng Leng (trading as Top Mobile Gallery (BR)) SUMMARY OF THE DECISION Introduction 1. Between the period December 2020 to April 2021, the Personal Data Protection Commission (“the Commission”) received 435 Do Not Call (“DNC”) complaints relating to property messages, despite their numbers being registered with the DNC Register. The complaints were traced to 44 M1 pre-paid SIM cards sold by Tok Leng Leng (trading as Top Mobile Gallery (BR)) (“Organisation”), located in a foreign worker dormitory at 2 Seletar North Link. 2. The Commission commenced investigations into the Organisation for suspected breaches under the Personal Data Protection Act 2012 (“PDPA”). Facts of the Case 3. The 44 M1 pre-paid SIM cards were registered under 33 unique individuals who were foreign workers. Investigations confirmed that these foreign workers lived in the dormitory at 2 Seletar North Link, and had purchased pre-paid SIM cards from the Organisation. Additional pre-paid SIM cards were registered under their names even though they had not in fact purchased these SIM cards (the “illicit SIM cards”). 4. As a retailer of M1 SIM cards, the Organisation used a terminal device issued by M1 for the purposes of SIM card registration. The SIM card registration process with the M1 terminal device was as follows: a. First, the customer’s identity document (e.g. identity card, passport, work pass etc.) would be scanned using the terminal device, which is connected directly to M1’s registration system. The system would capture the customer’s particulars, and whether the customer had reached the limit of 3 pre-paid SIM cards. b. Next, the barcode of the SIM card(s) would be scanned so that they could be tagged to the registered customer. c. Finally, the retailer would use a mobile application to load credit value to the prepaid SIM card(s) to acti… | Financial Penalty | 1571 | { "sum": 14000, "max": 7000 } |
250 | c22be6226448cf3c1dc42c5915ec0238a239eab8 | Directions were issued to Cortina Watch for failing to put in place reasonable security arrangements to protect individuals' personal data in its possession or under its control. | [ "Protection", "Directions", "Wholesale and Retail Trade", "Ransomware", "Access control" ] | 23 May 2024 | https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/commissions-decisions/gd_cortina-watch-pte-ltd_280324.pdf | Protection | Breach of the Protection Obligation by Cortina Watch | https://www.pdpc.gov.sg/all-commissions-decisions/2024/05/breach-of-the-protection-obligation-by-cortina-watch | 2024-05-23 | PERSONAL DATA PROTECTION COMMISSION [2024] SGPDPCS 3 Case No.: DP-2306-C1102 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Cortina Watch Pte. Ltd. SUMMARY OF THE DECISION 1. Cortina Watch Pte. Ltd. (the “Organisation”) is mainly involved in the retail, import, and export of timepieces, branded pens, and luxury accessories. On 5 June 2023, the Personal Data Protection Commission (the “Commission”) received a Data Breach Notification (“DBN”) filed by the Organisation, regarding a ransomware attack on its server (the “Incident”). 2. The Organisation subsequently confirmed that the personal data of 3,953 individuals had been accessed and exfiltrated in the Incident. The breakdown of the different types of personal data affected for the individuals was as follows (Types of Personal Data Affected: No. of Affected Individuals): Full Name + Contact Number: 1,380; Full Name + Address + Any Other Details: 930; Full Name + Email: 688; Full Name + Date of Birth + Any Other Details: 645; Full Name + NRIC/Passport Number + Any Other Details: 234; Full Name + Email + Any Other Details: 68; Full Name + Bank Account Number + Any Other Details: 8. 3. The Commission acceded to the Organisation’s request for the matter to be handled under the Commission’s Expedited Breach Decision Procedure (“EDP”). This means that the Organisation voluntarily provided and unequivocally admitted to the facts set out below and admitted that it was in breach of section 24 of the Personal Data Protection Act 2012 (the “PDPA”). 4. Based on the Commission’s own investigations and the efforts of an IT forensic investigation firm engaged by the Organisation, it was determined that the Organisation had experienced multiple brute force attacks between 30 April to 4 June 2023. On 27 May 2023, a Virtual Private Network (“VPN”) account which the Organisation had been using to test VPN access to live environments was compromised. The threat actor successfully accessed a password-protected master… | Directions | 1042 | { "sum": 0, "max": 0 } |
251 | f39794f21de266c20d1c288071d25d7ca2e28fdd | A financial penalty of $28,000 was imposed on Horizon Fast Ferry for failing to put in place reasonable security arrangements to protect its platform users' personal data in its possession or under its control. | [ "Protection", "Accountability", "Financial Penalty", "Arts, Entertainment and Recreation" ] | 23 May 2024 | https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/commissions-decisions/gd_horizon-fast-ferry-pte-ltd_21022024.pdf | Protection, Accountability | Breach of the Protection Obligation by Horizon Fast Ferry | https://www.pdpc.gov.sg/all-commissions-decisions/2024/05/breach-of-the-protection-obligation-by-horizon-fast-ferry | 2024-05-23 | PERSONAL DATA PROTECTION COMMISSION [2024] SGPDPC 1 Case No. DP-2304-C0943 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Horizon Fast Ferry Pte. Ltd. … Organisation DECISION Horizon Fast Ferry Pte. Ltd. [2024] SGPDPC 1 Denise Wong, Deputy Commissioner - Case No. DP-2304-C0943 21 February 2024 Introduction 1. On 25 April 2023, Horizon Fast Ferry Pte. Ltd. (the “Organisation”), a Singapore-based ferry operator, that provides ferries between Singapore and Batam, Indonesia, notified the Personal Data Protection Commission (the “Commission”) that there had been unauthorised access and exfiltration of the personal data of 108,488 individuals who booked tickets on the Organisation’s website from its server (the “Incident”). 2. The personal data affected included the individuals’ name, passport number, date of birth, passport issue and expiry date, nationality, email address (if provided) and telephone number (if provided). 3. The Organisation requested, and the Commission agreed, for this matter to be handled under the Commission’s Expedited Decision Procedure. This means that the Organisation voluntarily provided and unequivocally admitted to the facts set out in this Decision and that it was in breach of section 24 of the Personal Data Protection Act 2012 (the “PDPA”). 4. Section 24 of the PDPA requires an organisation to protect personal data in its possession or control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification or disposal, or similar risks (the “Protection Obligation”). Facts of the Case 5. The Organisation admitted that it does not have its own Information Technology (“IT”) department. The Organisation relied informally on the goodwill of a single individual (the “IT Supervisor”) employed by an overseas IT vendor (the “IT Support Vendor”) who had access to the Organisation’s IT systems to provide IT support. 6. The Organisation did not have any se… | Financial Penalty | 1042 | { "sum": 82000, "max": 54000 } |
252 | 0ef153e22e3e991ba025f26faa65a1019647b7ca | A financial penalty of $74,000 was imposed on PPLingo for (i) failing to put in place reasonable security arrangements to protect individuals' personal data in its possession or under its control; and (ii) not appointing any individual to ensure its compliance with PDPA. | [ "Protection", "Financial Penalty", "Education" ] | 23 May 2024 | https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/commissions-decisions/gd_pplingo-pte-ltd-(revised)_241023.pdf | Protection | Breach of the Accountability and Protection Obligations by PPLingo | https://www.pdpc.gov.sg/all-commissions-decisions/2024/05/breach-of-the-accountability-and-protection-obligations-by-pplingo | 2024-05-23 | PERSONAL DATA PROTECTION COMMISSION [2023] SGPDPC 12 Case No. DP-2205-B9761 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And PPLingo Pte Ltd … Organisation DECISION PPLingo Pte. Ltd. Lew Chuen Hong, Commissioner — Case No. DP-2205-B9761 24 October 2023 Introduction 1 On 8 May 2022, PPLingo Pte Ltd (the “Organisation”) notified the Personal Data Protection Commission (the “Commission”) of a data breach incident involving unauthorised access to personal data contained within the Organisation’s online education platform (the “Incident”). 2 The Commission commenced investigations to determine the Organisation’s compliance with the Personal Data Protection Act 2012 (“PDPA”) in relation to the Incident. 3 The Organisation requested for this matter to be handled under the Expedited Breach Decision Procedure, which the Commission acceded to. To this end, the Organisation voluntarily and unequivocally admitted to all the facts set out in this decision, and also to contraventions of Sections 11(3) and 24 of the PDPA (as explained below). Facts of the Case 4 The Organisation is a company incorporated in Singapore and operates an online Chinese and English language learning platform that offers virtual classes to its students aged 4 to 15 years old globally (“LingoAce”). 5 The LingoAce platform incorporates an operations support system (“OPS System”) which provides teacher management, student management and class scheduling management functions. The personal data of the Organisation’s students, parents, teachers and other staff (including teachers and staff formerly employed by the Organisation) (“Users”) was stored in the OPS System. 6 At the time of the Incident, the Organisation had in place a written data protection policy and had implemented certain security measures for the LingoAce platform, including network access control measures, and firewall protection for the OPS System. The Organisation had also organised t… | Financial Penalty | 1042 | { "sum": 148000, "max": 74000 } |
249 | 54f4d6163cb5798781cd4dc6716927fefc0c30b5 | A financial penalty of $4,000 was imposed on Payroll2U for failing to put in place reasonable security arrangements to protect its client’s employees' personal data in its possession or under its control. | [ "Protection", "Financial Penalty", "Employment", "Ransomware" ] | 22 Apr 2024 | https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/commissions-decisions/gd_payroll2u-pte-ltd_070324.pdf | Protection | Breach of the Protection Obligation by Payroll2U | https://www.pdpc.gov.sg/all-commissions-decisions/2024/04/breach-of-the-protection-obligation-by-payroll2u | 2024-04-22 | PERSONAL DATA PROTECTION COMMISSION [2024] SGPDPCS 2 Case No. DP-2303-C0848 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Payroll2U Pte. Ltd. SUMMARY OF THE DECISION 1. Payroll2U Pte. Ltd. (the “Organisation”) is a payroll service provider that offers payroll outsourcing services and online payroll Software as a Service (SaaS) solutions. 2. On 27 March 2023, the Personal Data Protection Commission (the “Commission”) was notified by the Organisation that the personal data of its client’s employees had been posted on a ransomware leak site. The leak arose from a ransomware attack on the servers of the Organisation around 29 December 2022 (the “Incident”). 3. On 16 January 2023, the Organisation received extortion emails from a threat actor identified as a LockBit affiliate. The Organisation immediately conducted an internal investigation and engaged an external forensics investigator to investigate the Incident and undertake remedial actions. Upon further investigations, it was determined that a total of 81.95 GB of data had been exfiltrated in the Incident and posted on the dark web. The personal data of 5,640 employees from the Organisation’s client was affected, including their full name, bank account number, salary information, NRIC number, address, date of birth and email address. 4. Investigations revealed that unauthorised activity had occurred from 29 December 2022 to 16 January 2023, with a single compromised account used for Remote Desktop Protocol (RDP) access to five servers on the Organisation’s AWS environment. Once connected to the working network, the threat actor gained unauthorised access to the developer’s drive and the company’s shared drive that were both mapped to the compromised account. These drives gave access to the affected personal data. 5. While the investigations were unable to conclusively determine how the threat actor obtained the credentials to the compromised user account, the investigation revealed the foll… | Financial Penalty | 1037 | { "sum": 4000, "max": 4000 } |
247 | 04fbdcd98bcc4a95808474d7e1a70511aabbfe8b | A financial penalty of $16,800 and Directions were imposed on a registered salesperson of an estate agency for failing to obtain consent and inform individuals of the purposes for collecting and using their personal data. | [ "Consent", "Notification", "Financial Penalty", "Directions", "Real Estate" ] | 21 Mar 2024 | https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/commissions-decisions/gd_leecheemeng_29122023.pdf | Consent, Notification | Breach of the Consent and Notification Obligations by a Registered Salesperson | https://www.pdpc.gov.sg/all-commissions-decisions/2024/03/breach-of-the-consent-and-notification-obligations-by-a-registered-salesperson | 2024-03-21 | PERSONAL DATA PROTECTION COMMISSION [2023] SGPDPC 14 Case No. DP-2211-C0404 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Lee Chee Meng … Organisation DECISION Lee Chee Meng Wong Huiwen Denise, Deputy Commissioner — Case No. DP-2211-C0404 29 December 2023 Introduction 1 On 8 November 2022, the Personal Data Protection Commission (the “Commission”) received a complaint regarding the possible unauthorised collection and use of personal data by Mr Lee Chee Meng (the “Respondent”) for telemarketing purposes. The Commission subsequently commenced investigations to determine whether the circumstances disclosed any breaches by the Respondent of the Personal Data Protection Act 2012 (“PDPA”). 2 Based on the Commission’s investigations, the facts disclose a straightforward breach of the PDPA. In particular, the Respondent admits to committing the infringing acts. The Commission has accordingly found the Respondent in breach of sections 13 and 20 of the PDPA. Facts of the Case 3 The Respondent is a registered salesperson under the Estate Agents Act 2010. He is appointed by ERA Realty Network Pte Ltd (“ERA”) to engage in estate agency work and to otherwise promote the business of servicing the public in real estate transactions. 4 At all material times, the Respondent is and was an independent agent of ERA who receives commissions in respect of real estate services or transactions entered into between customers and ERA. 5 The Respondent was upfront in admitting that he has been purchasing personal data from unknown third parties for telemarketing purposes for approximately 10 years from 2013. 6 In the course of 2021, the Respondent purchased 5 sets of personal data amounting to about 420,000 records (the “Purchased Data”) from an individual with a foreign phone number known to the Respondent only as “Ali” (the “Seller”). The Respondent came to know of the Seller through social media and would communicate with the Seller over Whatsapp, f… | Financial Penalty, Directions | 1028 | { "sum": 28000, "max": 28000 } |
248 | 9b8a28458b9096ecc4131cb76c3d744cd42eea6a | A financial penalty of $9,000 was imposed on Whiz Communications for failing to put in place reasonable security arrangements to protect customers' personal data in its possession or under its control. | [ "Protection", "Financial Penalty", "Information and Communications" ] | 21 Mar 2024 | https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/commissions-decisions/gd_whiz-communications-pte-ltd_20122023.pdf | Protection | Breach of the Protection Obligation by Whiz Communications | https://www.pdpc.gov.sg/all-commissions-decisions/2024/03/breach-of-the-protection-obligation-by-whiz-communications | 2024-03-21 | PERSONAL DATA PROTECTION COMMISSION [2023] SGPDPCS 7 Case No. DP-2304-C0935 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Whiz Communications Pte. Ltd. SUMMARY OF THE DECISION Introduction 1 Whiz Communications Pte. Ltd. (the “Organisation”) is a Singapore telecommunications service provider offering broadband internet access, local and long-distance digital IP telephony, prepaid and postpaid calling plans. 2 On 22 April 2023, the Personal Data Protection Commission (the “Commission”) was alerted by the Singapore Police Force of a personal data breach incident involving the Organisation (the “Incident”), which the Organisation confirmed on 24 April 2023. 3 The Organisation requested, and the Commission agreed, for this matter to proceed under the Expedited Decision Breach Procedure. To this end, the Organisation voluntarily and unequivocally admitted to the facts set out in this decision and to a breach of the Protection Obligation under Section 24 of the PDPA. Section 24 of the Personal Data Protection Act 2012 (“PDPA”) requires an organisation to protect personal data in its possession or control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification or disposal, or similar risks (the “Protection Obligation”). Facts of the Incident 4 The Organisation’s customer management system (“CMS”) was designed and developed in 2016 by an external vendor. This external vendor did not process personal data on behalf of the Organisation and was not the Organisation’s data intermediary. The Protection Obligation in respect of customer personal data processed by the CMS therefore fell solely on the Organisation. 5 The CMS from its initial design accepted any Python script requests that could be exploited for unauthorised exfiltration of customer personal data. This failure to block or manage scripts posed a data security risk and was a design flaw. 6 Post-Incident, the Organisation… | Financial Penalty | 1028 | { "sum": 9000, "max": 9000 } |
245 | 3880e49034bd13264b4a2b4d5439c54e53d59115 | A warning was administered to a financial advisor for: (i) using dictionary attack methods to generate telephone numbers; (ii) failing to obtain clear and unambiguous consent; and (iii) failing to check the DNC Register, before making marketing calls to DNC-registered individuals. | [ "Do Not Call Provisions", "Warning", "Finance and Insurance", "Telemarketing" ] | 22 Feb 2024 | https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/commissions-decisions/gd_kenny-lin_20102023.pdf | Do Not Call Provisions | Breach of Do-Not-Call ("DNC") Provisions by a Financial Advisor | https://www.pdpc.gov.sg/all-commissions-decisions/2024/02/breach-of-do-not-call-dnc-provisions-by-a-financial-advisor | 2024-02-22 | PERSONAL DATA PROTECTION COMMISSION [2023] SGPDPCS 6 Case No. ENF-DNC-230119-0007 & Others In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Lin DaoWen Kenny … Person SUMMARY OF THE DECISION 1. The Do Not Call Registry (“DNC Registry”) is a national database kept and maintained by the Personal Data Protection Commission (the “Commission”) pursuant to section 39 of the Personal Data Protection Act 2012 (“PDPA”). Persons may register their Singapore telephone numbers with the DNC Registry so as to not receive unsolicited telemarketing calls and messages. The DNC Registry comprises of 3 separate registers (i) the No Text Message Register, (ii) the No Voice Call Register, and (iii) the No Fax Message Register. 2. From January 2023 to July 2023, the Commission received twelve (12) complaints arising from unsolicited telemarketing calls made by Lin DaoWen Kenny (the “Individual”) to telephone numbers registered on the No Voice Call Register of the DNC Registry (the “Complaints”). 3. The Commission commenced investigations to determine whether there had been any breaches of the “Do Not Call” provisions in Parts 9 and 9A of the PDPA (“DNC Provisions”). This case also illustrates how the employment of online tools to generate Singapore telephone numbers to market products or services may lead to a breach of section 48B(1) of the PDPA. 4. The Individual is a financial advisor. In order to generate leads, he used an Excel spreadsheet formula (“randbetween”) to generate a list of all numbers upon entering the extreme ends on a numerical spectrum. The Individual generated 1000 numbers (the “Phone List”) with the intention of finding Singapore telephone numbers to market his financial advisory services. 5. Of the 1,000 numbers generated on the Phone List, 384 corresponded to Singapore telephone numbers that were registered with the No Voice Call Register of the DNC Registry. 6. The Individual engaged a telemarketer to make marketing calls to the numbers… | Warning | 1027 | { "sum": 0, "max": 0 } |
246 | dd910023c7806b72690a7c44e9ca4e348902f4c0 | A financial penalty of $58,000 was imposed on Carousell for failing to put in place reasonable security arrangements to protect the personal data of its platform users in its possession or under its control. Carousell was also directed to review its software testing procedures, processes and procedures for documenting functional and technical specifications of software and rectify any gaps identified from the reviews. | [ "Protection", "Financial Penalty", "Directions", "Others" ] | 22 Feb 2024 | https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/commissions-decisions/gd_carousell_28122023.pdf | Protection | Breach of the Protection Obligation by Carousell | https://www.pdpc.gov.sg/all-commissions-decisions/2024/02/breach-of-the-protection-obligation-by-carousell | 2024-02-22 | PERSONAL DATA PROTECTION COMMISSION [2023] SGPDPC 13 Case No. DP-2209-C0166; DP-2210-C0312 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Carousell Pte. Ltd. … Organisation DECISION Carousell Pte. Ltd. Lew Chuen Hong, Commissioner — Case Numbers. DP-2209-C0166 and DP-2210C0312 28 December 2023 Introduction 1 Carousell Pte. Ltd. (“Carousell”) runs an online marketplace website and mobile application for the buying and selling of new and second-hand goods and services (the “Platform”). In recent years, the Platform has expanded to include property listings. The Platform is available to users in several markets, including Singapore, Malaysia, Taiwan, the Philippines, and Indonesia. 2 In 2022, Carousell notified the Personal Data Protection Commission (the “Commission”) of two data breach incidents: (a) On 5 September 2022, Carousell notified the Commission of a data breach incident involving the unauthorised disclosure of the personal data of 44,477 individuals across Singapore, Malaysia, Indonesia, Taiwan and the Philippines using Carousell’s Platform (the “1st Incident”). 2 (b) On 17 October 2022, Carousell notified the Commission of a separate and unrelated incident involving the sale of the personal data of at least 2.6 million1 individuals using Carousell’s Platform (the “2nd Incident”) (collectively, the “Incidents”). 3 The Commission commenced investigations to determine Carousell’s compliance with the Personal Data Protection Act 2012 (“PDPA”) in relation to the Incidents. On 13 February 2023, Carousell requested for the investigations into the Incidents to be handled under the Commission’s Expedited Decision Procedure (“EDP”), which the Commission acceded to. To this end, Carousell voluntarily and unequivocally admitted to the facts set out in this decision and to its contravention of Section 24 of the PDPA in respect of the Incidents. Facts of the 1st Incident 4 Carousell’s Platform includes a chat function allowing potential … | Financial Penalty, Directions | 1027 | { "sum": 58000, "max": 58000 } |
244 | a11ebcd9504d649db8082bd0b3506f9e31c1dcdb | A financial penalty of $48,000 was imposed on Koh Wei Ming @ Muhammad Amin Koh (trading as Mobile Chat) for using his customers’ personal data to register for additional prepaid SIM cards without their consent. The additional SIM cards were then sold to anonymous and unauthorised purchasers who subsequently used them to send specified messages to individuals who were registered with the Do Not Call Register. | [ "Consent", "Purpose Limitation", "Financial Penalty", "Wholesale and Retail Trade", "Consent" ] | 17 Jan 2024 | https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/commissions-decisions/gd_koh-wei-ming_171023.pdf | Consent, Purpose Limitation | Breach of the Consent and Purpose Limitation Obligations by Koh Wei Ming @ Muhammad Amin Koh (trading as Mobile Chat) | https://www.pdpc.gov.sg/all-commissions-decisions/2024/01/breach-of-the-consent-and-purpose-limitation-obligations-by-koh-wei-ming-@-muhammad-amin-koh | 2024-01-17 | PERSONAL DATA PROTECTION COMMISSION [2023] SGPDPC 11 Case No. DP-2111-B9135 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Koh Wei Ming @ Muhammad Amin Koh (trading as Mobile Chat) … Organisation DECISION Page 1 of 11 Koh Wei Ming @ Muhammad Amin Koh (trading as Mobile Chat) Lew Chuen Hong, Commissioner — Case No. DP-2111-B9135 17 October 2023 Introduction 1 Between the period February 2020 – September 2021, the Personal Data Protection Commission (“the Commission”) received 1,391 complaints from members of the public who received marketing messages, despite their numbers being registered with the Do Not Call Register (“DNC Register”).1 The messages were traced to 95 prepaid SIM cards purchased from one Koh Wei Ming @ Muhammad Amin Koh (“KWM”), the sole proprietor of Mobile Chat (“the Organisation”). 2 The Commission commenced investigations to determine KWM’s compliance with the Personal Data Protection Act 2012 (“PDPA”) and for suspected breaches of the same. Facts of the Case 3 The Organisation is in the business of the sale and servicing of mobile phones, as well as the sale of prepaid SIM cards and mobile phone accessories. It has operated since 2015 from a shop located in Geylang. As a retailer of M1 SIM cards, 1 Under Section 43 of the PDPA, a person is not allowed to send specified messages to a Singapore telephone number registered with the DNC register unless the person has, at the time where he sends the specified message, valid confirmation that the Singapore telephone number is not listed in the DNC register. Page 2 of 11 KWM was provided a terminal device by M1 installed at the Organisation’s premises for the purposes of SIM card registration (the “M1 Terminal Device”). The M1 Terminal Device was used for registration of SIM cards prior to December 2021. SIM card registration had to be carried out in accordance with the conditions of M1’s telecommunications licence granted under Section 5 of the Telecommunications Act (Chapt… | Financial Penalty | 1026 | { "sum": 48000, "max": 48000 } |
243 | 9066f37814011e1990672ee58da7723bab0431b0 | Directions were issued to Tipros for failing to use or disclose personal data about an individual only for purposes that a reasonable person would consider appropriate. | [ "Consent", "Notification", "Purpose Limitation", "Directions", "Others" ] | 14 Dec 2023 | https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/commissions-decisions/gd_tipros_080623.pdf | Consent, Notification, Purpose Limitation | Breach of the Purpose Limitation Obligation by Tipros | https://www.pdpc.gov.sg/all-commissions-decisions/2023/12/breach-of-the-purpose-limitation-obligation-by-tipros | 2023-12-14 | PERSONAL DATA PROTECTION COMMISSION [2023] SGPDPC 7 Case No. DP-2207-C0019 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Tipros … Organisation DECISION Page 1 of 8 Tipros Yeong Zee Kin, Deputy Commissioner — Case No. DP-2207-C0019 8 June 2023 Introduction 1. On 21 July 2022, the Personal Data Protection Commission (the “Commission”) received a complaint that Tipros (the “Organisation”), a sole proprietorship in the wholesale of and repair of electrical appliances, had unreasonably disclosed the personal data of the complainant when responding to the complainant’s review on the Organisation’s Google reviews page (the “Incident”). 2. The Commission commenced investigations to determine the Organisation’s compliance with the Personal Data Protection Act 2012 (“PDPA”) and for suspected breaches of the same. Facts of the Case 3. The complainant had engaged the Organisation to repair a refrigerator. Following the repairs made, the complainant gave a “1-star” review on a Google reviews page “24hr fridge refrigerator #1 Quick repair service Trusted in Singapore”, which has since been renamed “Tipros.sg”. 4. The Organisation promptly responded to the complainant’s review. What is problematic was that the Organisation included the complainant’s personal data, including the complainant’s residential address and mobile number in their Page 2 of 8 response. The complainant filed a complaint with the Commission as the complainant was of the view that there was no reason for the Organisation to disclose her personal data in the course of responding to the review she left on the Organisation’s Google reviews page. 5. Apart from the Organisation’s response to the complainant’s review, the Commission found 13 other responses on the Organisation’s Google reviews page which disclosed, in a similar fashion, the personal data of other customers who had given reviews. Our Investigations 6. The Commission commenced investigations. In the course of investigations, it was … | Directions | 1026 | { "sum": 0, "max": 0 } |
241 | 94706922c7a950c933384f998d0081d2a615b9e6 | A financial penalty of $10,000 was imposed on Ascentis for failing to put in place reasonable security arrangements to protect individuals' personal data in its possession or under its control. | [ "Protection", "Financial Penalty", "Admin and Support Services" ] | 10 Nov 2023 | https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/commissions-decisions/gd_ascentis_12092023.pdf | Protection | Breach of the Protection Obligation by Ascentis | https://www.pdpc.gov.sg/all-commissions-decisions/2023/10/breach-of-the-protection-obligation-by-ascentis | 2023-11-10 | PERSONAL DATA PROTECTION COMMISSION [2023] SGPDPC 10 Case No. DP-2209-C0193 / DP-2209-C0217 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Ascentis Pte. Ltd. … Organisation DECISION 1 Ascentis Pte. Ltd. Wong Huiwen Denise, Deputy Commissioner - Case No. DP-2209-C0193 / DP2209-C0217 12 September 2023 Introduction 1 On 13 September 2022, the Personal Data Protection Commission (the “Commission”) was notified by the Singapore Computer Emergency Response Team that the personal data of 332,774 individuals had been exfiltrated from an eCommerce platform (the “Platform”) owned by Starbucks Coffee Singapore Pte Ltd (“Starbucks SG”) and offered for sale online (the “Incident”). 2 The Commission commenced investigations to determine whether the circumstances of the Incident disclosed any contraventions of the Personal Data Protection Act 2012 (“PDPA”). For the reasons set out below, the Commission determined that the developer of the Platform, Ascentis Pte Ltd (“the Organisation”) had contravened section 24 of the PDPA (“the Protection Obligation”) in the context of the Incident. 3 The Organisation requested and agreed for the investigation to be handled under the Commission’s Expedited Breach Decision Procedure, and voluntarily provided and admitted to the facts set out below. The Organisation also admitted that 2 it had failed to implement reasonable security arrangements to protect the personal data exfiltrated during the Incident, in breach of the Protection Obligation. 4 The Commission also accepted a voluntary undertaking from Starbucks SG pursuant to section 48L(1)(a) of the PDPA for Starbucks SG to implement enhanced security arrangements to improve its compliance with the PDPA1. No further enforcement action was taken against Starbucks SG. Facts of the Case The CRM System and CRM Database 5 The Organisation is in the business of developing, providing and integrating software solutions for Customer Relationship Management and eCommerce. … | Financial Penalty | 1026 | { "sum": 10000, "max": 10000 } |
242 | 7a4a4651a7c96f00e8c2c8419676eae40aaa59a6 | A financial penalty of $82,000 was imposed on Tokyo Century Leasing for failing to put in place reasonable security arrangements to protect individuals' personal data in its possession or under its control. | [ "Protection", "Financial Penalty", "Finance and Insurance", "Vulnerability" ] | 10 Nov 2023 | https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/commissions-decisions/gd_tokyo_century_leasing_040923.pdf | Protection | Breach of the Protection Obligation by Tokyo Century Leasing | https://www.pdpc.gov.sg/all-commissions-decisions/2023/10/breach-of-the-protection-obligation-by-tokyo-century-leasing | 2023-11-10 | PERSONAL DATA PROTECTION COMMISSION [2023] SGPDPC 9 Case No. DP-2206-B9897 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Tokyo Century Leasing (Singapore) Pte. Ltd. … Organisation DECISION Page 1 of 14 Tokyo Century Leasing (Singapore) Pte. Ltd. Lew Chuen Hong, Commissioner - Case No. DP-2206-B9897 4 September 2023 Introduction 1 On 14 June 2022, the Personal Data Protection Commission (the “Commission”) was notified by Tokyo Century Leasing (Singapore) Pte. Ltd. (the “Organisation”) of a ransomware attack which resulted in the encryption of the personal data of 141,412 individuals (“Incident”). 2 The Organisation requested that the investigation be handled under the Commission’s Expedited Breach Decision Procedure. The Organisation voluntarily provided and admitted to the facts set out below, and admitted that it had failed to implement reasonable security arrangements to protect the personal data accessed and encrypted during the Incident, in breach of section 24 of the Personal Data Protection Act 2012 (“PDPA”). Facts of the Case 3 The Organisation is in the leasing and hire-purchase business. It operates a website through which existing or potential customers may submit applications to enter into hire-purchase or leasing agreements. Page 2 of 14 4 On 12 June 2022, the Organisation was notified by a customer that he was unable to submit an online application. The Organisation conducted an internal investigation and discovered that 7 servers and 6 employee computers had been infected with ransomware, resulting in the encryption of the personal data of 141,412 individuals, comprising: a) 111,156 customers whose personal data consisted of name, NRIC number, date of birth, address, contact number, income statement, email address, employer information, bank account, and additionally for foreign customers, their passport numbers and employment pass numbers; b) 30,220 guarantors whose personal data consisted of name, NRIC number, da… | Financial Penalty | 1026 | { "sum": 82000, "max": 82000 } |
1 | 744881dc66d0885a331e8f1152dede481f61376d | A financial penalty of $9,000 was imposed on Century Evergreen for failing to put in place reasonable security arrangements to protect the personal data of jobseekers in its possession or under its control. | [ "Protection", "Financial Penalty", "Employment", "URL manipulation" ] | 15 Sep 2023 | https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/commissions-decisions/gd_century_evergreen_260723.pdf | Protection | Breach of the Protection Obligation by Century Evergreen | https://www.pdpc.gov.sg/all-commissions-decisions/2023/09/breach-of-the-protection-obligation-by-century-evergreen | 2023-09-15 | PERSONAL DATA PROTECTION COMMISSION [2023] SGPDPCS 5 Case No. DP-2212-C0526 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Century Evergreen Private Limited SUMMARY OF THE DECISION 1. On 11 December 2022, the Personal Data Protection Commission (the “Commission”) received a complaint against Century Evergreen Private Limited (the “Organisation”) that images of identification documents (which includes the National Registration Identity Card) submitted by jobseekers to the Organisation were publicly accessible on the Organisation’s website (“Incident”). The Organisation is a manpower contracting services company and required jobseekers to submit their identification documents to verify the identity of and suitability of the jobseeker in question. 2. Following the complaint received, the Commission commenced investigations to determine the Organisation’s compliance with the Personal Data Protection Act 2012 (“PDPA”). The Organisation requested that the investigation be handled under the Commission’s Expedited Decision Procedure (“EDP”). This means that Page 1 of 5 the Organisation voluntarily provided and admitted to the facts set out in this decision. The Organisation also admitted that it failed to implement reasonable security arrangements to protect the personal data in its possession and control, and was in breach of section 24(a) of the PDPA. 3. The Organisation admitted that the Insecure Direct Object References (“IDOR”) vulnerability on its website, which allowed the complainant to manipulate the URL had existed from the time the website was launched on 9 November 2015. As a result of this vulnerability, 96,889 images of identification documents belonging to 23,940 individuals were downloaded from the Organisation’s website from 10 to 12 December 2022. 4. The Organisation admitted that it was in breach of section 24(a) of the PDPA as it failed to include any security requirements to protect personal data in its contract with the vendor who first de… | Financial Penalty | 1026 | { "sum": 9000, "max": 9000 } |
2 | 1de5ebc48b56070f669021dae389e599de142463 | A financial penalty of $3,000 was imposed on Autobahn Rent A Car for failing to put in place reasonable security arrangements to protect the personal data in its possession or under its control. Directions were also issued to strengthen access control measures to administrator accounts and to conduct reasonable security review of technical and administrative arrangements for the protection of personal data. | [ "Protection", "Financial Penalty", "Directions", "Others" ] | 15 Sep 2023 | https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/commissions-decisions/gd_autobahn-rent-a-car-pte-ltd_090623.pdf | Protection | Breach of the Protection Obligation by Autobahn Rent A Car | https://www.pdpc.gov.sg/all-commissions-decisions/2023/09/breach-of-the-protection-obligation-by-autobahn-rent-a-car | 2023-09-15 | PERSONAL DATA PROTECTION COMMISSION [2023] SGPDPCS 4 Case No. DP-2210-C0345 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Autobahn Rent A Car Pte. Ltd. SUMMARY OF THE DECISION 1 On 21 October 2022, Autobahn Rent A Car Pte. Ltd. (the “Organisation”) notified the Personal Data Protection Commission (the “Commission”) of a personal data breach (the “Incident”). 2 The Organisation operates a car-sharing service, Shariot, in Singapore. On 24 September 2022, the Organisation received customer feedback that a photograph on its mobile application had been replaced with a pornographic photograph. The Organisation discovered that the pornographic photograph had been uploaded through an unrevoked administrator account belonging to an ex-employee, who had Page 1 of 6 left the Organisation in May 2022. The ex-employee received an email from an unknown sender on 10 September 2022 stating that his personal laptop had been hacked and demanding Bitcoins as ransom payment. The threat actor was able to log into the Shariot’s mobile application administrator portal through the administrator account belonging to the ex-employee, and used the export CSV function to download a copy of the Shariot’s users personal data. 3 Subsequently, on 21 October 2022, a cybersecurity solutions provider alerted the Organisation of a cybercrime forum post offering the sale of a Shariot database containing personal data. The Commission commenced investigations to determine whether the Incident disclosed any breaches of the Personal Data Protection Act 2012 (“PDPA”) by the Organisation. 4 The Organisation requested, and the Commission agreed, for this matter to proceed under the Expedited Decision Breach Procedure. To this end, the Organisation voluntarily and unequivocally admitted to the facts set out in this decision. It admitted to a breach of the Protection Obligation under Section 24 of the PDPA. 5 The Organisation’s internal investigations discovered that compromise of the… | Financial Penalty, Directions | 1026 | { "sum": 3000, "max": 3000 } |
3 | 164701e6ac539f02a891698ef870888a3a54340a | A warning was administered to a registered salesperson of an estate agency for failing to (i) obtain clear and unambiguous consent; or (ii) check the Do Not Call Register before sending specified messages to individuals registered on the Do Not Call Register. | [ "Do Not Call Provisions", "Warning", "Real Estate" ] | 16 Aug 2023 | https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/commissions-decisions/gd_leon-wee_11072023-(004).pdf | Do Not Call Provisions | Breach of Duty to Check the Do Not Call Register by a Registered Salesperson | https://www.pdpc.gov.sg/all-commissions-decisions/2023/08/breach-of-duty-to-check-the-do-not-call-register-by-a-registered-salesperson | 2023-08-16 | PERSONAL DATA PROTECTION COMMISSION [2023] SGPDPC 8 Case No. ENF-DNC-221129-0007 & Others In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Wee Jing Kai Leon … Person DECISION 1 Wee Jing Kai Leon Wong Huiwen Denise, Deputy Commissioner — Case No. ENF-DNC-221129-0007 & Others 11 July 2023 Introduction 1 The Do Not Call Registry (“DNC Registry”) is a national database kept and maintained by the Personal Data Protection Commission (the “Commission”) pursuant to section 39 of the Personal Data Protection Act 2012 (“PDPA”). Persons may register their Singapore telephone numbers with the DNC Registry so as to not receive unsolicited telemarketing calls and messages. The DNC Registry comprises of 3 separate registers (i) the No Text Message Register, (ii) the No Voice Call Register, and (iii) the No Fax Message Register. 2 Between November 2022 and March 2023, the Commission received ten (10) complaints that one Wee Jing Kai Leon (“Individual”) had sent unsolicited telemarketing messages to telephone numbers registered on the No Text Message Register of the DNC Registry (the “Complaints”). 2 3 The Commission commenced investigations to determine whether there had been any breaches of the “Do Not Call” provisions in Part 9 and 9A of the PDPA (“DNC Provisions”). Facts of the Case 4 The Individual is a real estate salesperson registered with Propnex Realty Pte Ltd since 2006. Over the years, the Individual collated a list of 2,918 Singapore telephone numbers (the “Marketing List”). 5 Of the 2,918 telephone numbers in the Marketing List, 1,224 were registered with the No Text Message Register of the DNC Registry on or around 31 March 2023. 6 The Individual did not send any marketing messages to the telephone numbers on his Marketing List before November 2022 and only admitted to sending a short messaging service message each month from November 2022 to March 2023 (the “SMS Messages”) to the telephone numbers on the Marketing List to offer, advert… | Warning | 1026 | { "sum": 0, "max": 0 } |
4 | 49923597330166df99689526d0c7ff419dc4239e | A financial penalty of $74,400 was imposed on Ecommerce Enablers for failing to put in place reasonable security arrangements to protect users' personal data in its possession or under its control. | [ "Protection", "Financial Penalty", "Wholesale and Retail Trade" ] | 16 Aug 2023 | https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/commissions-decisions/decision---ecommerce-enablers.pdf | Protection | Breach of the Protection Obligation by Ecommerce Enablers | https://www.pdpc.gov.sg/all-commissions-decisions/2023/08/breach-of-the-protection-obligation-by-ecommerce-enablers | 2023-08-16 | PERSONAL DATA PROTECTION COMMISSION [2023] SGPDPC 6 Case No. DP-2009-B7056 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And E-Commerce Enablers Pte. Ltd. … Organisation DECISION Page 1 of 11 E-Commerce Enablers Pte. Ltd. Lew Chuen Hong, Commissioner — Case No. DP-2009-B7056 16 May 2023 Introduction 1 On 25 September 2020, E-Commerce Enablers Pte. Ltd. (“Organisation”) notified the Personal Data Protection Commission (“PDPC”) and its customers of an incident involving unauthorised access to its customer data servers (the “Incident”). PDPC subsequently received 2 complaints from the Organisation’s customers in relation to the Incident. On 12 November 2020, the Organisation's customer database was offered for sale on an online forum indicating that personal data was exfiltrated during the Incident. 2 PDPC commenced investigations to determine the Organisation’s compliance with the Personal Data Protection Act 2012 (“PDPA”) in relation to the Incident. Facts of the Case 3 The Organisation runs an online platform offering cashback for purchases made through affiliated merchant programs. The platform also provides coupons, voucher codes, and comparison features with discounts for users. 4 At the time of the Incident, the Organisation hosted its customer database on virtual servers in an Amazon Web Services (“AWS”) cloud environment (“Customer Page 2 of 11 Storage Servers”). The Organisation employed a 12-man Site Reliability Engineering (“SRE”) team whose responsibilities included maintaining the Organisation’s infrastructure, providing, and managing the Organisation’s cloud environment on AWS, and ensuring security of the AWS keys. The SRE team made use of an AWS access key with full administrative privileges (the “AWS Key”) for the purposes of its work, including infrastructure deployment. Only SRE team members had access to, and were authorised to use, the AWS Key. On 4 June 2019, the AWS Key was inadvertently committed to software code in a pr… | Financial Penalty | 1026 | { "sum": 74400, "max": 74400 } |
5 | 4c2c4d4c3970d9fe92280ecca85e9ffab961b7e2 | A financial penalty of $58,000 and $10,000 was imposed on Fullerton Healthcare and Agape CP Holdings respectively for failing to put in place reasonable security arrangements to protect personal data belonging to Fullerton Healthcare’s corporate clients and direct patients. Directions were also issued to both organisations to review and enhance processes relating to data handling processes, security audits and access controls to bolster their data protection arrangements. | [ "Protection", "Financial Penalty", "Directions", "Healthcare", "Public access" ] | 22 Jun 2023 | https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/commissions-decisions/gd_fullerton-healthcare-group-and-agape-cp-holdings_230323.pdf | Protection | Breach of the Protection Obligation by Fullerton Healthcare and Agape CP Holdings | https://www.pdpc.gov.sg/all-commissions-decisions/2023/06/breach-of-the-protection-obligation-by-fullerton-healthcare-and-agape-cp-holdings | 2023-06-22 | PERSONAL DATA PROTECTION COMMISSION [2023] SGPDPC 5 Case Nos. DP-2110-B9054 / DP-2110-B9060 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And (1) Fullerton Healthcare Group Pte Limited (UEN No. 201020358N) (2) Agape CP Holdings Pte. Ltd. (UEN No. 201435153E) … Organisations DECISION 1 (1) Fullerton Healthcare Group Pte Limited (2) Agape CP Holdings Pte. Ltd. Lew Chuen Hong, Commissioner — Case Nos. DP-2110-B9054 / DP-2110-B9060 23 March 2023 Introduction 1 On 19 October 2021 and 21 October 2021, Fullerton Healthcare Group Pte Limited (“FHG”) and Agape CP Holdings Pte. Ltd. (“Agape”) respectively notified the Personal Data Protection Commission (the “Commission”) that the personal data of FHG’s customers had been accessed, exfiltrated, and offered for sale on the dark web (the “Incident”). The Commission commenced investigations to determine whether the Incident disclosed any breaches of the Personal Data Protection Act 2012 (“PDPA”) by FHG and Agape. 2 On 11 January 2022 and 12 January 2022 respectively, FHG and Agape requested for the investigations to be handled under the Commission’s Expedited Decision Procedure. In this regard, FHG and Agape voluntarily provided and admitted to the facts set out below and admitted that they had failed to implement reasonable 2 security arrangements to protect the personal data accessed and exfiltrated in the Incident in breach of section 24 of the PDPA (the “Protection Obligation”). Facts of the Case 3 FHG is an enterprise healthcare service provider which provides healthcare services to individuals and employees of its corporate clients. In 2018, FHG engaged Agape, a business process outsourcing provider and social enterprise, to provide call centre and appointment booking services for its customers (the “Services”). As part of its social enterprise initiatives, Agape engaged inmates from Changi Women’s Prison (the “Agents”) to assist in provision of the Services for FHG’s customers. 4 In order to c… | Financial Penalty, Directions | 1026 | { "sum": 68000, "max": 58000 } |
6 | 4f684cc6bda16b38b1d8b076e965b1291cb38daa | Directions were issued to Kingsforce Management Services to ensure the implementation of regular patching, updates and upgrades for all software and firmware supporting its website(s) and application through which personal data in its possession may be accessed. | [ "Protection", "Directions", "Employment", "Protection", "Patching" ] | 11 May 2023 | https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/commissions-decisions/gd_kingsforcemanagementservicespteltd_100323.pdf | Protection | Breach of the Protection Obligation by Kingsforce Management Services | https://www.pdpc.gov.sg/all-commissions-decisions/2023/05/breach-of-the-protection-obligation-by-kingsforce-management-services | 2023-05-11 | PERSONAL DATA PROTECTION COMMISSION [2023] SGPDPCS1 Case No. DP-2202-B9480 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Kingsforce Management Services Pte Ltd SUMMARY OF THE DECISION 1. On 31 January 2022, the Personal Data Protection Commission (the “Commission”) was notified by Kingsforce Management Services Pte Ltd (the “Organisation”) of the sale on RaidForums, on or about 27 December 2021, of data from its jobseeker database (the “Incident”). 2. The affected database held approximately 54,900 jobseeker datasets, comprising name, address, email address, telephone number, date of birth, job qualifications, last and expected salary, highest qualification and other data related to job searches. 3. External cyber security investigators identified outdated website coding technology, with critical vulnerabilities, as the cause of the Incident. 4. The Commission accepted the Organisation’s request for handling under the Commission’s expedited breach decision procedure. The Organisation voluntarily provided and unequivocally admitted to the facts set out in this decision, and to breach of section 24 of the Personal Data Protection Act (“the PDPA”). 5. The Organisation admitted work had not been completed on the website at launch owing to contractual disputes with the developer. The Organisation subsequently engaged IT maintenance vendors in an effort to ensure the security of the website. However, maintenance had been ad-hoc and limited to troubleshooting functionality issues from bugs, glitches and/or when a page failed to load. 6. In breach of the Protection Obligation, the Organisation failed to provide sufficient clarity and specifications to its vendors on how to protect its database and personal data. In Re Civil Service Club, the Commission had pointed out that organisations that engage IT vendors can provide clarity and emphasize the need for personal data protection to their IT vendors by a) making it part of their contractual terms, and b) revi… | Directions | 1026 | { "sum": 0, "max": 0 } |
7 | 0522fd596b126290db25c071ce3a958ab509ac43 | A financial penalty of $8,000 was imposed on Fortytwo for failing to put in place reasonable security arrangements to protect the personal data in its possession. Fortytwo was also issued directions to complete the upgrading of its website to a supported software version, including vulnerability assessment and penetration testing. | [ "Protection", "Financial Penalty", "Directions", "Wholesale and Retail Trade", "Patching" ] |
11 May 2023 | https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/commissions-decisions/gd_fortytwo070323.pdf | Protection | Breach of the Protection Obligation by Fortytwo | https://www.pdpc.gov.sg/all-commissions-decisions/2023/05/breach-of-the-protection-obligation-by-fortytwo | 2023-05-11 | PERSONAL DATA PROTECTION COMMISSION [2023] SGPDPCS 3 Case No. DP-2112-B9354 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Fortytwo Pte. Ltd. SUMMARY OF THE DECISION 1. On 24 December 2021, Fortytwo Pte. Ltd. (the “Organisation”), an online furniture store, notified the Personal Data Protection Commission (the “Commission”) of malicious code injections on its website which led to the capturing of the email address and password of 6,241 individuals when they logged in to its website (the “Incident”). The name, credit card number, expiry date and CVV/CVN number of another 98 individuals were also affected. 2. The Organisation requested for the matter to be handled under the Commission’s expedited breach decision procedure. This means that the Organisation voluntarily provided and unequivocally admitted to the facts set out in this decision; and admitted that it was in breach of section 24 of the Personal Data Protection Act (the “PDPA”). 3. An issue that arose in this case is whether fictitious names or pseudonymous personal particulars form part of the personal data under the possession or control of the Organisation. The importance of this lies in how it may potentially reduce the size of the dataset that was at risk. In their addendum to the Written Statement, the Organisation stated that it does not verify the names provided by the users, and suggested that the impact of the Incident might be more limited as some of the users’ names may be incomplete, fictitious or pseudonymous. 4. 
Section 2(1) of the PDPA defines “personal data” to be data, whether true or not (emphasis added), about an individual who can be identified from that data; or from that data and other information to which the organisation has or is likely to have access. The PDPA caters for the situation where not every record of personal data that is under the possession or control of an Organisation is verified. It takes a practical approach, as the accuracy of persona… | Financial Penalty, Directions | 1026 | { "sum": 8000, "max": 8000 } |
8 | 8106c634b6b0203cec610bf06c6ad26a61753305 | Directions were issued to The Law Society of Singapore to conduct a security audit of its technical and administrative arrangements for accounts with administrative privileges that can access directly and/or create access to personal data, and to rectify any gaps identified. This is pursuant to a data breach incident where The Law Society’s servers were subjected to a ransomware attack. | [ "Protection", "Directions", "Professional", "Scientific and Technical", "Ransomware", "Patching", "Security", "Password" ] |
11 May 2023 | https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/commissions-decisions/gd_lawsocietyofsingapore_140323.pdf | Protection | Breach of the Protection Obligation by The Law Society of Singapore | https://www.pdpc.gov.sg/all-commissions-decisions/2023/05/breach-of-the-protection-obligation-by-the-law-society-of-singapore | 2023-05-11 | PERSONAL DATA PROTECTION COMMISSION [2023] SGPDPC 4 Case No. DP-2102-B7850 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And The Law Society of Singapore … Organisation DECISION 1 The Law Society of Singapore Yeong Zee Kin, Deputy Commissioner — Case No. DP-2102-B7850 14 March 2023 Introduction 1 On 4 February 2021, the Law Society of Singapore (the “Organisation”) notified the Personal Data Protection Commission (the “Commission”) of a ransomware attack on its servers which had encrypted and denied the Organisation access to the personal data of its members and former members (the “Incident”). The Commission commenced investigations to determine whether the circumstances behind the Incident disclosed any breaches by the Organisation of the Personal Data Protection Act 2012 (“PDPA”). Facts of the Case 2 The Organisation is a body corporate established under the Legal Profession Act 1966 and represents members of the legal profession in Singapore. Every advocate and solicitor called to the Singapore bar is a statutory member of the Organisation as long as they have a practising certificate in force. At the material time, the Organisation stored the personal data of its current and former members (“Members”) in one of its servers for the purposes of carrying out its statutory functions. 3 The Organisation had implemented an off-the-shelf secure VPN solution, FortiOS, to manage remote access to its servers (the “VPN System”). The Organisation also engaged a vendor (the “Vendor”) to provide IT support services, including maintenance of the VPN System. 
For completeness, the Vendor was not the Organisation’s data intermediary as it did not access or process the personal data of the Members in the course of carrying out its IT support services. 4 The Organisation also implemented antivirus / malware detection software at the servers, and password complexity requirements for its users’ accounts. In particular, account passwords had a maximum lifes… | Directions | 1026 | { "sum": 0, "max": 0 } |
9 | 594bd70285f34f0a56588580f7770c61a497b635 | A financial penalty of $37,000 was imposed on OrangeTee & Tie for failing to put in place reasonable security arrangements to protect users' personal data in its possession or under its control. | [ "Protection", "Financial Penalty", "Real Estate" ] |
17 Apr 2023 | https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/commissions-decisions/gd_orangetee_210223.pdf | Protection | Breach of the Protection Obligation by OrangeTee & Tie | https://www.pdpc.gov.sg/all-commissions-decisions/2023/04/breach-of-the-protection-obligation-by-orangetee-and-tie | 2023-04-17 | PERSONAL DATA PROTECTION COMMISSION [2023] SGPDPC 3 Case No. DP-2108-B8712 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And OrangeTee & Tie Pte Ltd … Organisation DECISION OrangeTee & Tie Pte Ltd Lew Chuen Hong, Commissioner — Case No. DP-2108-B8712 21 February 2023 Introduction 1 On 4 August 2021, the Personal Data Protection Commission (“Commission”) contacted OrangeTee & Tie Pte Ltd (“Organisation”) after receiving information indicating that a threat actor had managed to exfiltrate databases in the Organisation’s possession, which were believed to contain personal data. 2 Subsequently, on 6 August 2021, the Organisation notified the Commission of an incident involving unauthorised access to its IT network (the “Incident”). The Organisation also gave a media statement on the same day informing members of the public about the Incident and inviting any concerned customers to contact the Organisation’s call centre for clarification. 3 The Commission then commenced investigations to determine the Organisation’s compliance with the Personal Data Protection Act 2012 (“PDPA”) in relation to the Incident. Facts of the Case 4 The Organisation is a real estate enterprise based in Singapore and has been in operation since 2000. 5 Four servers maintained by the Organisation were involved in the Incident, namely: the Production Web Server, the Production Database Server, the Development Web Server, and the Development Database Server. The Production Web Server and the Development Web Server (collectively the “Web Servers”) were internet-facing, in that they were directly accessible from the internet. 
The Production Web Server was linked to the Production Database Server, while the Development Web Server was linked to the Development Database Server. 6 The personal data of employees and customers of the Organisation was stored on the Production Database Server and the Development Database Server (collectively the “Database Servers”). The p… | Financial Penalty | 1026 | { "sum": 37000, "max": 37000 } |
10 | 401890cd7e54bef35f97e9ef1d6f54f0b14c97f1 | A warning was issued to an individual for using dictionary attack methods to generate telephone numbers which were then used for telemarketing purposes, thereby breaching section 48B of the PDPA. | [ "Do Not Call Provisions", "Warning", "Others", "Telemarketing" ] |
17 Apr 2023 | https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/commissions-decisions/gd_taishinfatt_140223.pdf | Do Not Call Provisions | Breach of Section 48B of the PDPA (Prohibition on Use of Dictionary Attacks) by an individual | https://www.pdpc.gov.sg/all-commissions-decisions/2023/04/breach-of-section-48b-of-the-pdpa-prohibition-on-use-of-dictionary-attacks-by-an-individual | 2023-04-17 | PERSONAL DATA PROTECTION COMMISSION [2023] SGPDPC 2 Case No. ENF-DNC-210826-0015 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Tai Shin Fatt … Individual DECISION Tai Shin Fatt Lee Ti-Ting, Assistant Commissioner - Case No. ENF-DNC-210826-0015 14 February 2023 Introduction 1 On 2 July 2021, the Personal Data Protection Commission (“the Commission”) was notified by the Singapore Police Force that the Singapore Civil Defence Force (“SCDF”) had received an influx of marketing calls between 25 and 28 June 2021 from telephone numbers registered to one LongSheng Consultancy Pte Ltd (“LongSheng”) on behalf of one Tai Shin Fatt (the “Individual”). The Commission commenced investigations to determine whether the circumstances relating to the calls disclosed any breaches of the Personal Data Protection Act 2012 (“PDPA”). Facts of the Case 2 The Individual is an insurance director with a large and well-known insurance company managing a team of 25 insurance agents. In an effort to conduct marketing calls more efficiently, the Individual sought to engage the services of 2 companies hereinafter referred to as the “Call Automation Vendor” and the “Checker”. 3 The Call Automation Vendor provides software to facilitate the making of automated calls using customised scripts. The Checker’s service comprises the provision of telephone numbers (from which automated calls could be made), and the provision of software to check whether the telephone numbers of intended recipients were registered with the Do Not Call Registry (“DNCR”). 
The systems / software of the Call Automation Vendor and the Checker were intended to work in tandem as follows: (a) the telephone numbers of intended recipients would be uploaded onto the Call Automation Vendor’s software; (b) the Checker’s software would check the DNCR for such telephone numbers; and (c) the Call Automation Vendor’s software would then avoid making any calls to the telephone numbers which appeared in the DNCR… | Warning | 1026 | { "sum": 0, "max": 0 } |
11 | 5ea63d13d601eae0d2d7844085d0af7b0bd96e19 | Sembcorp Marine was found not in breach of the PDPA in relation to an incident whereby threat actor(s) exfiltrated personal data by exploiting a zero-day vulnerability present in an application. | [ "Protection", "Not in Breach", "Others", "Ransomware", "No breach" ] |
10 Mar 2023 | https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/commissions-decisions/gd_sembcorp-marine-ltd_070223.pdf | Protection | No breach of the PDPA by Sembcorp Marine | https://www.pdpc.gov.sg/all-commissions-decisions/2023/03/no-breach-of-the-pdpa-by-sembcorp-marine | 2023-03-10 | PERSONAL DATA PROTECTION COMMISSION [2023] SGPDPCS 2 Case No. DP-2206-B9934 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Sembcorp Marine Ltd SUMMARY OF THE DECISION 1. On 25 July 2022, Sembcorp Marine Ltd (the “Organisation”) notified the Personal Data Protection Commission (the “Commission”) of a personal data breach that had occurred through the exploitation of the Log4J zero-day vulnerability (the “Incident”). 2. As a result of the Incident, the personal data of 25,925 individuals was exfiltrated. The personal data affected included their name, address, email address, NRIC number, telephone number, passport number, photograph, date of birth, bank account details, salary, and medical screening results. 3. The Organisation engaged an external cybersecurity company, Sygnia, to investigate the Incident. Its investigations found that the threat actor had exploited three Log4J vulnerabilities present in an application (the “Application”) to gain unauthorised access to a server as early as on 4 January 2022. The threat actor also deployed the “Cobalt Strike” beacon, conducted reconnaissance, and made lateral movements across several machines, before exfiltrating data between 10 and 23 June 2022, and deploying ransomware on 28 June 2022. 4. Threat intelligence research revealed that the ransomware campaign which affected the Organisation began targeting users of the Application in January 2022. 
Given that reports of the Log4J vulnerability were first made in December 2021, it would have been difficult for the Organisation to detect and prevent the infiltration when it was one of the early targets, having been infiltrated as early as 4 January 2022. 5. After finding out about the Log4J vulnerability, the Organisation took prompt actions to identify instances of Log4J vulnerabilities across all the software applications it was using. The Organisation started identifying instances of Log4J vulnerabilities across its systems on 14 December 2021. It appli… | Not in Breach | 1026 | { "sum": 0, "max": 0 } |
12 | 6077929908ce785c3568536cfbca3778aee53987 | A financial penalty of $62,400 was imposed on Eatigo International for failing to put in place reasonable security arrangements to protect users' personal data in its possession or under its control. | [ "Protection", "Financial Penalty", "Accommodation and F&B" ] |
10 Mar 2023 | https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/commissions-decisions/gd_eatigo-international-pte-ltd_211222.pdf | Protection | Breach of the Protection Obligation by Eatigo International | https://www.pdpc.gov.sg/all-commissions-decisions/2023/03/breach-of-the-protection-obligation-by-eatigo-international | 2023-03-10 | PERSONAL DATA PROTECTION COMMISSION [2022] SGPDPC 9 Case No. DP-2010-B7267 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Eatigo International Pte. Ltd. … Organisation DECISION Eatigo International Pte. Ltd. Lew Chuen Hong, Commissioner — Case No. DP-2010-B7267 21 December 2022 Introduction 1. For an organisation to effectively safeguard the personal data in its possession or control, it must first know what its personal data assets are. The surest way to ensure such visibility is to maintain a comprehensive personal data asset inventory. This case is, amongst other things, a cautionary tale of the consequences of not maintaining a proper personal data asset inventory. 2. On 29 October 2020, the Personal Data Protection Commission (the “Commission”) was notified by a third party about a possible data leak by Eatigo International Pte. Ltd. (the “Organisation”). A cache of personal data that was suspected to be from the Organisation’s database was being offered for sale on an online forum (the “Incident”). Facts of the Case 3. The Organisation provides an online restaurant reservation platform which offers incentives such as discounts to its users. In its daily operations, it regularly collects and processes the personal data of its users in order to facilitate restaurant reservations and the provision of incentives. 4. 
After the Commission was notified of the Incident, it informed the Organisation on 30 October 2020 of an online forum purportedly selling the personal data from various e-commerce websites, including a database containing personal data that were suspected to have been obtained from the Organisation. Separately, the Organisation was also notified of the Incident on the same day by a user and a Channel News Asia journalist. The Organisation proceeded to carry out investigations. 5. The Organisation’s investigations revealed that the personal data for sale on the online forum did not match any curren… | Financial Penalty | 1026 | { "sum": 62400, "max": 62400 } |
13 | 4e0e470f4317bc93c6ef527ca6f4dccd148ba6f5 | Directions were issued to CPR Vision Management Pte Ltd to conduct a security audit of its technical and administrative arrangements for the protection of personal data in its possession or control and rectify any security gaps identified in the audit report. This is pursuant to a data breach incident where CPR Vision Management Pte Ltd’s server and network storage devices were subjected to a ransomware attack. | [ "Protection", "Directions", "Others", "Ransomware", "Data Intermediary", "Retention" ] |
10 Feb 2023 | https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/commissions-decisions/decision---cpr-vision-management-pte-ltd---071222.pdf | Protection | Breach of the Protection Obligation by CPR Vision Management Pte Ltd | https://www.pdpc.gov.sg/all-commissions-decisions/2023/02/breach-of-the-protection-obligation-by-cpr-vision-management-pte-ltd | 2023-02-10 | PERSONAL DATA PROTECTION COMMISSION [2022] SGPDPCS 17 Case No. DP-2207-B8974 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And CPR Vision Management Pte Ltd L’Oreal Singapore Pte Ltd L’Occitane Singapore SUMMARY OF THE DECISION 1. The Personal Data Protection Commission (the “Commission”) received data breach notification reports from (i) L’Oreal Singapore Pte Ltd (“L’Oreal”) on 29 October 2021 and (ii) L’Occitane Singapore Pte Ltd (“L’Occitane”) on 1 November 2021 respectively of a ransomware attack on their customer relationship management (“CRM”) system vendor, CPR Vision Management Pte Ltd (the “Organisation”). The Organisation is a data intermediary that helped to process personal data collected by L’Oreal and L’Occitane. 2. The ransomware attack affected a server and three network attached storage (“NAS”) devices in the Organisation’s office (“office network”), and led to the encryption of the personal data belonging to 83,640 L’Occitane’s customers and 35,079 L’Oreal’s customers, which included their name, address, email address, mobile number, NRIC number, date of birth, age, gender, race, nationality, loyalty points and amount spent. 3. The Organisation requested, and the Commission agreed, for this matter to proceed under the Expedited Decision Breach Procedure. To this end, the Organisation voluntarily and unequivocally admitted to the facts set out in this decision. 
It also admitted to a breach of the Protection Obligation under Section 24 and the Retention Limitation Obligation under Section 25 of the Personal Data Protection Act (the “PDPA”). 4. The Organisation’s internal investigations found the threat actor had first gained access to the office network via a compromised user account VPN connection on 13 October 2021 before executing the ransomware attack on or about 15 October 2021. However, due to the limited data logs available on the Organisation’s FortiGate firewall and VPN appliance, the Organisation was not able to determi… | Directions | 1026 | { "sum": 0, "max": 0 } |
14 | e08a6cf6b7938892a8733cdb635797bd2a2bac27 | RedMart had failed to obtain consent and inform its suppliers of the purpose for collecting images of the physical NRICs and other identification documents. However, the Commission had subsequently assessed that RedMart had met the requirements for reliance on the Legitimate Interests Exception and complied with the proposed direction. As such, no direction was issued to RedMart. | [ "Consent", "Notification", "Purpose Limitation", "No Further Action", "Wholesale and Retail Trade" ] |
10 Feb 2023 | https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/commissions-decisions/decision---redmart-limited---18012023.pdf | Consent, Notification, Purpose Limitation | Breach of the Consent, Notification and Purpose Limitation Obligations by RedMart | https://www.pdpc.gov.sg/all-commissions-decisions/2023/02/breach-of-the-consent,-notification-and-purpose-limitation-obligations-by-redmart | 2023-02-10 | PERSONAL DATA PROTECTION COMMISSION Case No. DP-2105-B8405 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And RedMart Limited … Organisation DECISION RedMart Limited [2023] SGPDPC 1 Yeong Zee Kin, Deputy Commissioner — Case No. DP-2105-B8405 18 January 2023 Introduction 1 On 31 May 2021, the Personal Data Protection Commission (the “Commission”) received a complaint that RedMart Limited (the “Organisation”) was collecting images of the physical NRICs and other identification documents of suppliers making deliveries to its warehouses (the “Incident”), and that this practice did not appear to be in compliance with the Personal Data Protection Act 2012 (“PDPA”). Facts of the Case 2 Investigations revealed that the Organisation operated two warehouses at 47 Jalan Buroh, CWT Distripark, Singapore 619491 (“Warehouses”) which were used to store goods and produce sold by the Organisation. The Warehouses were regularly visited by suppliers delivering goods and produce (“Visitors”), and the Organisation implemented measures to regulate such Visitors’ access to the Warehouses. Security checkpoints at the Warehouses used an Organisation-issued tablet computer (“Tablet”) to take photographs of Visitors’ NRIC or other identification documents (“ID Photographs”). The Organisation said it collected ID Photographs from Visitors seeking access to areas where food safety risks had to be managed. 
The Organisation explained that these measures are intended to deter acts that could compromise food safety and facilitate investigations of food safety incidents. 3 Prior to the Incident, there were no notices at the Warehouses’ security checkpoints informing Visitors of the purpose for collection of ID Photographs. After being notified by the Commission of the Incident, the Organisation put up notices at the Warehouses’ security checkpoints to inform Visitors of the purpose of collection of ID Photographs. Findings and Basis for Determination … | No further action | 1026 | { "sum": 0, "max": 0 } |
15 | e610db14a26defd39186316793d1161e4828f627 | Directions were issued to Thomson Medical to conduct a scan of the web to ensure no publication of affected personal data online and to include in the review of its application deployment process measures such as the arrangements for security testing and the implementation of a data retention policy. This is pursuant to a data breach incident from an unsecured Health Declaration Portal which enabled public access to visitors' personal data. | [ "Protection", "Directions", "Healthcare" ] |
19 Dec 2022 | https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/commissions-decisions/decision---thomson-medical-pte-ltd---140922.pdf | Protection | Breach of the Protection Obligation by Thomson Medical | https://www.pdpc.gov.sg/all-commissions-decisions/2022/11/breach-of-the-protection-obligation-by-thomson-medical | 2022-12-19 | PERSONAL DATA PROTECTION COMMISSION [2022] SGPDPCS 15 Case No. DP-2010-B7246 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Thomson Medical Pte. Ltd. SUMMARY OF THE DECISION 1. On 26 October 2020, the Personal Data Protection Commission (the “Commission”) was notified that the Thomson Medical Pte. Ltd. (the “Organisation”) Health Declaration Portal was not secure, enabling public access to the personal data of visitors (the “Incident”) stored in a CSV (comma separated values) file. 2. Visitor data collected on the Organisation’s Health Declaration Portal had been stored concurrently in a publicly-accessible CSV file as well as a secured database from 16 April 2020, when the health declaration portal was first used by the Organisation, to 8 September 2020, when the storage of the visitor data was changed to only the secured database instead of the CSV file. The CSV file was hosted on the Organisation’s web server. 3. The Organisation admitted that, contrary to the instructions given to the employee to switch the data storage from the CSV file to the secured database exclusively, and the organisation’s protocols, its in-house developer had omitted to remove the software code causing the visitor data to be stored in the CSV file, and the same in-house developer had omitted to change the default web server configuration, thereby allowing public access to the hosted CSV file. The switch to storage in a secured database would have ensured access controls by requiring a user login ID and secure password protection, as well as encryption of data transfers using SSL certificates. 
The access controls would ensure that only authorized users would be able to access the data. 4. The Commission’s investigations revealed that the affected CSV file contained the personal data of 44,679 of the Organisation’s visitors, including the date and time of visit, temperature, type of visitor (purpose of visit), name of visitor, name of newborn, contact number, NRIC/FIN/passport num… | Directions | 1026 | { "sum": 0, "max": 0 } |
16 | cc1d8042558bb8bf9a04fb40db4bac6dd68fa918 | A financial penalty of $72,000 was imposed on RedMart for failing to put in place reasonable security arrangements to protect the personal data in its possession or under its control. | [ "Protection", "Financial Penalty", "Wholesale and Retail Trade" ] |
19 Dec 2022 | https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/commissions-decisions/decision---redmart-limited---28102022.pdf | Protection | Breach of the Protection Obligation by RedMart | https://www.pdpc.gov.sg/all-commissions-decisions/2022/11/breach-of-the-protection-obligation-by-redmart | 2022-12-19 | PERSONAL DATA PROTECTION COMMISSION Case No. DP-2010-B7266 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And RedMart Limited … Organisation DECISION RedMart Limited [2022] SGPDPC 8 Lew Chuen Hong, Commissioner — Case No. DP-2010-B7266 28 October 2022 Introduction 1 Many organisations rely on web-based application programming interfaces (“API”) to enable computers or computer programs to communicate and facilitate the sharing of data between them. API keys are in turn used to authenticate users seeking to access APIs. If an organisation fails to implement reasonable security measures to safeguard the security of their API keys, this may allow threat actors unauthorised access to large troves of data stored within multiple interconnected environments. 2 On 29 October 2020, the Personal Data Protection Commission (“the Commission”) was notified that a database containing personal data of the customers of RedMart Limited (the “Organisation”) was being offered for sale on an online forum (the “Incident”). Subsequently, the Commission commenced investigations to determine whether the circumstances relating to the Incident disclosed any breaches by the Organisation of the Personal Data Protection Act 2012 (“PDPA”). Facts of the Case 3 The Organisation operated an online platform selling groceries and fresh produce to consumers. In 2016, the Organisation was acquired by Lazada Group (“Lazada”). Thereafter, the Organisation began to integrate its platform with Lazada’s online platform. The customer-facing website and mobile application ceased operations on 15 March 2019. 
However, on the back end, the migration and integration of the Organisation’s system into Lazada’s system was not completed by that time. It is worth setting out in some detail the Organisation’s information technology architecture to understand the backdrop against which the Incident occurred. 4 From March 2012 until its acquisition by Lazada, the Organisation’s business applicati… | Financial Penalty | 1026 | { "sum": 72000, "max": 72000 } |
17 | 662eb188414e97c7216aa86b2281ccf205e554f1 | Directions were issued to both Shopify Commerce Singapore and Supernova to put in place a process to ensure compliance with the Transfer Limitation Obligation following a data breach incident of Shopify Inc's database. | [ "Transfer Limitation", "Directions", "Others", "Data Intermediary" ] |
18 Nov 2022 | https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/commissions-decisions/gd_supernova-pte-ltd_06102022.pdf | Transfer Limitation | Breach of the Transfer Limitation Obligation by Shopify Commerce Singapore and Supernova | https://www.pdpc.gov.sg/all-commissions-decisions/2022/11/breach-of-the-transfer-limitation-obligation-by-shopify-commerce-singapore-and-supernova | 2022-11-18 | PERSONAL DATA PROTECTION COMMISSION [2022] SGPDPC 7 Case No: DP-2103-B8147 / DP-2206-B9935 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And (1) Supernova Pte Ltd (2) Shopify Commerce Singapore Pte Ltd … Organisation DECISION Supernova Pte Ltd & Anor Yeong Zee Kin, Deputy Commissioner — Case No. DP-2103-B8147/ DP-2206-B9935 6 October 2022 Introduction 1 On 8 October 2020, the Personal Data Protection Commission (the “Commission”) was notified by Supernova Pte Ltd (“SNPL”) of a data breach incident of Shopify Inc’s database affecting the personal data of certain Singapore-based customers (the “Incident”). The Commission commenced investigations to determine whether the circumstances relating to the Incident disclosed any breaches of the Personal Data Protection Act 2012 (“PDPA”). Facts of the Case Background 2 Shopify Inc (“Shopify”) is a company based in Canada that operates an e-commerce platform for online retailers to conduct sales (the “Platform”). SNPL is an online retailer that began using the Platform in 2018 to sell its products to customers. Shopify provided payment processing and other services (the “Services”) to SNPL pursuant to the Shopify Plus Agreement, executed by Shopify and SNPL on 4 December 2018. 
Shopify Commerce Singapore Pte Ltd (“Shopify SG”) acted as the Asia-Pacific data sub-processor of Shopify pursuant to the Shopify Data Processing Addendum to the Shopify Plus Agreement, and its role was confined to collecting customer personal data (including SNPL’s) via the Platform and transferring the data out of Singapore to Shopify for both Purchase Processing and Platform Processing. 3 The Platform collected personal data from customers of its online retailers for two broad sets of purposes. First, to facilitate billing, payment and shipping on behalf of the Platform’s online retailers (“Purchase Processing”). Second, for Shopify’s own commercial and administrative purposes. This mainly included th… | Directions | 1026 | { "sum": 0, "max": 0 } |
18 | c08d0fc027cecea4d643050732575fc9882dae38 | A financial penalty of $58,000 was imposed on Farrer Park Hospital for failing to put in place reasonable security arrangements to protect the personal data in its possession or under its control. | [ "Protection", "Financial Penalty", "Healthcare" ] |
18 Nov 2022 | https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/commissions-decisions/gd_farrer-park-hospital-pte-ltd_15092022.pdf | Protection | Breach of the Protection Obligation by Farrer Park Hospital | https://www.pdpc.gov.sg/all-commissions-decisions/2022/11/breach-of-the-protection-obligation-by-farrer-park-hospital | 2022-11-18 | PERSONAL DATA PROTECTION COMMISSION [2022] SGPDPC 6 Case No. DP-2007-B6646 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Farrer Park Hospital Pte Ltd … Organisation DECISION Farrer Park Hospital Pte Ltd Lew Chuen Hong, Commissioner — Case No. DP-2007-B6646 15 September 2022 Introduction 1 On 23 July 2020, the Personal Data Protection Commission (the “Commission”) received a data breach notification from Farrer Park Hospital Pte Ltd (the “Organisation”). The Organisation discovered that between 8 March 2018 and 25 October 2019, 9,271 emails had been automatically forwarded from two employees’ (the “Employees”) Microsoft Office 365 work email accounts (the “Email Accounts”) to a third-party’s email address (the “Third Party”), thereby disclosing the personal data of 3,539 unique individuals (the “Incident”). Background 2 The Organisation is a private tertiary healthcare institute that provides a range of healthcare services. The nature of the Organisation’s operations requires its employees to regularly handle highly sensitive personal data of past, present, and prospective patients. At the material time, the Employees were part of the Organisation’s marketing department which, inter alia, processes requests for the Organisation’s medical services via email. 
The email requests received by the Organisation’s marketing department contain personal data pertinent to the medical treatment(s) requested by individuals including: (a) Name; (b) Gender; (c) Nationality; (d) Date of Birth; (e) NRIC Number (full and partial); (f) Passport details (including Passport numbers); (g) Contact number; (h) Photograph; and (i) Medical information, including the following (the “Medical Information”): (i) Medical Condition(s) – namely, patient’s health condition(s), including doctor’s diagnosis, brief description of the health condition provided by the patient or an appointment with a special… | Financial Penalty | 1026 | { "sum": 58000, "max": 58000 } |
19 | 786f98709969cc28a271155c0bb1ad2099147fe2 | QCP Capital was found not in breach of the PDPA in relation to an incident whereby threat actor(s) exfiltrated personal data via unauthorised access to an employee's account. | [ "Protection", "Not in Breach", "Finance and Insurance" ] |
25 Oct 2022 | https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/commissions-decisions/decision---qcp-capital-pte-ltd---16092022-(002).pdf | Protection | No Breach of the Protection Obligation by QCP Capital | https://www.pdpc.gov.sg/all-commissions-decisions/2022/10/no-breach-of-the-protection-obligation-by-qcp-capital | 2022-10-25 | PERSONAL DATA PROTECTION COMMISSION [2022] SGPDPCS 16 Case No. DP-2108-B8816 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And QCP Capital Pte Ltd SUMMARY OF THE DECISION 1. On 30 August 2021, QCP Capital Pte Ltd (the “Organisation”) notified the Personal Data Protection Commission (the “Commission”) of a personal data breach that had occurred through an unauthorised access to employee accounts and exfiltration of customer personal data (the “Incident”). 2. As a result of the Incident, the personal data of 675 individuals was exfiltrated. The personal data affected includes name, NRIC number, date of birth, address, passport scan, passport number, photograph, email address, phone number, Telegram and WeChat ID, whitelisted address and trading records (which included the account balances, buy/sell/settlement activities). 3. The Organisation engaged an external cybersecurity company, Blackpanda Pte Ltd, to investigate the Incident. Its investigations found that the threat actor(s) had accessed two accounts, belonging to one employee, to gain unauthorised access to the Organisation’s systems and subsequently exfiltrated personal data. 4. Investigations revealed that the Organisation had provided and made reasonable security arrangements to protect personal data in its possession and/or control in relation to the Incident. The Organisation also had an internal monitoring system in place which allowed the Organisation to detect, escalate the anomalous transaction, flag and suspend the trading account affected. 5. 
Following the Incident, the Organisation took prompt and extensive remedial action to mitigate the effects of the Incident and enhance the overall robustness of its security measures. This included notifying the affected individuals, layering access controls and introducing mandatory hardware key access authentication. 6. In view of the above, the Deputy Commissioner for Personal Data Protection is satisfied that the Organisation was … | Not in Breach | 1026 | { "sum": 0, "max": 0 } |
20 | 840cb375cc55d93403f4973e8e5f349d8014d941 | A financial penalty of $26,000 was imposed on Cognita Asia Holdings for failing to put in place reasonable security arrangements to protect the personal data in its possession from a ransomware attack. | [ "Protection", "Financial Penalty", "Education", "Ransomware", "Schools" ] |
25 Oct 2022 | https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/commissions-decisions/decision---cognita-asia-holdings-pte-ltd---09062022.pdf | Protection | Breach of the Protection Obligation by Cognita Asia Holdings | https://www.pdpc.gov.sg/all-commissions-decisions/2022/10/breach-of-the-protection-obligation-by-cognita-asia-holdings | 2022-10-25 | PERSONAL DATA PROTECTION COMMISSION [2022] SGPDPCS 14 Case No. DP-2106-B8484 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Cognita Asia Holdings Pte Ltd SUMMARY OF THE DECISION 1. On 16 June 2021, Cognita Asia Holdings Pte Ltd (the "Organisation") notified the Personal Data Protection Commission (the “Commission”) of a ransomware attack on 13 June 2021. The ransomware incident (the "Incident") affected the servers of three schools run by the Organisation. 2. The ransomware encrypted the personal data of 1,260 individuals, of which 1,195 are students. The personal data included copies of identification/passport page, salaries of the affected employees and the bank account details necessary for the crediting of salaries. 3. The Organisation’s internal investigations found that the threat actor gained initial entry to one of the schools’ networks in April 2021 through a VPN session. The VPN logs showed no brute-force entry attempts, suggesting the use of compromised administrator account credentials. Investigations disclosed that between 8 and 12 June 2021, the threat actor gained broad network access and deployed the encrypting ransomware. 4. The Organisation requested that this matter proceed via the Expedited Decision Breach Procedure, which the Commission acceded to. To this end, the Organisation voluntarily and unequivocally admitted to the facts set out in this decision. It also admitted to a breach of section 24 of the Personal Data Protection Act (the "PDPA"), also referred to as the Protection Obligation. 5. 
At the time of the Incident, even though the Organisation employed VPN, the Organisation’s existing configuration of VPN required merely a username and password for authentication. However, the personal data collected and processed by the Organisation included copies of the photographic identification documents of students as well as salary and bank account information of employees. In view of the nature of personal data that it … | Financial Penalty | 1026 | { "sum": 26000, "max": 26000 } |
21 | ddb4e74ebdcdad5f6723ce170e67189349a37938 | A financial penalty of $60,000 was imposed on MyRepublic for failing to put in place reasonable security arrangements to protect the personal data in its possession. | [ "Protection", "Financial Penalty", "Information and Communications" ] |
15 Sep 2022 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---MyRepublic-Ltd---05082022.pdf | Protection | Breach of the Protection Obligation by MyRepublic | https://www.pdpc.gov.sg/all-commissions-decisions/2022/09/breach-of-the-protection-obligation-by-myrepublic | 2022-09-15 | PERSONAL DATA PROTECTION COMMISSION [2022] SGPDPC 5 Case No. DP-2108-B8814 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And MyRepublic Limited … Organisation DECISION MyRepublic Limited Lew Chuen Hong, Commissioner — Case No. DP-2108-B8814 5 August 2022 Introduction 1 On 29 August 2021, the Personal Data Protection Commission (“the Commission”) received information that MyRepublic Limited (“the Organisation”) had been the subject of a cyber incident. On 1 September 2021, the Organisation informed the Commission that a threat actor had exfiltrated and deleted customers’ personal data from its IT systems (the “Incident”). 2 The Organisation requested for the investigation to be handled under the Commission’s Expedited Breach Decision procedure. In this regard, the Organisation voluntarily provided and admitted to the facts set out below, and admitted that it had failed to implement reasonable security arrangements to protect the personal data accessed and exfiltrated in the Incident in breach of section 24 of the Personal Data Protection Act 2012 (“PDPA”). Facts of the Case 3 The Organisation is incorporated in Singapore, and is a telecommunications operator that holds a Facilities-Based Operations licence (“FBO Licence”) under Section 5 of the Telecommunications Act 1999. 4 At the time of the Incident, the Organisation accepted customer orders for mobile services through its Mobile Order Portal (“Portal”). 
The Organisation’s customers who applied for mobile services would submit their customer identity verification and number portability documents (the “KYC documents”) through the Portal, and the Portal would store the KYC documents in a bucket (the “Bucket”) on cloud-storage procured from Amazon Web Services (“AWS”). 5 While the Bucket was publicly accessible, its access was restricted through the use of an access key (the “Access Key”) in the Amazon Identity and Access Management feature. The Access Key could only b… | Financial Penalty | 1018 | { "sum": 60000, "max": 60000 } |
22 | 8caa57e041a25e1bc9ec97157ba7cc28530e5dfa | Directions were issued to Budgetcars to put in place appropriate contractual provisions, conduct a security audit of its technical and administrative arrangements for the security and maintenance of its website and rectify any security gaps identified in the audit report. This is pursuant to a data breach incident where personal data could be accessed by changing a few digits of the tracking ID. | [ "Protection", "Directions", "Transport and Storage" ] |
11 Aug 2022 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Budgetcars-Pte-Ltd---06072022.pdf | Protection | Breach of the Protection Obligation by Budgetcars | https://www.pdpc.gov.sg/all-commissions-decisions/2022/07/breach-of-the-protection-obligation-by-budgetcars | 2022-08-11 | PERSONAL DATA PROTECTION COMMISSION [2022] SGPDPCS 13 Case No. DP-2108-B8798 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Budgetcars Pte. Ltd. SUMMARY OF THE DECISION 1. On 25 August 2021, the Personal Data Protection Commission (the “Commission”) received a complaint that the delivery tracking function (the “Tracking Function Page”) on the website of Budgetcars Pte Ltd (the “Organisation”) could be used to gain access to the personal data belonging to another individual. By changing a few digits of a Tracking ID, the complainant could access the personal data of another individual (the “Incident”). 2. The Organisation is a logistics company delivering parcels to customers (“Customers”) on behalf of retailers (“Retailers”). 3. The personal data of 44,357 individuals had been at risk of unauthorised access. The datasets comprised name, address, contact number and photographs of their signatures. 4. The Tracking Function Page was set up in December 2020 to allow Retailers and Customers to (i) keep track of the delivery status of their parcels; and (ii) confirm the identity of individuals to collect parcels on their behalf (where applicable). The Tracking IDs were generated by Retailers and comprised either sequential or non-sequential numbers. Although generated by Retailers, the Organisation adopted the Tracking IDs for use on its own Tracking Function Page that allowed their customers to track their deliveries, which would disclose personal data listed above. 
The Protection Obligation therefore required the Organisation to ensure that there were reasonable access controls in its use of the Tracking IDs for giving access to an individual’s personal data. 5. The risk of unauthorised access to personal data from altering numerical references, both sequential and non-sequential, has featured in the published decisions of the Commission in Re Fu Kwee Kitchen Catering Services [2016] SGPDPC 14, and more recently, in Re Ninja Logistics Pte. Ltd. [2019] SGPDPC… | Directions | 1018 | { "sum": 0, "max": 0 } |
23 | 33338cd3f9f27be64f6c4942d067dd2671c4dba3 | Directions were issued to Crawfort to conduct a security audit of its technical and administrative arrangements for its AWS S3 environment and rectify any security gaps identified in the audit report. This is pursuant to a data breach incident where Crawfort's customer database was offered for sale on the dark web. | [ "Protection", "Directions", "Finance and Insurance" ] |
14 Jul 2022 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Crawfort-Pte-Ltd---070622.pdf | Protection | Breach of the Protection Obligation by Crawfort | https://www.pdpc.gov.sg/all-commissions-decisions/2022/07/breach-of-the-protection-obligation-by-crawfort | 2022-07-14 | PERSONAL DATA PROTECTION COMMISSION Case No. DP-2106-B8446 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Crawfort Pte. Ltd. SUMMARY OF THE DECISION 1. On 9 June 2021, Crawfort Pte. Ltd. (the “Organisation”) notified the Personal Data Protection Commission (the “Commission”) of the sale of the Organisation’s customer data on the dark web (the “Incident”). 2. The personal data of 5,421 customers was affected. The datasets affected comprised NRIC images (front and back), PDF copies of loan contract (containing all the information in the NRIC, age, email address, contact number and loan amount) and PDF copies of income document (payslip, CPF statements or IRAS Notice of Assessment). 3. The Organisation engaged external cyber security teams to investigate the Incident. The investigation identified an opened S3 server port in the Organisation’s AWS environment as the cause of the Incident. 4. The Organisation explained that it had opened the S3 server port for one week during a data migration exercise sometime on or about 15 April 2020 for business continuity purposes. On 3 April 2020, the Singapore government had announced that the country will enter into a Circuit Breaker to contain the spread of COVID-19. All non-essential workplaces, including the Organisation, had to be closed from 7 April 2020. In order to continue its business, the Organisation had to pivot its operations so as to allow its staff to work from home and its customers to make loan applications remotely. 
Within a very short period, the Organisation had to carry out the data migration exercise and as a result, overlooked conducting a risk assessment prior to conducting the data migration exercise. 5. The opened S3 server port connected directly to the S3 server hosting the S3 buckets, which contained the affected personal data. The open remote port enabled attempts to connect to the Organisation’s AWS environment from the internet. Furthermore, the S3 bucket containing the affected p… | Directions | 1018 | { "sum": 0, "max": 0 } |
24 | c615d8266f2078cb7841df5753d519a4fa566a38 | A financial penalty of $10,000 was imposed on Audio House for failing to put in place reasonable security arrangements to protect the personal data in its possession from a ransomware attack. | [ "Protection", "Financial Penalty", "Wholesale and Retail Trade", "Ransomware" ] |
14 Jul 2022 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Audio-House-Marketing-Pte-Ltd---27052022.pdf | Protection | Breach of the Protection Obligation by Audio House | https://www.pdpc.gov.sg/all-commissions-decisions/2022/07/breach-of-the-protection-obligation-by-audio-house | 2022-07-14 | PERSONAL DATA PROTECTION COMMISSION Case No. DP-2106-B8421 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Audio House Marketing Pte Ltd SUMMARY OF THE DECISION 1. On 1 June 2021, Audio House Marketing Pte Ltd (the “Organisation”) notified the Personal Data Protection Commission (the “Commission”) of a ransomware affecting its customer database (the “Incident”). Approximately 98,000 individuals’ names, addresses, email addresses and telephone numbers, in the nature of contact information, were affected. 2. The Organisation subsequently requested for this matter to be handled under the Commission’s expedited breach decision procedure. This means that the Organisation voluntarily provided and unequivocally admitted to the facts set out in this decision; and admitted that it was in breach of section 24 of the Personal Data Protection Act (the “PDPA”). 3. The Organisation’s internal investigations revealed that PHP files used to develop a web application on the Organisation’s website contained vulnerabilities that allowed the threat actor to carry out a SQL injection attack. The Organisation admitted that it is possible that the vulnerabilities in the PHP files had existed since April 2017, when its website was first launched. Further, even though the Organisation had conducted pre-launch tests prior to the launch of its website, the Organisation admitted that it failed to identify and detect the existing vulnerabilities in the PHP files. 4. SQL injection attacks are well-known vulnerabilities: see “Top Ten” list of the Open Web Application Security Project (OWASP). 
The Commission has consistently advised organisations to take the necessary precautions to guard against the risk of injection attacks (see para. 15.3 of the Commission’s Guide to Securing Personal Data in Electronic Medium, published on 8 May 2015, and revised on 20 January 2017). We note that apart from conducting functionality testing of features such as the shopping cart and payment on i… | Financial Penalty | 1018 | { "sum": 10000, "max": 10000 } |
25 | 8b7eca743bdcf4110f6477c86ed9c732a820639b | A financial penalty of $12,000 was imposed on Terra Systems for failing to put in place reasonable security arrangements to protect the personal data of individuals in its customer relationship management portal in Re Terra Systems Pte Ltd [2021] SGPDPC 7. An application for reconsideration was filed against the decision in Re Terra Systems Pte Ltd [2021] SGPDPC 7. Upon review and careful consideration of the application, the Commissioner had decided to affirm the finding of the breach of section 24 of the PDPA as set out in the decision and the financial penalty in the Reconsideration Decision. | [ "Protection", "Financial Penalty", "Information and Communications" ] |
14 Jul 2022 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Terra-Systems-Pte-Ltd----06082021.pdf | Protection | Breach of the Protection Obligation by Terra Systems | https://www.pdpc.gov.sg/all-commissions-decisions/2022/07/breach-of-the-protection-obligation-by-terra-systems | 2022-07-14 | PERSONAL DATA PROTECTION COMMISSION [2021] SGPDPC 7 Case No DP-2007-B6670 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Terra Systems Pte. Ltd. … Organisation DECISION Terra Systems Pte. Ltd. [2021] SGPDPC 7 Lew Chuen Hong, Commissioner — Case No. DP-2007-B6670 6 August 2021 Introduction 1 On 14 July 2020 and 21 July 2020, a customer relationship management portal (“the Portal”) owned and operated by Terra Systems Pte Ltd (the “Organisation”) containing the personal data of persons served with “Stay-Home Notices”¹ (“SHNs”) was accessed and modified without the Organisation’s authorisation (the “Incident”). 2 On 27 July 2020, the Singapore Police Force notified the Personal Data Protection Commission (“Commission”) of the Incident, and the Commission commenced its own investigations thereafter. Background 3 The Organisation is in the business of providing communication solutions and services, including call centre services, to businesses in Singapore and the region. On 17 June 2020, the Organisation was awarded a government contract to provide call centre services to help verify the whereabouts of persons serving SHNs (“the Call Centre”). 
4 To facilitate the operations of the Call Centre, the Immigration and Checkpoints Authority (“ICA”) provided the Organisation with a daily spreadsheet containing the personal data of persons serving SHNs, including their: (a) Name; (b) Last 4 digits of NRIC; (c) Gender; (d) Contact Number; (e) Last Day of SHN; (f) Address where SHN was served; and (g) COVID-19 Test Appointment dates (collectively, the “SHN Data”) [Footnote 1: Legal notices issued under the Infectious Diseases Act (Cap 137) requiring a person to remain at their place of residence or at a Stay-Home Notice Dedicated Facility at all times for a stipulated period.] 5 The Organisation created the Portal for the purposes of its internal administration of the Call Centre. On account of the movement restrictions in force at the time owing to th… | Financial Penalty | 1020 | { "sum": 24000, "max": 12000 } |
26 | 2b5fed2cbf6f7d8b33476b8f654e973032e28530 | A financial penalty of $67,000 was imposed on Quoine for failing to put in place reasonable security arrangements to protect the personal data in its possession. | [ "Protection", "Financial Penalty", "Finance and Insurance" ] |
14 Jul 2022 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Quoine-Pte-Ltd---08022022.pdf | Protection | Breach of the Protection Obligation by Quoine | https://www.pdpc.gov.sg/all-commissions-decisions/2022/07/breach-of-the-protection-obligation-by-quoine | 2022-07-14 | PERSONAL DATA PROTECTION COMMISSION [2022] SGPDPC 2 Case No. DP-2011-B7409 / DP-2011-B7421 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Quoine Pte Ltd … Organisation DECISION Quoine Pte Ltd [2022] SGPDPC 2 Lew Chuen Hong, Commissioner — Case Nos. DP-2011-B7409 / DP-2011-B7421 8 February 2022 Introduction 1 On 17 November 2020, Quoine Pte Ltd (“the Organisation”) informed the Personal Data Protection Commission (“the Commission”) that its domain manager had transferred control of its domain hosting account to an external actor, who accessed and exfiltrated the personal data of 652,564 of its customers (“the Incident”). The Commission subsequently received a complaint from an individual believed to have been affected in the Incident. 2 The Organisation requested for the investigation to be handled under the Commission’s Expedited Breach Decision procedure. In this regard, the Organisation voluntarily provided and admitted to the facts set out below, and admitted that it had failed to implement reasonable security arrangements to protect the personal data accessed and exfiltrated in the Incident in breach of Section 24 of the Personal Data Protection Act 2012 (“PDPA”). Facts of the Case 3 The Organisation is a company incorporated and based in Singapore, and a subsidiary of Liquid Group Inc., which is incorporated in Japan. The Organisation operates a global cryptocurrency exchange under the “Liquid” brand, and has customers around the world. 
4 At the time of the Incident, the Organisation’s back-end IT infrastructure included the following: (a) Its vendor-procured cloud computing platform (“Cloud Platform”) which it used to run its cryptocurrency exchange platform, and which hosted its cloud computing database; and (b) Its additional cloud computing storage procured from another vendor, which it used to store documents such as Know-Your-Client (“KYC”) documents. 5 The Organisation also engaged a third party domain name registrar (“the D… | Financial Penalty | 1020 | { "sum": 67000, "max": 67000 } |
27 | 672a96ffc42396385fe2b29bd1d18686e4b35275 | Both organisations were found not in breach of the PDPA in relation to complaints regarding alleged collection and disclosure of personal data without consent. | [ "Consent", "Not in Breach", "Real Estate", "No breach" ] |
16 Jun 2022 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---SLP-Scotia-Pte-Ltd-and-SLP-International-Property-Consultants-Pte-Ltd---09042022.pdf | Consent | No Breach of the Consent Obligation by SLP Scotia and SLP International Property Consultants | https://www.pdpc.gov.sg/all-commissions-decisions/2022/06/no-breach-of-the-consent-obligation-by-slp-scotia-and-slp-international-property-consultants | 2022-06-16 | PERSONAL DATA PROTECTION COMMISSION Case No. DP-2007-B6585, DP-2007-B6591, DP-2007-B6594, DP-2007-B6598 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And SLP Scotia Pte. Ltd. SLP International Property Consultants Pte. Ltd. SUMMARY OF THE DECISION 1. Between 10 and 14 July 2020, the Personal Data Protection Commission (the “Commission”) received four complaints against SLP International Property Consultants Pte Ltd (“SLPIPC”) and its subsidiary SLP Scotia Pte Ltd (“SLPS”) (collectively, the “Organisations”). The complainants were property agents registered through SLPS (the “Complainants”). 2. As a merger was due to take place between the Organisations, on 7 July 2020, SLPIPC initiated the registration of salespersons in SLPS as salespersons in SLPIPC with the Council of Estate Agencies (“CEA”). CEA thereafter emailed the Complainants asking them to either initiate a salesperson application to join SLPIPC or disregard the email if they were not interested in registering with SLPIPC (the “Incident”). 3. The Complainants alleged that: a. they had not consented to be contacted for such purposes; and b. SLPS had improperly disclosed their personal data (including NRIC number, date of birth, and home address) to SLPIPC, and SLPIPC had in turn improperly disclosed the data to CEA. 4. CEA is the entity which administers the registration of salespersons (such as the Complainants) under the Estate Agents Act 2010 (“EAA”). 
Pursuant to section 29(1) of the EAA, a person may not act as a salesperson for any estate agent unless he or she is registered; the said register is maintained by the CEA pursuant to section 36 of the EAA. Further, under section 40(1) of the EAA, a salesperson may not be registered to act as a salesperson for more than one estate agent at any one time. 5. SLPIPC disclosed the personal data of the Complainants to CEA for the purposes of the change in registration from SLPS to SLPIPC. In doing so, SLPIPC was complying with its obligations under the… | Not in Breach | 1020 | { "sum": 0, "max": 0 } |
28 | da6d8226998222d9ecd94b71c060b10d1c027425 | Aman was found not in breach of the PDPA in relation to an incident involving unauthorised access to its servers and exfiltration of personal data. Aman had employed reasonable security arrangements and technical measures to protect its data. | [ "Protection", "Not in Breach", "Accommodation and F&B" ] |
16 Jun 2022 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision--Aman-Group-Sarl-and-or-Amanresort-International-Pte-Ltd--28022022.pdf | Protection | No Breach of the Protection Obligation by Aman Group S.a.r.l and Amanresort International | https://www.pdpc.gov.sg/all-commissions-decisions/2022/06/no-breach-of-the-protection-obligation-by-aman-group | 2022-06-16 | PERSONAL DATA PROTECTION COMMISSION Case No. DP-2012-B7506 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Aman Group S.a.r.l and/or Amanresort International Pte Ltd SUMMARY OF THE DECISION 1. On 5 December 2020, the Personal Data Protection Commission (the “Commission”) received a notification from SingCERT of a personal data breach involving Aman Group S.a.r.l (“Aman Group”) and/or Amanresort International Pte Ltd (“Aman SG”). 9 systems in London and 2 systems in Singapore were compromised and files containing personal data exfiltrated (the “Incident”). 2. As a result of the Incident, personal data of approximately 2,500 individuals which included their name, date of birth, address, email address, phone number and profession were affected. 3. The Aman Group engaged an external cybersecurity company, Ankura Consulting, to investigate the Incident. Its investigations found that the threat actor(s) had gained unauthorised access into 11 systems, which included 9 servers based in London and 2 servers based in Singapore. 4. While the investigations did not uncover any evidence of what the initial method and point of entry were, the most likely scenario is that the threat actor had initially entered via the London based systems. This is because the suspicious activities were first detected in the London systems. Thereafter, the threat actor subsequently gained access to the 2 Singapore based servers by creating administrator account credentials. 
There was no evidence that the firewalls in the Singapore based servers were breached. 5. Investigations could not conclusively exclude the possibility that data may have been exfiltrated from one of the Singapore based servers. However, analysis conducted by the Aman Group on four extracts obtained from the threat actor(s) failed to establish any conclusive links between the extracts and the current database in the affected Singapore based server. 6. Investigations further revealed that any exfiltrat… | Not in Breach | 1020 | { "sum": 0, "max": 0 } |
29 | 66868e4f3be47f083e17850acba65d9b54dfaaee | Ngian Wen Hao Dennis, Chua Puay Hwa Melissa and Winarto were found in breach of the PDPA and issued warnings in relation to two incidents involving the unauthorised collection and disclosure of individuals’ personal data in 2019 and 2020. | [ "Consent", "Notification", "Warning", "Finance and Insurance" ] |
16 Jun 2022 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Dennis-Ngian--Others---08032022.pdf | Consent, Notification | Breach of the Consent and Notification Obligations by three insurance financial advisers | https://www.pdpc.gov.sg/all-commissions-decisions/2022/06/breach-of-the-consent-and-notification-obligations-by-three-insurance-financial-advisers | 2022-06-16 | PERSONAL DATA PROTECTION COMMISSION Case No. DP-2109-B8857 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And (1) Ngian Wen Hao Dennis (2) Chan Puay Hwa Melissa (3) Winarto (4) Aviva Financial Advisers Pte Ltd SUMMARY OF THE DECISION 1. On 7 September 2021, the Personal Data Protection Commission (the “Commission”) was notified of two incidents involving unauthorised disclosure and collection of personal data by three individuals. 2. Ngian Wen Hao Dennis (“Dennis”) was an Aviva Financial Advisers Pte Ltd (“AFA”) representative between December 2017 and February 2019. In March 2019 and August 2020, Dennis approached two insurance financial advisers, Chua Puay Hwa Melissa (“Melissa”) and Winarto, to offer them a list of client leads, stating that he was leaving the insurance industry and looking for a reliable agent to take over his clientele. Melissa and Winarto each said they paid $1,000 to Dennis for the list (the “Incidents”). 3. The list contained approximately 1,000 clients’ names, mailing addresses, contact numbers and the names of organisations underwriting the hospitalisation plans bought by the clients (“Personal Data Sets”). 4. The PDPA defines “organisations” to include individuals. As held in Re Sharon Assya Qadriyah Tang¹, individuals who collect, use or disclose personal data otherwise than in a personal or domestic capacity will be treated as organisations within the meaning of the Act, and are obliged to comply with the Data Protection Provisions. 
In this case, we are of the view that it is clear that Dennis, Melissa and Winarto can be regarded as an “organisation” as defined under the PDPA for a number of reasons. First, the trio had bought and sold the client leads for work and business purposes, with the aim of generating an income or profit, and cannot be said to have been acting in a personal or domestic capacity. 5. Second, Dennis, Melissa and Winarto were not employees. In Re Ang Rui Song², the Commission found that the respondent, … | Warning | 1020 | { "sum": 0, "max": 0 } |
30 | 9f6c7da9d327e5a10c452ec1e53652f74d388da1 | A financial penalty of $22,000 was imposed on Vhive for failing to put in place reasonable security arrangements to protect the personal data in its possession from a ransomware attack. | [ "Protection", "Financial Penalty", "Wholesale and Retail Trade", "Ransomware" ] | 16 Jun 2022 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Vhive-Pte-Ltd---08032022.pdf | Protection | Breach of the Protection Obligation by Vhive | https://www.pdpc.gov.sg/all-commissions-decisions/2022/06/breach-of-the-protection-obligation-by-vhive | 2022-06-16 | PERSONAL DATA PROTECTION COMMISSION Case No. DP-2013-B8138 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Vhive Pte Ltd SUMMARY OF THE DECISION 1. On 26 March 2021, Vhive Pte Ltd (the “Organisation”) notified the Personal Data Protection Commission (the “Commission”) of a ransomware attack that affected its customer database (the “Incident”). Approximately 186,281 individuals’ names, addresses, email addresses, telephone numbers, hashed passwords and customer IDs were affected. 2. The Organisation subsequently requested for this matter to be handled under the Commission’s expedited breach decision procedure. This means that the Organisation voluntarily provided and unequivocally admitted to the facts set out in this decision, and admitted that it was in breach of section 24(a) of the Personal Data Protection Act (the “PDPA”). 3. The Organisation’s forensic investigation results revealed that the Organisation’s IT infrastructure had been outdated, with multiple vulnerabilities at the time of the Incident. The Organisation’s e-commerce server ran on an outdated webserver service. This, together with an unpatched firewall, allowed the threat actor to remotely execute unauthorised code on the e-commerce server, and gain backdoor access to the e-commerce server to carry out the ransomware attack. 4. The Organisation had engaged an IT vendor to host, manage and maintain the e-commerce server and all its other IT systems. However, our investigations revealed that despite the purported “engagement”, there was in fact no written contract between the Organisation and its IT vendor at the time of the Incident. 5. In Re Spize Concepts Pte Ltd [2019] SGPDPC 22 at [22], we had stated that section 4(2) of the PDPA imposes on organisations that engage data intermediaries to do so “pursuant to a contract which is evidenced or made in writing”. In that case, we also highlighted that one specific category of policies and practices under section 12(a) of the PDPA … | Financial Penalty | 1020 | { "sum": 22000, "max": 22000 } |
31 | bf80dcb560a14e6eea5a07e7f6aaa820bf5f1bea | Warnings were issued to Toll Logistics (Asia), Toll Global Forwarding, Toll Offshore Petroleum Services, and Toll (TZ) for breaches of the PDPA in relation to the transfer of employees’ personal data to a human resources software vendor in Ireland. | [ "Transfer Limitation", "Warning", "Transport and Storage" ] | 19 May 2022 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision--Toll-Logistics-Asia-Limited-and-others--180322.pdf | Transfer Limitation | Breach of the Transfer Limitation Obligation by Toll Logistics (Asia) and others | https://www.pdpc.gov.sg/all-commissions-decisions/2022/05/breach-of-the-transfer-limitation-obligation-by-toll-logistics-and-others | 2022-05-19 | PERSONAL DATA PROTECTION COMMISSION [2022] SGPDPC 4 Case No. DP-2008-B6707 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And (1) Toll Logistics (Asia) Limited (2) Toll Global Forwarding (Singapore) Pte. Limited (3) Toll Offshore Petroleum Services Pte. Ltd. (4) Toll (TZ) Pte. Ltd. … Organisations DECISION Toll Logistics (Asia) Limited and others [2022] SGPDPC 4 Yeong Zee Kin, Deputy Commissioner — Case No. DP-2008-B6707 14 March 2022 Introduction 1 Toll Holdings Limited (“Toll Holdings”) is an integrated logistics services provider headquartered in Australia. Toll Logistics (Asia) Limited (“Toll Logistics”), Toll Global Forwarding Singapore Pte. Ltd. (“Toll Forwarding”), Toll Offshore Petroleum Services Pte. Ltd. (“Toll Offshore”), and Toll (TZ) Pte. Ltd. (“Toll TZ”) are Singapore-registered entities (collectively, “the Organisations”) that are part of a multinational group of companies headed by Toll Holdings (“the Group”). 2 On 11 June 2020, Toll Holdings notified the Personal Data Protection Commission (“the Commission”) of a ransomware attack which had affected the Group’s IT systems, including servers in Australia and Singapore containing the personal data of current and former employees of the Organisations (“the Incident”). The Commission subsequently received complaints from 3 former employees of Toll Logistics in relation to the Incident. Investigations were commenced to determine whether the circumstances relating to the Incident disclosed any breaches by the Organisations of the Personal Data Protection Act 2012 (“PDPA”). Facts of the Case 3 In July 2013, Toll Holdings contracted with a vendor in Ireland (“the HR Vendor”) for the Group’s use of the HR Vendor’s human resources software platform (“the HR Platform”). To facilitate use of the common HR Platform, the respective Group entities (including the Organisations) uploaded the personal data of their employees to the HR Platform. The data uploaded to the HR Platform was hosted by the HR… | Warning | 1020 | { "sum": 0, "max": 0 } |
32 | 2a753e3933db125c17c6634b6923716f951bfaba | A financial penalty of $2,000 was imposed on Southaven Boutique for failing to put in place reasonable security arrangements to prevent the unauthorised access of its customers' personal data in its Point-Of-Sale system server. An application for reconsideration was filed against the Decision Re Southaven Boutique Pte Ltd. Upon review and careful consideration of the application, the direction in the Decision was varied and the financial penalty imposed was reduced. | [ "Protection", "Financial Penalty", "Wholesale and Retail Trade", "Ransomware" ] | 19 May 2022 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Southaven-Boutique-Pte-Ltd---280222.pdf | Protection | Breach of Protection Obligation by Southaven Boutique | https://www.pdpc.gov.sg/all-commissions-decisions/2022/05/breach-of-protection-obligation-by-southaven-boutique | 2022-05-19 | PERSONAL DATA PROTECTION COMMISSION Case No. DP-2102-B7854 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Southaven Boutique Pte Ltd Editorial note: An application for reconsideration was filed against the decision in Re Southaven Boutique Pte Ltd. Pursuant to this application, the Deputy Commissioner has decided to reduce the financial penalty imposed on the Organisation from $5,000 to $2,000. As the application did not give rise to significant legal or factual issues, a separate decision on the application will not be published. SUMMARY OF THE DECISION 1. On 5 February 2021, Southaven Boutique Pte Ltd (the “Organisation”), a brick-and-mortar retailer of clothes and accessories, informed the Personal Data Protection Commission (the “Commission”) of a ransomware attack that occurred on or about 4 February 2021 (the “Incident”). A threat actor had gained access to the Organisation’s Point-Of-Sale (the “POS”) system server and encrypted the personal data of 4,709 customers. The personal data affected include names, addresses, email addresses, contact numbers and date of birth. 2. Investigations revealed that the Organisation did not implement adequate administrative and technical security arrangements. First, the Organisation failed to conduct or schedule any software updates, maintenance and/or security review before the Incident. Past decisions by the Commission had stressed the need for such security arrangements. The Organisation’s operating system and anti-virus software, for example, were outdated and updated only after the Incident. 3. Second, the Organisation had failed to set out any data protection requirements or responsibilities with the POS vendor whom the Organisation had engaged to supply and install the POS, and relied on for system service issues. This meant that the Organisation did not in fact engage the POS vendor to provide the necessary maintenance support. As the Organisation continued to seek the POS vendor’s assistance for any system… | Financial Penalty | 1020 | { "sum": 5000, "max": 5000 } |
33 | 58257503a1d923543f0f020776b2656a802d6bb8 | A financial penalty of $12,500 was imposed on PINC for failing to put in place reasonable security arrangements to protect the personal data in its possession. Directions were also issued to PINC to develop and implement internal data protection policies and practices to comply with the PDPA and to ensure no copies of the database were stored on employees' personal computers. | [ "Accountability", "Protection", "Financial Penalty", "Directions", "Wholesale and Retail Trade", "No Policy" ] | 19 May 2022 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---PINC-Interactive-Pte-Ltd---04022022.pdf | Accountability, Protection | Breach of the Accountability and Protection Obligations by PINC Interactive | https://www.pdpc.gov.sg/all-commissions-decisions/2022/05/breach-of-the-accountability-and-protection-obligations-by-pinc-interactive | 2022-05-19 | PERSONAL DATA PROTECTION COMMISSION [2022] SGPDPC 1 Case No. DP-2002-B5827 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And PINC Interactive Pte. Ltd. … Organisation DECISION PINC Interactive Pte. Ltd. [2022] SGPDPC 1 Lew Chuen Hong, Commissioner — Case No. DP-2002-B5827 4 February 2022 Introduction 1 On 2 February 2020, the Personal Data Protection Commission (“the Commission”) received feedback about a Twitter post dated 31 January 2020 which revealed that the personal data of users of www.pincstyle.com had been exposed. The tweet included a snapshot of the data (“the Incident”). The Commission commenced investigations into the Incident thereafter. Facts of the Case 2 The website www.pincstyle.com was created and managed by PINC Interactive Pte. Ltd. (“the Organisation”) at the material time. Investigations revealed that sometime in October 2019, a database comprising 252,813 records was accessed and exfiltrated from the Organisation’s staging servers (the “Staging Database”). The Staging Database is a synthetic database containing personal data of 3,916 actual users, while the remaining 248,897 records were fake or “dummy” data modelled after the real data. The synthetic database was used to facilitate development and testing on the staging servers. The personal data from the 3,916 actual users that were exposed in the Incident included the name, username, email address, contact number (for some users) and a password hash. For completeness, the 3,916 user records in the Staging Database are equivalent to 1.6% of the Organisation’s total database of 252,813 user records. 3 Investigations revealed two likely causes of the Incident. First, the developers, who are the Organisation’s employees, had retained a copy of the Staging Database on their own personal devices, and the database was exfiltrated when the developers’ computers were compromised. The Organisation stated that while they had instructed the developers to use … | Financial Penalty, Directions | 1020 | { "sum": 12500, "max": 12500 } |
34 | 888139fae1bc74d4bc2dc9f8c48fd515822c40e6 | A financial penalty of $24,000 was imposed on Lovebonito for failing to put in place reasonable security to protect personal data in its possession. The incident resulted in the personal data being accessed and exfiltrated. | [ "Protection", "Financial Penalty", "Wholesale and Retail Trade", "Password policy" ] | 19 May 2022 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision--Lovebonito-Singapore-Pte-Ltd--21022022.pdf | Protection | Breach of the Protection Obligation by Lovebonito | https://www.pdpc.gov.sg/all-commissions-decisions/2022/05/breach-of-the-protection-obligation-by-lovebonito | 2022-05-19 | PERSONAL DATA PROTECTION COMMISSION [2022] SGPDPC 3 Case No. DP-1912-B5484 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Lovebonito Singapore Pte. Ltd. … Organisation DECISION Lovebonito Singapore Pte. Ltd. [2022] SGPDPC 3 Lew Chuen Hong, Commissioner — Case No. DP-1912-B5484 21 February 2022 Introduction 1 On 12 December 2019, Lovebonito Singapore Pte. Ltd (the “Organisation”) informed the Personal Data Protection Commission (“Commission”) that one of its IT systems had been hacked, and that the personal data of 5,561 of its customers had been accessed and exfiltrated by a malicious actor (the “Incident”). The Commission subsequently received two separate complaints from individuals affected in the Incident. Facts of the Case 2 The Organisation operates an e-commerce platform (the “Website”) retailing clothing and accessories. At the material time, the Organisation employed, amongst others, two third-party solutions to manage the Website. First, the Organisation employed Magento Cloud, a cloud-based service, to host and run the Website. Magento Cloud includes the Magento Content Management System (“Magento CMS”), an open-source e-commerce management software, which the Organisation used to change and update the Website. Second, the Organisation used a payment platform offered by Adyen N.V. (“Adyen”) to facilitate credit card payments on the Website. When a customer indicated that they intended to pay for their purchases via credit card, Adyen’s platform would load directly from their servers as a frame within the “checkout” page of the Website (the “Checkout Page”). 3 Customers would then input the below details into Adyen’s frame, and Adyen would directly collect these details and process the credit card payment: (a) Full credit card number; (b) Expiry date of the credit card; (c) The CVV number of the credit card; and (d) Customer’s billing address (collectively, the “Credit Card Data”) 4 Once Adyen has processed the credit card p… | Financial Penalty | 1020 | { "sum": 24000, "max": 24000 } |
35 | 34ecb3992fd178d97e8672c767568a4a743f4e64 | Royal Caribbean Cruises (Asia) was found not in breach of the PDPA in relation to a coding error in a business software which resulted in emails containing personal data being sent to unintended recipients. | [ "Protection", "Not in Breach", "Arts, Entertainment and Recreation", "Software", "Unintended recipient" ] | 19 May 2022 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision--Royal-Caribbean-Cruises-Asia-Pte-Ltd--130819.pdf | Protection | No Breach of the Protection Obligation by Royal Caribbean Cruises (Asia) | https://www.pdpc.gov.sg/all-commissions-decisions/2022/05/no-breach-of-the-protection-obligation-by-royal-caribbean-cruises | 2022-05-19 | PERSONAL DATA PROTECTION COMMISSION Case No. DP-1804-B1931 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Royal Caribbean Cruises (Asia) Pte. Ltd. SUMMARY OF THE DECISION 1. On 5 April 2018, the Personal Data Protection Commission (“Commission”) commenced investigation against Royal Caribbean Cruises (Asia) Pte Ltd (the “Organisation”) after receiving a complaint from a member of the public (the “Complaint”). The complainant stated that she had received the personal data of unrelated individuals in an email payment reminder sent by the Organisation. 2. Investigations revealed that, from 8 February 2018 to 4 April 2018, the personal data of 526 individuals were inadvertently disclosed to other unrelated members of the public via unintended email payment reminders (the “Data Breach Incident”). The personal data disclosed included booking IDs, ship codes, sailing dates, names, net amounts due, amounts paid, balance due and the balance due date (the “Affected Personal Data”). 3. The Organisation is part of the Royal Caribbean Group, and is the wholly owned subsidiary and data intermediary of the USA-based Royal Caribbean Cruises Ltd (Liberia) (“RCL”). It is responsible for the following business functions on behalf of RCL: (a) Conducting sales and marketing activities on behalf of the cruise ship operators of the Royal Caribbean Group, including RCL; (b) Taking cruise bookings from Singapore-based customers of RCL; (c) Administering a loyalty membership programme on behalf of RCL; and (d) Collecting payments from Singapore-based customers of RCL who made their bookings via walk-in, roadshows and online bookings at the Royal Caribbean Group’s Singapore website. 4. RCL’s branch office in the Philippines (“RCL Philippines”) provides IT support to entities within the Royal Caribbean Group, and does not have a separate legal identity from RCL. On 1 January 2017, the Organisation entered into an operative intercompany agreement with RCL Philippines for the provis… | Not in Breach | 1020 | { "sum": 0, "max": 0 } |
36 | 33f29d75b8f2b8dd16f458a3b01ea9ae02df0c0a | Singtel was found not in breach of the PDPA in relation to an incident which occurred on or about 20 January 2021 whereby threat actor(s) exfiltrated personal data by exploiting zero-day vulnerabilities of a third party file transfer appliance. | [ "Protection", "Not in Breach", "Information and Communications" ] | 19 May 2022 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Singapore-Telecommunication-Limited---101221.pdf | Protection | No Breach of the Protection Obligation by Singapore Telecommunications (Singtel) | https://www.pdpc.gov.sg/all-commissions-decisions/2022/05/no-breach-of-the-protection-obligation-by-singapore-telecommunications | 2022-05-19 | PERSONAL DATA PROTECTION COMMISSION Case No. DP-2102-B7878 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Singapore Telecommunication Limited SUMMARY OF THE DECISION 1. On 10 February 2021, Singapore Telecommunication Limited (the “Organisation”) notified the Personal Data Protection Commission (the “Commission”) of a personal data breach that had occurred through the exploitation of zero-day vulnerabilities in a File Transfer Appliance (“FTA”) provided by a third party system (the “Incident”). 2. As a result of the Incident, 9,921 files containing personal data were exfiltrated. The personal data of 163,370 individuals which included their name, NRIC number, FIN, UIN, nationality, date of birth, address, email address, mobile number, photograph, staff, company pass or ID, bank account number, credit card information (with expiry date), billing information, and vehicle number were affected. 3. The Organisation engaged an external cybersecurity company, FireEye Mandiant, to investigate the Incident. Its investigations found that the threat actors had exploited two (2) zero-day vulnerabilities of the FTA to gain unauthorised access to the FTA’s MySQL database and subsequent file downloading. 4. Investigations revealed that the Organisation had a license to use the FTA with the FTA developer, Accellion Pte Ltd (“Accellion”). Accellion was the only party that had access to the proprietary source code to the FTA system. Accordingly, the discovery and rectification of the zero-day vulnerabilities within the FTA system fell within the sole responsibility and control of the developer. We are of the view that the Organisation could not have detected or prevented the incident as it had no control or visibility of the zero-day vulnerability of the FTA. 5. The Organisation had provided and made reasonable security arrangements to protect personal data in its possession and/or control in relation to the Incident. The Organisation maintained th… | Not in Breach | 1020 | { "sum": 0, "max": 0 } |
37 | 3f8e32fc2a641e3b8cff4f4113078f1d64033232 | Directions were issued to ACL Construction (S) for breach of the PDPA in relation to failure to appoint a data protection officer and no policies and practices in place to comply with the PDPA. | [ "Accountability", "Directions", "Construction", "No DPO" ] | 21 Apr 2022 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision--ACL-Construction-S-Pte-Ltd--030222.pdf | Accountability | Breach of Accountability Obligation by ACL Construction (S) | https://www.pdpc.gov.sg/all-commissions-decisions/2022/03/breach-of-accountability-obligation-by-acl-construction | 2022-04-21 | PERSONAL DATA PROTECTION COMMISSION Case No. DP-2107-B8598 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And ACL Construction (S) Pte Ltd SUMMARY OF THE DECISION 1. On 2 June 2021, the Personal Data Protection Commission (the “Commission”) was notified that data from ACL Construction (S) Pte Ltd (the “Organisation”), a company that provides pre-fabricated structures, structural steel products and construction services, was being offered for sale on the dark web by one “Prometheus” (the “Incident”). 2. Investigations revealed that a few days ago, three ACL staff (a designer and two sales executives) had experienced difficulties when they tried to log in to access their files. Thereafter, the ACL staff discovered that the files had been encrypted. The Organisation then sought external IT support. 3. The Organisation informed the Commission that the affected files contained the following data related to their projects: (i) Quotation folder – quotations (to clients and from suppliers), delivery orders, invoices and other supporting documents; (ii) Common folder – project documents and photographs; and (iii) Drawing folder – CAD drawings. 4. Our investigations revealed that the affected files contained the names of the Organisation’s customers, the relevant liaison person, their business contact number(s) and/or business email(s). As the names, business contact numbers and business emails were not provided by the individuals concerned for a personal purpose, they would constitute “business contact information” as defined under the Personal Data Protection Act (“PDPA”), and fall outside the scope of the Act by virtue of section 4(5) of the PDPA. Accordingly, while the Organisation may have suffered a data breach, no personal data was in fact affected. 5. This finding alone would have brought the matter to a close. However, in the course of our investigations, the Commission found out that the Organisation had failed to designate one or more individuals,… | Directions | 1020 | { "sum": 0, "max": 0 } |
38 | 91c562e8b5d6fa15fe215b2a1a5e8d95fc80348b | A financial penalty of $35,000 was imposed on GeniusU for failing to put in place reasonable security arrangements to prevent the unauthorised access and exfiltration of individuals' personal data stored in its staging database. | [ "Protection", "Financial Penalty", "Education" ] | 21 Apr 2022 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---GeniusU-Pte-Ltd--180122.pdf | Protection | Breach of the Protection Obligation by GeniusU | https://www.pdpc.gov.sg/all-commissions-decisions/2022/03/breach-of-the-protection-obligation-by-geniusu | 2022-04-21 | PERSONAL DATA PROTECTION COMMISSION Case No. DP-2101-B7725 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And GeniusU Pte. Ltd. SUMMARY OF THE DECISION 1. On 12 January 2021, GeniusU Pte. Ltd. (the “Organisation”) notified the Personal Data Protection Commission (the “Commission”) of unauthorized access and exfiltration of a staging application database (the “Database”) holding personal data (the “Incident”). 2. The personal data of approximately 1.26 million users were affected. The datasets affected comprised first and last name, email address, location and last sign-in IP address. 3. The Organisation’s internal investigations revealed that the likely cause of the Incident was compromise of one of its developer’s passwords, either because the developer used a weak password for his GitHub account or the password for his GitHub account had been compromised. This allowed the threat actor to enter the Organisation’s GitHub environment. As the Organisation had stored the login credentials to the Database in the codebase in its GitHub environment, the threat actor was able to gain access to and exfiltrate personal data stored in the Database. 4. The Organisation took the following remedial measures after the Incident: a. Rotated the credentials of the Database; b. Removed all hard-coded credentials from the codebase; c. Purged all existing website sessions; d. Removed all personal data from non-production environment servers; e. Implemented multi-factor authentication on all work-related accounts; f. Implemented a standardised cyber security policy and related procedures for all staff; and g. Notified users and the GDPR data authority (Ireland) of the Incident. 5. The Commission accepted the Organisation’s request for this matter to be handled under the Commission’s expedited breach decision procedure. This meant that the Organisation had voluntarily provided and unequivocally admitted to the facts set out in this decision. The Organisat… | Financial Penalty | 1020 | { "sum": 35000, "max": 35000 } |
39 | 34b0a0cb61c9a6878b1064ce6de838176f7359f9 | A financial penalty of $20,000 was imposed on Trinity Christian Centre for failing to put in place reasonable security arrangements to prevent the unauthorised access of individuals' personal data hosted in its database servers. | [ "Protection", "Financial Penalty", "Arts, Entertainment and Recreation", "Ransomware", "Remote Desktop Protocol" ] | 21 Apr 2022 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Trinity-Christian-Centre-Limited---03022022.pdf | Protection | Breach of the Protection Obligation by Trinity Christian Centre | https://www.pdpc.gov.sg/all-commissions-decisions/2022/03/breach-of-the-protection-obligation-by-trinity-christian-centre | 2022-04-21 | PERSONAL DATA PROTECTION COMMISSION Case No. DP-2009-B7057 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Trinity Christian Centre Limited SUMMARY OF THE DECISION 1. On 11 March 2021, Trinity Christian Centre Limited (the “Organisation”) notified the Personal Data Protection Commission (the “Commission”) that its database servers containing personal data were infected with ransomware on or around 17 February 2021 (the “Incident”). 2. The Organisation subsequently requested for this matter to be handled under the Commission’s expedited breach decision procedure. In this regard, the Organisation voluntarily provided and unequivocally admitted to the facts set out in this decision. It also admitted that it was in breach of section 24 of the Personal Data Protection Act (the “PDPA”). The Incident 3. The Organisation runs Trinity Christian Church in Singapore. 4. At the time of the Incident, the database servers contained 72,285 individuals’ data. The types of data affected for each individual varied, and included at times an individual’s name, full identification number, residential address, contact number, email address, photograph, date of birth, age, marital status, education level, and/or description of medical condition (if applicable). 5. Investigations by the Organisation revealed that the Organisation maintained an open and publicly exposed remote desktop protocol port. This allowed a threat actor with access to compromised administrator account credentials to enter the Organisation’s network and database servers to execute a ransomware attack on 17 February 2021, rendering the databases inaccessible. 6. The Organisation managed to restore the affected databases from its back-up copies. Based on the Organisation’s investigations, there was no evidence to suggest that the threat actor exfiltrated the Organisation’s databases. The Organisation’s Admission 7. The Organisation admitted that it had breached the Protection Obligation under section 24 o… | Financial Penalty | 1020 | { "sum": 20000, "max": 20000 } |
40 | fbd1ea4716cc1ec845cae07466e7ad1dc9a75e60 | A financial penalty of $21,000 was imposed on Neo Yong Xiang for using his customers' personal data to register for prepaid SIM cards without their consent. The SIM cards were subsequently sold to anonymous individual(s) who used them to send specified messages in contravention of the Do Not Call provisions of the PDPA. | [ "Consent", "Financial Penalty", "Others" ] | 10 Mar 2022 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Neo-Yong-Xiang---29102021.pdf | Consent | Breach of the Consent and Purpose Limitation Obligations by Neo Yong Xiang trading as Yoshi Mobile | https://www.pdpc.gov.sg/all-commissions-decisions/2022/03/breach-of-the-consent-and-purpose-limitation-obligations-by-neo-yong-xiang-trading-as-yoshi-mobile | 2022-03-10 | PERSONAL DATA PROTECTION COMMISSION [2021] SGPDPC 12 Case No. DP-2013-B8088 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Neo Yong Xiang (trading as Yoshi Mobile) … Organisation DECISION Neo Yong Xiang (trading as Yoshi Mobile) Lew Chuen Hong, Commissioner — Case No. DP-2013-B8088 29 October 2021 Introduction 1. When customers purchased pre-paid SIM cards from a mobile phone shop at Geylang Road, they would not have anticipated that their personal data would be misused to register additional SIM cards for illegal sale. Unfortunately, this was exactly what happened to at least 78 individuals who purchased pre-paid M1 SIM cards from one Mr Neo Yong Xiang (“NYX”), the sole proprietor of Yoshi Mobile (“YM”). 2. The Commission observed that between January 2020 and November 2020, there were 3,636 Do Not Call (“DNC”) complaints from persons who received specified messages even though their telephone numbers are registered with the DNC register. [Footnote 1: Under Section 43 of the PDPA, a person is not allowed to send specified messages to a Singapore telephone number registered with the DNC register unless the person has, at the time where he sends the specified message, valid confirmation that the Singapore telephone number is not listed in the DNC register.] Further analysis revealed that 1,379 of the messages were sent from 98 SIM cards registered at YM. The Commission initiated investigations against NYX (trading as YM) for suspected breaches of the Personal Data Protection Act 2012 (“PDPA”). Facts of the Case 3. NYX has operated YM since 2013. As an exclusive retailer of M1 SIM cards, NYX was provided a terminal device installed at YM’s premises for the purposes of SIM card registration (the “M1 Terminal Device”). SIM card registration had to be carried out in accordance with the conditions of M1’s telecommunications licence granted under Section 5 of the Telecommunications Act (Chapter 323). The typical SIM card registration process in YM would be a… | Financial Penalty | 1020 | { "sum": 56000, "max": 35000 } |
41 | 7472c1fb33715cd896936107281368b2da535b74 | A financial penalty of $4,000 was imposed on Tanah Merah Country Club for failing to put in place reasonable security to protect personal data in its possession. The incident resulted in personal data being accessed. | [ "Protection", "Financial Penalty", "Arts, Entertainment and Recreation", "Email", "Password policy" ] |
18 Feb 2022 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Tanah-Merah-Country-Club---20122021.pdf | Protection | Breach of the Protection Obligation by Tanah Merah Country Club | https://www.pdpc.gov.sg/all-commissions-decisions/2022/02/breach-of-the-protection-by-tanah-merah-country-club | 2022-02-18 | PERSONAL DATA PROTECTION COMMISSION Case No. DP-2102-B7951 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Tanah Merah Country Club SUMMARY OF THE DECISION 1. On 24 February 2021, Tanah Merah Country Club (the “Organisation”) notified the Personal Data Protection Commission (the “Commission”) that an employee’s (the “Employee”) email account had been compromised and 600 phishing emails had been sent to various individuals on 22 February 2021 (the “Incident”). 2. The Organisation subsequently requested for this matter to be handled under the Commission’s expedited breach decision procedure. This meant that the Organisation voluntarily and unequivocally admitted to the facts set out within this decision. It also admitted that it was in breach of section 24 of the Personal Data Protection Act (the “PDPA”). 3. The Organisation’s investigations revealed that it was likely that the Organisation’s email accounts had been subjected to password spraying attacks. Password spraying is a type of password attack where a threat actor uses a few commonly used or default passwords against many different accounts. In contrast to traditional brute-force attacks, where the targeted account may quickly get lockedout due to account-lockout policies that only allow for a limited number of failed attempts, password spraying attacks allow a threat actor to mount an attack against many accounts with a single commonly used password, while remaining undetected, before attempting the second password. 
At the time of the Incident, the Employee was using the password “TMCC@1234”, which the Employee had not changed for a period of nearly 5 years, since 2016 to the time of the Incident on 22 February 2021. 4. After gaining access to the Employee’s email account, the threat actor accessed the personal data of 467 individuals, including: a. The email addresses of 155 club members and 284 members of public, which the threat actor had used to send phishing emails to. b. The name, and/or NRIC … | Financial Penalty | 1020 | { "sum": 4000, "max": 4000 } |
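The password-spraying pattern described in the Tanah Merah decision above, as an added example that is not part of the decision or of this dataset: a small Python detector run over constructed sign-in log lines (the addresses and accounts are made up) showing why a per-account lockout threshold never fires against a spray, while counting distinct accounts per source does, and which accounts the sprayer then logged into.

```python
"""Password-spraying detection over sign-in logs (added example; sample data is constructed)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events: timestamp, source IP, account, result.
# 203.0.113.7 tries one password against six accounts (a spray); 198.51.100.9
# hammers a single account (classic brute force); 192.0.2.44 is a user who mistyped once.
SAMPLE_LOG = """\
2021-02-22T01:00:01Z 203.0.113.7 alice@example.org FAIL
2021-02-22T01:00:04Z 203.0.113.7 bob@example.org FAIL
2021-02-22T01:00:07Z 203.0.113.7 carol@example.org FAIL
2021-02-22T01:00:10Z 203.0.113.7 dave@example.org FAIL
2021-02-22T01:00:13Z 203.0.113.7 erin@example.org FAIL
2021-02-22T01:00:16Z 203.0.113.7 frank@example.org SUCCESS
2021-02-22T01:05:00Z 198.51.100.9 alice@example.org FAIL
2021-02-22T01:05:30Z 198.51.100.9 alice@example.org FAIL
2021-02-22T01:06:00Z 198.51.100.9 alice@example.org FAIL
2021-02-22T01:06:30Z 198.51.100.9 alice@example.org FAIL
2021-02-22T01:07:00Z 198.51.100.9 alice@example.org FAIL
2021-02-22T01:07:30Z 198.51.100.9 alice@example.org FAIL
2021-02-22T02:30:00Z 192.0.2.44 grace@example.org FAIL
2021-02-22T02:31:00Z 192.0.2.44 grace@example.org SUCCESS
"""


def parse_events(log_text):
    """Parse the space-separated lines into (timestamp, ip, account, result) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, ip, account, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, account, result))
    return events


def lockout_candidates(events, threshold=5):
    """Accounts a per-account lockout policy would lock: >= threshold failures on one account.
    This catches the brute-force target but not the spray, whose victims fail only once each."""
    failures = defaultdict(int)
    for _, _, account, result in events:
        if result == "FAIL":
            failures[account] += 1
    return sorted(a for a, n in failures.items() if n >= threshold)


def detect_spraying(events, window=timedelta(minutes=10), min_accounts=5):
    """Source IPs that fail against >= min_accounts distinct accounts inside a sliding window.
    Returns {ip: number_of_distinct_accounts} for each flagged source."""
    failures_by_ip = defaultdict(list)
    for ts, ip, account, result in events:
        if result == "FAIL":
            failures_by_ip[ip].append((ts, account))
    flagged = {}
    for ip, attempts in failures_by_ip.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            accounts = {a for t, a in attempts[i:] if t - start <= window}
            if len(accounts) >= min_accounts:
                flagged[ip] = len(accounts)
                break
    return flagged


def successes_from(events, ips):
    """Accounts that a flagged source logged into: the ones to treat as compromised."""
    return sorted({account for _, ip, account, result in events
                   if ip in ips and result == "SUCCESS"})


if __name__ == "__main__":
    ev = parse_events(SAMPLE_LOG)
    print("lockout would fire on:", lockout_candidates(ev))
    sprayers = detect_spraying(ev)
    print("spraying sources:", sprayers)
    print("accounts compromised by spray:", successes_from(ev, sprayers))
```

On this sample the lockout rule locks only alice, the brute-force target, and says nothing about the spray; the per-source rule flags 203.0.113.7 after five distinct accounts in fifteen seconds, and the success that follows from that source is the account to reset first. Real sprays are slower and often spread across many source addresses, so the same count is usually keyed on an ASN, a user-agent string or an authentication endpoint rather than a single IP.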
42 | 3965bc8ee415855183079832fd3886ef26c00f4d | A financial penalty of $10,000 was imposed on North London Collegiate School (Singapore) for failing to put in place reasonable security arrangements to prevent the unauthorised access of its student applicants’ personal data residing in a website directory folder. | [ "Protection", "Financial Penalty", "Education" ] |
18 Feb 2022 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---NLCS---01122021.pdf | Protection | Breach of the Protection Obligation by North London Collegiate School (Singapore) | https://www.pdpc.gov.sg/all-commissions-decisions/2022/02/breach-of-the-protection-obligation-by-north-london-collegiate-school | 2022-02-18 | PERSONAL DATA PROTECTION COMMISSION Case No. DP-2107-B8562 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And North London Collegiate School (Singapore) Pte. Ltd. SUMMARY OF THE DECISION 1. On 2 July 2021, North London Collegiate School (Singapore) Pte. Ltd. (the “Organisation”) notified the Personal Data Protection Commission (the “Commission”) that a parent of a student was able to view and access a student report by the Organisation by performing searches using internet search engines (the “Incident”). 2. The Organisation subsequently requested for this matter to be handled under the Commission’s expedited breach decision procedure. In this regard, the Organisation voluntarily provided and unequivocally admitted to the facts set out in this decision. It also admitted that it was in breach of section 24 of the Personal Data Protection Act (the “PDPA”). 3. Investigations revealed that, from December 2019 to July 2021, parents of prospective students could submit documents for admission applications via the Organisation’s website (https://nlcssingapore.sg/). All submitted documents were stored in a directory/ folder of the website. However, the website directory/ folder was not adequately secured from automatic indexing by web crawlers. As a result, the submitted documents were indexed by search engines and could show up in online search results. 4. The table below summarises the number of affected individuals for each type of document accessible in the directory/ folder (the “Compromised Documents”): 
S/N, Type of Document (Scanned or Electronic Copies), Number of Individuals Affected: (1) Passport, 1,742; (2) Identity cards (i.e. NRICs), 1,714; (3) Digital Photographs of applicants, 720; (4) Birth Certificates, 709; (5) Academic Reports, 676; (6) Immunization Records, 670. 5. The documents above contained the following types of personal data (the “Personal Data Sets”) at risk of unauthorised access in the Incident - Name, Address, NRIC number, Passp… | Financial Penalty | 1020 | { "sum": 10000, "max": 10000 } |
43 | bf4e6d72b19c9074ffec7a533da1119c04a79efb | A financial penalty of $14,000 was imposed on Nature Society (Singapore) for breaches of the PDPA. First, the organisation failed to put in place reasonable measures to protect personal data on its website database. Second, it did not appoint a data protection officer. Lastly, it did not have written policies and practices necessary to comply with the PDPA. | [ "Protection", "Accountability", "Financial Penalty", "Others" ] |
14 Jan 2022 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Summary-Decision---NSS---03122021.pdf | Protection, Accountability | Breach of the Protection and Accountability Obligations by Nature Society (Singapore) | https://www.pdpc.gov.sg/all-commissions-decisions/2021/12/breach-of-the-protection-and-accountability-obligations-by-nature-society | 2022-01-14 | PERSONAL DATA PROTECTION COMMISSION Case No. DP-2011-B7351 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Nature Society (Singapore) SUMMARY OF THE DECISION 1. On 6 November 2020, the Personal Data Protection Commission (the “Commission”) received information of an online article reporting about hacked databases being made available for downloads on several hacking forums and Telegram channels. In the article, Nature Society (Singapore) (the "Organisation") was named as one of the affected Organisations (the “Incident”). 2. The personal data of 5,131 members and non-members who had created membership and user accounts on the Organisation’s website were affected in the Incident. The datasets affected comprised names, usernames, passwords (encrypted), email addresses, telephone numbers, types of membership, gender, mailing addresses, dates of birth, occupation, company and nationality. 3. Following the Incident, the Organisation engaged two IT professionals to carry out an investigation and analysis of the Organisation's website. The investigation and analysis revealed vulnerabilities in the Organisation's website and suspicious SQL injection activities prior to the Incident. The possible attack vector was identified as a SQL injection attack which led to personal data on the Organisation's website database being accessed and exfiltrated by unknown parties. 4. 
The Organisation took the following remedial measures after the Incident: (a) Edited the website to stop all online membership sign-ups/renewals and logins to the website; (b) Removed all members' and users' data from the website database; (c) Backed up the website database and kept all personal data offline; (d) Changed all login passwords; (e) Notified all affected individuals of the Incident via email; (f) Appointed a Data Protection Officer ("DPO"); (g) Developed and implemented a personal data policy; and (h) Engaged vendors to develop a new website to improve security. 5. In… | Financial Penalty | 1020 | { "sum": 14000, "max": 14000 } |
44 | 1eb592a8a340702f6389b9b41adde21320962dd5 | A warning was issued to Belden Singapore for a breach of the PDPA in relation to the transfer of its Singapore-based employees’ personal data to its parent company in the United States. | [ "Transfer Limitation", "Warning", "Manufacturing" ] |
09 Dec 2021 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Belden-Singapore-Private-Limited---12112021.pdf | Transfer Limitation | Breach of the Transfer Limitation Obligation by Belden Singapore | https://www.pdpc.gov.sg/all-commissions-decisions/2021/12/breach-of-the-transfer-limitation-obligation-by-belden-singapore | 2021-12-09 | PERSONAL DATA PROTECTION COMMISSION [2021] SGPDPC 13 Case No. DP-2011-B7423, DP-2011-B7433 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And (1) Belden Singapore Private Limited (2) Grass Valley Singapore Pte Ltd … Organisations DECISION Belden Singapore Private Limited & Anor [2021] SGPDPC 13 Yeong Zee Kin, Deputy Commissioner — Case No. DP-2011-B7423, DP-2011-B7433 12 November 2021 Introduction 1. It is not unusual for a corporate group with a multi-national footprint to conduct cross-border transfers of personal data between its various entities. However, such arrangements also mean that data transferred from an organisation based in Singapore might risk exposure to data breach incidents in another jurisdiction. This is one such incident. 2. On 19 November 2020 and 20 November 2020, Belden Singapore Private Limited (“Belden Singapore”) and Grass Valley Singapore Pte Ltd (“GVSPL”) (collectively, the “Organisations”) notified the Personal Data Protection Commission (the “Commission”) of a data breach incident whereby an unauthorised third party had gained access to business servers of the Belden Group, and managed to exfiltrate information, including personal data of the employees of the Organisations (“Incident”). Facts of the Case 3. The Belden Group is a group of companies involved in the manufacturing of networking, connectivity and cable products. Its various subsidiaries and affiliated companies operate in the Americas, Europe, Middle East, Africa and the Asia Pacific region (the “Belden entities”). 
The overall parent entity, Belden Incorporated (“Belden Inc.”) is headquartered in St Louis, Missouri, United States. Belden Singapore is part of the Belden Group. 4. As the main Human Resources (“HR”) functions of Belden Singapore are conducted by Belden Inc., Belden Singapore transfers the personal data of its employees to Belden Inc., which are then stored in Belden Inc.’s servers. The terms on which the various Belden entities tran… | Warning | 1020 | { "sum": 0, "max": 0 } |
45 | a50361eef69a092d0a4126d531a06bdd55f6fc87 | Giordano was found not in breach of the PDPA in relation to an unauthorised network entry and ransomware infection that affected two of its systems storing personal data. | [ "Protection", "Not in Breach", "Wholesale and Retail Trade", "Ransomware", "Phishing" ] |
11 Nov 2021 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision--Giordano-Originals-S-Pte-Ltd--151021.pdf | Protection | No Breach of the Protection Obligation by Giordano | https://www.pdpc.gov.sg/all-commissions-decisions/2021/11/no-breach-of-the-protection-obligation-by-giordano | 2021-11-11 | PERSONAL DATA PROTECTION COMMISSION Case No. DP-2011-B7387 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Giordano Originals (S) Pte Ltd SUMMARY OF THE DECISION 1. On 3 December 2020, the Personal Data Protection Commission (the “Commission”) was notified by Giordano Originals (S) Pte Ltd (the “Organisation”) of an unauthorized network entry and ransomware infection at the OS and server level that occurred on or about 12 July 2020 (the “Incident”). 2. As a result of the Incident, two of the Organisation’s systems were affected: one storing the personal data of its employees and the other the personal data of its members. 3. The Organisation’s own and independent investigations found no sign of suspicious activity in the Singapore network, and no impact beyond the Singapore network. The unauthorised entry had most likely occurred through the use of compromised credentials obtained through phishing. 4. Personal data of 790,000 members and 184 employees in encrypted form were affected. The personal data of members comprised names (20% of the members), contact number and partial date of birth (without birth year). The personal data of employees comprised name, NRIC, address, gender, age, contact number, email address, educational and salary information. 5. Investigations revealed that the Organisation had in place reasonable security measures that are consistent with the recommendations that the Personal Data Protection Commission had made in our recent Handbook on “How to Guard Against Common Types of Data Breaches” on how to prevent malware or phishing attacks. 
The Organisation had installed and deployed various endpoint security solutions, which was complemented with real-time system monitoring for any Internet traffic abnormalities. Even before the Incident, the Organisation also conducted regular periodic system maintenance, reviews and updates (such as vulnerability scanning and patching). 6. More importantly, the Organisation had also ensu… | Not in Breach | 1020 | { "sum": 0, "max": 0 } |
46 | 99c426092b4199a1be72df7bdda2316c12a444f6 | A financial penalty of $74,000 was imposed on Commeasure for failing to put in place reasonable security arrangements to prevent the unauthorised access and exfiltration of customers’ personal data hosted in a cloud database. | [ "Protection", "Financial Penalty", "Accommodation and F&B" ] |
11 Nov 2021 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Commeasure-Pte-Ltd---15092021.pdf | Protection | Breach of the Protection Obligation by Commeasure | https://www.pdpc.gov.sg/all-commissions-decisions/2021/11/breach-of-the-protection-obligation-by-commeasure | 2021-11-11 | PERSONAL DATA PROTECTION COMMISSION [2021] SGPDPC 11 Case No. DP-2009-B7057 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Commeasure Pte Ltd … Organisation DECISION Commeasure Pte Ltd. [2021] SGPDPC 11 Lew Chuen Hong, Commissioner — Case No. DP-2009-B7057 15 September 2021 Introduction 1 On 25 September 2020, the Personal Data Protection Commission (“the Commission”) received a data breach notification from Commeasure Pte Ltd (“the Organisation”) that its database containing 5,892,843 customer records had been accessed and exfiltrated (“the Incident”). The Organisation first found out about the data breach on 19 September 2020 when a cybersecurity company based in Atlanta, United States of America, approached the Organisation with an offer to contain the breach and retrieve the data from the hackers. The Commission commenced investigations into the Incident thereafter. Facts of the Case Background 2 The Organisation was incorporated in Singapore in 2014, and operates a hotel booking platform www.reddoorz.com which serves customers in the Southeast Asian region, such as Indonesia, Singapore, Philippines, Vietnam and Thailand. The Singapore office is primarily engaged in sales, finance and administrative activities, while all IT functions (including the management of the affected application package in this case) were managed by the Organisation’s subsidiary company, Commeasure Solutions India Pvt Ltd (“CPL India”). 
Cause of the Incident 3 Investigations revealed that the unknown threat actor(s) had most likely gained access and exfiltrated the Organisation’s database of customer records hosted in an Amazon RDS cloud database, after they obtained an Amazon Web Services (“AWS”) access key. The AWS access key was embedded within an Android application package (“the affected APK”) publicly available for download from the Google Play Store. 4 This affected APK was created sometime in 2015, when the Organisation was still a start-up, and was last… | Financial Penalty | 1020 | { "sum": 74000, "max": 74000 } |
47 | c1d77c572bf927e7f57cf9faf23c914633e6869e | A financial penalty of $10,000 was imposed on ChampionTutor for failing to put in place reasonable security arrangements to protect personal data in its possession. The incident resulted in the personal data being exposed. | [ "Protection", "Financial Penalty", "Education" ] |
14 Oct 2021 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision--ChampionTutor-Inc-Private-Limited--10082021.pdf | Protection | Breach of the Protection Obligation by ChampionTutor | https://www.pdpc.gov.sg/all-commissions-decisions/2021/10/breach-of-the-protection-obligation-by-championtutor | 2021-10-14 | PERSONAL DATA PROTECTION COMMISSION Case No. DP-2103-B7984 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And ChampionTutor Inc. (Private Limited) SUMMARY OF THE DECISION 1. On 24 February 2021, the Personal Data Protection Commission (the “Commission”) received information that ChampionTutor Inc. (Private Limited)’s (the “Organisation”) database, containing personal data of individuals, was being sold on the dark web (the “Incident”). 2. The Organisation was not aware of the Incident until it was notified by the Commission. The cause of the Incident was suspected to be SQL injection of the Organisation’s website. The Organisation knew about this SQL injection vulnerability when it conducted a penetration test in December 2020. The Organisation had instructed its developer, based in India, to fix the vulnerability. However, the developer did not act on the request and this vulnerability was left unfixed until the Incident happened. 3. As a result, the personal data of 4,625 students were affected. The personal data included name, email address, contact number and address. 4. The Organisation took the following remedial measures after the Incident: a. Engaged a new team of developers to fix all the SQL injection vulnerabilities; b. Parameterised SQL statements by disallowing data-directed context changes to prevent SQL injection attacks from resurfacing; and c. Is in the process of revamping the entire website source codes to reduce possible vulnerabilities. 5. 
The Organisation admitted to having breached the Protection Obligation under section 24 of the Personal Data Protection Act (the “PDPA”), and requested for the matter to be dealt with in accordance with the Commission’s Expedited Decision Procedure. 6. The Organisation admitted it was aware of the SQL injection vulnerability in December 2020. Yet, the Organisation failed to take active steps to fix the vulnerability even when its developer was not responsive, purportedly due to the COVID-19 pandemic, a… | Financial Penalty | 1020 | { "sum": 10000, "max": 10000 } |
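The SQL injection vector in the Nature Society and ChampionTutor decisions above, and the parameterised-statement fix ChampionTutor adopted, as an added example that is neither organisation's code: a Python sqlite3 script over a constructed users table (the names, addresses and numbers are made up) that puts the string-concatenated query beside the bound-parameter form and runs a tautology payload and a UNION payload that reads the schema through each.

```python
"""SQL injection: a string-built query beside its parameterised form (added example, in-memory sqlite3)."""
import sqlite3

# Constructed sample records standing in for a membership or student table; not real data.
SAMPLE_USERS = [
    ("alice", "alice@example.org", "+65-0000-0001"),
    ("bob", "bob@example.org", "+65-0000-0002"),
    ("carol", "carol@example.org", "+65-0000-0003"),
]


def make_db():
    """Create an in-memory database with one users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT, phone TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, username):
    """Deliberately vulnerable: the caller's string becomes part of the SQL text,
    so quote characters in it change the structure of the query."""
    sql = "SELECT username, email, phone FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, username):
    """Hardened: the value is bound to a placeholder and is only ever compared as data."""
    sql = "SELECT username, email, phone FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Two classic payloads. The first makes the WHERE clause always true; the second
# appends a UNION that reads the schema out of sqlite_master and comments out the
# closing quote the application added.
TAUTOLOGY = "' OR '1'='1"
UNION_SCHEMA = "' UNION SELECT name, sql, '' FROM sqlite_master--"


def run_demo():
    """Return the result of each lookup so the difference can be checked, not just printed."""
    conn = make_db()
    return {
        "normal": lookup_parameterised(conn, "alice"),
        "vulnerable_tautology": lookup_vulnerable(conn, TAUTOLOGY),
        "vulnerable_union": lookup_vulnerable(conn, UNION_SCHEMA),
        "parameterised_tautology": lookup_parameterised(conn, TAUTOLOGY),
        "parameterised_union": lookup_parameterised(conn, UNION_SCHEMA),
    }


if __name__ == "__main__":
    for name, rows in run_demo().items():
        print(f"{name}: {len(rows)} row(s) {rows}")
```

The tautology dumps every row through the vulnerable lookup and nothing through the parameterised one; the UNION payload returns the CREATE TABLE statement, which is the reconnaissance step before an attacker selects the columns they want to exfiltrate. Binding is exactly ChampionTutor's "disallowing data-directed context changes": the driver sends the value separately from the statement, so no quoting of the input is involved. It does not cover identifiers, so a table or column name taken from a request still needs an allowlist.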
48 | cc15e7c5f988eab73f5190a48b9f4dab3d0f2b4d | A warning was issued to The National Kidney Foundation for failing to put in place reasonable security to protect the personal data in its possession. The incident resulted in personal data being downloaded. | [ "Protection", "Warning", "Healthcare", "Phishing", "Email" ] |
14 Oct 2021 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---The-National-Kidney-Foundation---15092021.pdf | Protection | Breach of the Protection Obligation by The National Kidney Foundation | https://www.pdpc.gov.sg/all-commissions-decisions/2021/10/breach-of-the-protection-obligation-by-the-national-kidney-foundation | 2021-10-14 | PERSONAL DATA PROTECTION COMMISSION [2021] SGPDPC 10 Case No. DP-2005-B6353 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And The National Kidney Foundation … Organisation DECISION The National Kidney Foundation [2021] SGPDPC 10 Yeong Zee Kin, Deputy Commissioner — Case No. DP-2005-B6353 15 September 2021 Introduction 1 On 22 May 2020, the Personal Data Protection Commission (the “Commission”) received a data breach notification from the National Kidney Foundation (the “Organisation”). The Organisation had discovered that on 17 May 2020, a hacker had gained access to the work email account of one of its employees (“Employee A”) and had likely exfiltrated the personal data contained in the email account (the “Incident”). Background 2 The Organisation is a prominent non-profit health organisation in Singapore that provides health services, including subsidised kidney dialysis. Employee A is an executive in the Organisation’s Clinical Operations department, which deals with implementation of operations policies, budget planning and working with medical and nursing management team to uphold healthcare standards. The Incident 3 Investigations revealed that, on 14 May 2020, Employee A received a phishing email containing a hyperlink to a website with a further link to another website seeking his account credentials. The hacker is believed to have obtained Employee A’s account credentials in this way. Thereafter, the hacker accessed Employee A’s email account (the “Email Account”) and synchronised the mailbox on 17 May 2020. 
In doing so, the hacker is believed to have downloaded all the data stored in the Email Account in its entirety. The hacker also used Employee A’s email account to send phishing emails to 1,039 external business contacts of the Organisation, and 9 email accounts belonging to persons within the Organisation. Whilst these phishing emails contained a link to a phishing webpage, they did not disclose any personal data collected from the E… | Warning | 1020 | { "sum": 0, "max": 0 } |
49 | ebd1814ecb9da020297ef11b6ad3b394b081f9a7 | Directions were issued to J & R Bossini Fashion for breaches of the PDPA in relation to the transfer of Singapore-based individuals’ personal data to its parent company in Hong Kong and the protection of its employees’ personal data stored in its servers in Singapore. | [ "Protection", "Transfer Limitation", "Directions", "Wholesale and Retail Trade" ] |
14 Oct 2021 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---J--R-Bossini-Fashion-Pte-Ltd---18082021.pdf | Protection, Transfer Limitation | Breach of the Protection and Transfer Limitation Obligations by J & R Bossini Fashion | https://www.pdpc.gov.sg/all-commissions-decisions/2021/10/breach-of-the-protection-and-transfer-limitation-obligations-by-j-r-bossini-fashion | 2021-10-14 | PERSONAL DATA PROTECTION COMMISSION [2021] SGPDPC 9 Case No. DP-2006-B6440 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And J & R Bossini Fashion Pte Ltd … Organisation DECISION J & R Bossini Fashion Pte Ltd [2021] SGPDPC 9 Yeong Zee Kin, Deputy Commissioner — Case No. DP-2006-B6440 18 August 2021 Introduction 1 On 13 June 2020, J & R Bossini Fashion Pte Ltd (“the Organisation”) notified the Personal Data Protection Commission (“the Commission”) of a ransomware attack which had affected the IT systems of the Organisation’s group of companies on or around 27 May 2020 (“the Incident”). The Commission commenced investigations to determine whether the circumstances relating to the Incident disclosed any breaches by the Organisation of the Personal Data Protection Act 2012 (“PDPA”). Facts of the Case 2 The Organisation is a company incorporated in Singapore, and a subsidiary of Bossini International Holdings Limited, a company listed on the Stock Exchange of Hong Kong (“Bossini Holdings”). Bossini Holdings and its subsidiaries (“the Group”) are in the business of garment retail and brand franchising. 3 The Group’s IT systems and infrastructure across different regions (including Singapore) are centrally managed by Bossini Holdings from Hong Kong. 
While most of the Group’s production servers are located in Hong Kong, at the material time, the Organisation maintained two servers and various workstations for its staff in Singapore which were connected to the Group’s network in Hong Kong by way of a virtual private network (“VPN”). Personal data collected by the Organisation 4 Sometime prior to 2017, the Organisation collected personal data from customers and prospective customers in Singapore for the purposes of administering a customer loyalty programme. The personal data collected comprised each individual’s: (a) Name; (b) NRIC number; (c) Phone number; (d) Email address; (e) Residential address; (f) Date of birth; and (g) Gende… | Directions | 1020 | { "sum": 0, "max": 0 } |
50 | be11c5ff3c36e619d77e0eb760ca209d44cbadea | A financial penalty of $37,500 was imposed on Stylez for failing to put in place reasonable security arrangements to protect personal data of its customers and cease retaining data when the purpose of collection no longer exists. As a result, the personal data of its customers was publicly exposed. A direction was also issued to Stylez to develop and implement internal data protection policies and practices to comply with the PDPA. | [ "Protection", "Accountability", "Retention Limitation", "Financial Penalty", "Directions", "Accommodation and F&B", "Database" ] |
14 Oct 2021 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Stylez-Pte-Ltd---04082021.pdf | Protection, Accountability, Retention Limitation | Breach of the Protection, Accountability and Retention Limitation Obligations by Stylez | https://www.pdpc.gov.sg/all-commissions-decisions/2021/10/breach-of-the-protection-accountability-and-retention-limitation-obligations-by-stylez | 2021-10-14 | PERSONAL DATA PROTECTION COMMISSION [2021] SGPDPC 8 Case No. DP-2001-B5645 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Stylez Pte Ltd … Organisation DECISION Stylez Pte. Ltd. [2021] SGPDPC 8 Lew Chuen Hong, Commissioner — Case No. DP-2001-B5645 4 August 2021 Introduction 1 On 25 December 2019, a local newspaper reported that data from a quotation and service comparison portal, iCompare.sg (“the Portal”), had been uploaded onto the Dark Web (the “Incident”)[1]. The Personal Data Protection Commission (“the Commission”) commenced investigations into the Incident thereafter. Facts of the Case 2 The Portal was created and operated by Stylez Pte Ltd (“Organisation”) at the material time. In July 2016, the Organisation created a new database containing data from the Portal for the purposes of testing a new function for the Portal in a separate test environment (the “Testing Database”). The Testing Database was a text file comprising records of the Portal’s renovation and interior design clients from 2009 to 2016 and was hosted on a cloud server leased from a cloud storage service provider (“the Server”). 3 Investigations revealed that the data exposed in the Incident was accessed and exfiltrated from the Testing Database some time before December 2019. A total of 9,983 individuals’ personal data, comprising their name, email address, and phone number were exposed in the Incident. 
4 The Portal’s production and backup databases were hosted on servers leased from a different cloud service provider and were unaffected in the Incident. [1] https://www.straitstimes.com/singapore/local-renovation-database-exposed-on-dark-web Remedial actions 5 Following the Incident, the Organisation took the following remedial actions: a. The Testing Database and the account from which it was hosted were deleted; b. A malware scan was run on the Server, and all unnecessary files were removed; c. The operating system of the Server was updated and the root passwor… | Financial Penalty, Directions | 1020 | { "sum": 37500, "max": 37500 } |
51 | efaab7f81309197eda33e2e452a7db06339dee0a | Carousell was found not in breach of the PDPA in relation to incidents where threat actor accessed Carousell users' accounts due to credential stuffing. | [ "Not in Breach", "Others", "Password" ] |
21 Sep 2021 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Carousell-Pte-Ltd---030821.pdf | | No Breach of the Protection Obligation by Carousell | https://www.pdpc.gov.sg/all-commissions-decisions/2021/09/no-breach-of-the-protection-obligation-by-carousell | 2021-09-21 | PERSONAL DATA PROTECTION COMMISSION Case No. DP-2105-B8350 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Carousell Pte. Ltd. SUMMARY OF THE DECISION 1. On 14 May 2021, Carousell Pte. Ltd. (the “Organisation”) informed the Personal Data Protection Commission of an unauthorized access to their users’ accounts due to credential stuffing. 2. The Organisation was first alerted on 26 April 2021 when a user reported to the Organisation that his account had been hijacked and there were attempts to make unauthorised purchases. On 1 June 2021, the Organisation was alerted to another incident involving the same modus operandi where legitimate credentials were used to log in to users’ accounts and unauthorised purchases were made (collectively, the “Incident”). 3. The Organisation’s investigations indicated that the Incident was due to the threat actor(s) obtaining the login details and passwords of some of their users due to an exposure of the account details on another service provider’s platform. The threat actor(s) succeeded in certain cases where the user used the same login and password for their account with the Organisation and their compromised accounts with other providers’ platforms. After successfully logging into the account, the threat actor(s) was able to perform actions as an authorised user. The threat actor(s) would also have access to the data in an individual’s account and modify the account settings. 4. The Organisation’s investigations found that there was no known compromise or unauthorised access of information in other accounts that were stored in the same database. 
At the time of the Incident, the Organisation had in place security arrangements including, but not limited to, the following: a. Users are informed when there is a change to the password, email or phone number linked to their account, or when a new device is used to log in; b. Training of account takeover model to identify and investigate likely account takeovers; c. Card tr… | Not in Breach | 1020 | { "sum": 0, "max": 0 } |
52 | 7a8c834ad08266980eab82da552b2caf624d2c3f | A financial penalty of $9,000 was imposed on Sendtech for failing to put in place reasonable security arrangements to protect personal data. This resulted in an unauthorised access of the personal data stored in their Amazon Web Services account. | [ "Protection", "Financial Penalty", "Admin and Support Services", "Password" ] |
21 Sep 2021 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Sendtech-Pte-Ltd---220721.pdf | Protection | Breach of the Protection Obligation by Sendtech | https://www.pdpc.gov.sg/all-commissions-decisions/2021/09/breach-of-the-protection-obligation-by-sendtech | 2021-09-21 | PERSONAL DATA PROTECTION COMMISSION Case No. DP-2102-B7884 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Sendtech Pte. Ltd. … Organisation SUMMARY OF THE DECISION 1. On 13 February 2021, Sendtech Pte. Ltd. (the “Organisation”) informed the Personal Data Protection Commission (the “Commission”) of a data breach incident. There was an unauthorized access to the Organisation’s Amazon Web Services (“AWS”) account via an access key (the “Incident”). 2. The Organisation became aware of the Incident on 10 February 2021 when its AWS account was shut down due to unusual account activity. The cause of the Incident was a compromised AWS access key. This access key was created in 2015 when the Organisation was developing the backend of its server in its incipient stages. This AWS access key had not been rotated or changed since 2015. The Organisation suspected that the AWS access key could have been compromised through its former or current employees. First, all former developers had access to this key and some could still have the source code on their computers. Second, as most of the employees are working from home, it is possible that the AWS access key was compromised if the employees had accessed internet through a public WiFi connection. 3. With this compromised AWS access key, the attacker gained admin privileges, created another admin account and queried the buckets storing personal data. As a result, the personal data of 64,196 customers and 3,401 contractors and the contractors’ employees were accessed. There was no evidence of data exfiltration. 
For the customers, the personal data included the email address, contact number, home address and last four digits of the debit or credit card. For the contractors and their employees, the personal data included profile photo and copies of the NRIC or work permit (front and back). 4. The Organisation took the following remedial measures after the Incident: a. Rotated all access keys; b. Changed passwords for all servers;… | Financial Penalty | 1020 | { "sum": 9000, "max": 9000 } |
53 | 2066d84ba2bb6f83fa4199710f0ebf3becdbfc9b | A financial penalty of $13,500 was imposed on SAP Asia for failing to put in place reasonable security arrangements to protect personal data of its former employees. This resulted in an unauthorised disclosure of the personal data to unintended recipients. | [ "Protection", "Financial Penalty", "Admin and Support Services", "Vendor" ] |
21 Sep 2021 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---SAP-Asia-Pte-Ltd---310721.pdf | Protection | Breach of the Protection Obligation by SAP Asia | https://www.pdpc.gov.sg/all-commissions-decisions/2021/09/breach-of-the-protection-obligation-by-sap-asia | 2021-09-21 | PERSONAL DATA PROTECTION COMMISSION [2021] SGPDPC 6 Case No. DP-2004-B6180 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And SAP Asia Pte. Ltd. … Organisation DECISION SAP Asia Pte. Ltd. [2021] SGPDPC 6 Lew Chuen Hong, Commissioner — Case No. DP-2004-B6180 30 July 2021 Introduction 1 On 1 April 2020, the Personal Data Protection Commission (“the Commission”) received a complaint that SAP Asia Pte. Ltd. (“the Organisation”) had disclosed the payroll information of some of its former employees to the wrong email recipients (“the Incident”). The Commission commenced investigations into the Incident thereafter. Facts of the Case 2 At the material time prior to the Incident, the Organisation had engaged an external vendor (“the Vendor”) to provide IT solutions for its human resources and payroll system (“the HR System”). The Organisation’s process of issuing payslips to its employees had been automated as part of the HR System. However, when payslips needed to be issued to individuals who had already left the employment of the Organisation (e.g. final payslips, reimbursements of expenses etc), this could not be done via the HR System. Such payslips needed to be separately generated by the Organisation’s human resources department and emailed to the former employees at their personal email addresses. The Organisation was keen to automate the process of issuing payslips to former employees as part of the HR System, and sometime around April 2019, requested the Vendor to develop a new programme within the HR System for this purpose (“the Programme”). 
3 The Organisation had intended to use the Programme to generate and email multiple payslips to multiple former employees simultaneously in one execution of the Programme SAP Asia Pte. Ltd. [2021] SGPDPC 6 (“Multiple Payslip Issuance”). However, as will be discussed below, this intention was not properly communicated to the Vendor, and the Programme was designed on the incorrect understanding that only a sing… | Financial Penalty | 1020 | { "sum": 13500, "max": 13500 } |
54 | 78c2297627c45a33b042a529face01c990b99eb8 | A financial penalty of $8,000 was imposed on Seriously Keto for failing to put in place reasonable security arrangements to protect the personal data stored in its server. This resulted in the data being subjected to a ransomware attack. | [ "Protection", "Financial Penalty", "Accommodation and F&B", "Ransomware", "Vendor" ] |
21 Sep 2021 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Seriously-Keto-Pte-Ltd---14072021.pdf | Protection | Breach of the Protection Obligation by Seriously Keto | https://www.pdpc.gov.sg/all-commissions-decisions/2021/09/breach-of-the-protection-obligation-by-seriously-keto | 2021-09-21 | PERSONAL DATA PROTECTION COMMISSION Case No. DP-2006-B6449 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Seriously Keto Pte. Ltd. SUMMARY OF THE DECISION 1. On 16 June 2020, Seriously Keto Pte Ltd (the “Organisation”) notified the Personal Data Protection Commission (the “Commission”) of a ransomware infection that occurred on or about 15 June 2020 (the “Incident”). The affected personal data comprised approximately 3,073 individuals’ names, addresses, email addresses and telephone numbers (“the Affected Personal Data”). 2. The Organisation requested that the Commission investigate the Incident under its Expedited Decision Procedure. In this regard, the Organisation voluntarily provided and unequivocally admitted to the facts set out in this decision. It also admitted that it was in breach of the Protection Obligation under section 24 of the Personal Data Protection Act (the “PDPA”). 3. Investigations revealed the presence of an unprotected file in the Organisation’s network infrastructure which contained unencrypted login credentials to access the server containing the Affected Personal Data. The unprotected file could be located by infrastructure scanning, and this provided a channel for unauthorised access to the server. Server logs retrieved by the Organisation after the Incident indicated that there had been unauthorised access to the file. 4. The Organisation admitted that it had failed to conduct any periodic security reviews prior to the Incident which could have revealed the existence of the unprotected file within its network infrastructure. 5. 
The Organisation had engaged a vendor to develop its e-commerce and membership website and claimed to have relied on the vendor to make the necessary security arrangements to protect the Affected Personal Data. However, in this case, there were no clear business requirements (e.g. contractual stipulations) specifying that the Organisation was relying on the vendor to recommend and/or implement security arr… | Financial Penalty | 1020 | { "sum": 8000, "max": 8000 } |
55 | d90163ad4f61e9c79b73c30b9339728ff1a7e722 | A warning was issued to Specialized Asia Pacific for failing to put in place reasonable security arrangements to protect the personal data of 2,445 application users. | [ "Protection", "Warning", "Others", "Mobile application" ] |
21 Sep 2021 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Specialized-Asia-Pacific-Pte-Ltd---300721.pdf | Protection | Breach of the Protection Obligation by Specialized Asia Pacific | https://www.pdpc.gov.sg/all-commissions-decisions/2021/09/breach-of-the-protection-obligation-by-specialized-asia-pacific | 2021-09-21 | PERSONAL DATA PROTECTION COMMISSION Case No. DP-2101-B7826 In the matter of an investigation under Section 50(1) of the Personal Data Protection Act 2012 And Specialized Asia Pacific Pte Ltd … Organisation SUMMARY OF THE DECISION 1. On 29 January 2021, Specialized Asia Pacific Pte Ltd. (the “Organisation”) informed the Personal Data Protection Commission of a data security incident involving the Specialized Cadence application (the “Application”) that it developed, operated and maintained. 2. The Organisation’s developing staff did not realize that the online development tool, which was used to develop the Application, had a default privacy setting that made all data created by users or developers “visible”, even though this had been stated in the tool’s privacy rules. This default setting allowed the Application’s network traffic to be intercepted and accessed using third-party security testing software that can be acquired online. A member of the public had therefore been able to intercept and access the personal data of the Application’s users by using a free version of such software (the “Incident”). However, the risk of unauthorised access had been limited to parties who knew how to use such security testing software to obtain access. This factored in the enforcement outcome below (see paragraph 6 below). 3. The undetected default privacy setting of “visible” put the personal data of 2,445 individuals at risk of unauthorised access. The data affected included names, addresses, dates of birth, telephone numbers, email addresses and gender. 4. 
Remediation by the Organisation encompassed turning off all access and use of the Application by all external parties, including users, and changing the privacy setting from “visible” to “hidden”. The Organisation also engaged a third-party IT security firm to test and address any security and privacy issues relating to the Application, commenced discussions with its IT application designers and employees involved to adopt ‘privacy-by-design’ in future appl… | Warning | 1020 | { "sum": 0, "max": 0 } |
56 | 3256f6944ba40d3a8d90aba14c5975cf6a00525c | Directions were issued to NUInternational Singapore and Newcastle Research and Innovation Institute for breach of the PDPA in relation to the transfer of Singapore-based individuals’ personal data to their ultimate parent company in the United Kingdom and related company in Malaysia. | [ "Transfer Limitation", "Directions", "Education", "Ransomware", "Consent" ] |
21 Sep 2021 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---NUI-and-NewRIIS--23062021.pdf | Transfer Limitation | Breach of the Transfer Limitation Obligation by NUInternational Singapore and Newcastle Research and Innovation Institute | https://www.pdpc.gov.sg/all-commissions-decisions/2021/09/breach-of-the-transfer-limitation-obligation-by-nuinternational-singapore-and-newcastle-research-and-innovation-institute | 2021-09-21 | PERSONAL DATA PROTECTION COMMISSION [2021] SGPDPC 5 Case No. DP-2009-B7011 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And (1) NUInternational Singapore Pte Ltd (2) Newcastle Research and Innovation Institute Pte Ltd … Organisations DECISION (1) NUInternational Singapore Pte Ltd; (2) Newcastle Research and Innovation Institute Pte Ltd [2021] SGPDPC 5 Yeong Zee Kin, Deputy Commissioner — Case No. DP-2009-B7011 23 June 2021 Introduction 1 On 17 September 2020 and 13 November 2020, the Personal Data Protection Commission (the “Commission”) was notified of a ransomware attack relating to Newcastle Research and Innovation Institute Pte Ltd and NUInternational Singapore Pte Ltd (collectively known as the “Organisations”) in Singapore (the “Incident”). Facts of the case 2 The ransomware infected, on or around 30 August 2020, (a) a database in the United Kingdom, managed by the ultimate parent company of the Organisations (containing 1,083 records of Singapore-based individuals); and (b) a database in Malaysia, hosted by a related company of the Organisations (containing 194 records of Singapore-based individuals). These records containing personal data of the Singapore-based individuals were previously transferred from the Organisations to the ultimate parent company in the United Kingdom and the related company in Malaysia respectively. 
The Singapore-based individuals were a mix of staff members, undergraduates and/or post-graduate students of the Organisations. Their personal data (comprising names and user account identifications) were exfiltrated by the threat actor. Findings and Basis for Determination 3 Section 26(1) of the PDPA stipulates that an organisation shall not transfer any personal data to a country or territory outside Singapore except in accordance with the requirements prescribed under the PDPA to ensure that organisations provide a standard of protection to personal data so transferred that is comparable to the protection un… | Directions | 1020 | { "sum": 0, "max": 0 } |
57 | 0e2066bb386a6ebc1a83a8bc70a7364aef734bf5 | Singapore Telecommunications Limited was found not in breach of the PDPA in relation to an incident which occurred on or about 13 July 2020 where a threat actor accessed the accounts belonging to 17 subscribers. | [ "Not in Breach", "Information and Communications", "Phishing" ] |
12 Aug 2021 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Singapore-Telecommunications-Limited---21062021.pdf | No Breach of the Protection Obligation by Singapore Telecommunications Limited | https://www.pdpc.gov.sg/all-commissions-decisions/2021/08/no-breach-of-the-protection-obligation-by-singapore-telecommunications-limited | 2021-08-12 | PERSONAL DATA PROTECTION COMMISSION Case No. DP-2007-B6607 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Singapore Telecommunications Limited SUMMARY OF THE DECISION 1. On 15 July 2020, Singapore Telecommunications Limited (the “Organisation”) informed the Personal Data Protection Commission of an incident which had occurred on or about 13 July 2020 (the “Incident”). In the Incident, a threat actor accessed the accounts of 17 of the Organisation’s telecommunications service subscribers to request for issuance of new SIM cards, forwarding of voice calls and/or cessation of mobile services 1 . Once these were issued, the affected subscribers were unable to access to their own accounts. 2. The Organisation investigations indicated that the Incident was due to threat actor(s) who gained access to its IT systems through coordinated social engineering tactics targeted at staff. The threat actor(s)’ aim was to use compromised staff accounts to gain control of subscriber accounts of the affected individuals to perform unauthorised activities. 3. The Organisation also made reports to IMDA under the Telecoms Act and the Singapore Police Force (“SPF”). 4. The Organisation’s investigations found no evidence that the integrity of its affected IT systems had been compromised or that any data had been exfiltrated from the systems at the time of the Incident, the Organisation had in place reasonable security arrangements that included the following: a. 
Password requirements in security policies, standards and guidelines were aligned to industry best practices; 1 Singtel stated that the threat actor could have also accessed the records of an additional 15 subscribers. b. Systems and network enhancements were continually implemented to improve the security of applications and IT infrastructure; c. Comprehensive and annual mandatory training was conducted for all staff in relation to the requirements under the PDPA; and d. Reasonable security measures were in place … | Not in Breach | 1020 | { "sum": 0, "max": 0 } |
58 | 6cfc0ce876c844201d91b78186f93c4a7afecdd3 | A financial penalty of $7,000 was imposed on Larsen & Toubro Infotech for failing to put in place reasonable security arrangements to prevent the unauthorised disclosure of personal data of job applicants, and for disclosing the personal data of job applicants without their consent. | [ "Protection", "Consent", "Financial Penalty", "Information and Communications", "Protection", "Consent", "Sample forms", "Email", "Recruitment" ] |
10 Jun 2021 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision--Larsen--Toubro-Infotech-Limited-Singapore-Branch-06052021.pdf | Protection, Consent | Breach of the Protection and Consent Obligation by Larsen & Toubro Infotech | https://www.pdpc.gov.sg/all-commissions-decisions/2021/06/breach-of-the-protection-and-consent-obligation-by-larsen-toubro-infotech | 2021-06-10 | PERSONAL DATA PROTECTION COMMISSION Case No. DP-2011-B7464 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Larsen & Toubro Infotech Limited, Singapore Branch SUMMARY OF THE DECISION 1. On 29 November 2020, the Personal Data Protection Commission (the “Commission”) received a complaint against Larsen & Toubro Infotech Limited, Singapore Branch (“LTI”) from an LTI job applicant. 2. On 25 November 2020, an LTI employee had emailed the complainant a set of sample forms which contained the personal data of a past job applicant. The LTI employee had sent the complainant those sample forms to assist him in filling up his own forms correctly. 3. Subsequently, on 3 December 2020, another LTI employee sent an email reminder to the complainant and 53 other job applicants to complete their application process. The email contained all of the job applicants’ respective names, with their email addresses placed in the “To” field and thus visible to all recipients. 4. Once notified of the complaint by the Commission, LTI undertook a review of its employees’ emails for the period from 2016 to 2020, and uncovered 73 other instances where past job applicants’ personal data had been disclosed to other job applicants. 5. In total, 13 past job applicants’ forms were disclosed by 10 of LTI’s employees to 74 other job applicants. The personal data disclosed in the forms comprised: a. Name; b. Signature; c. Email address; d. National Identification/ passport numbers; e. Date of Birth; f. Address; g. Contact number; h. 
Medical health status; i. Employment history; j. Salary information; and k. Criminal records disclosure. 6. The Deputy Commissioner for Personal Data Protection finds that LTI negligently contravened the Protection Obligation under section 24 of the Personal Data Protection Act 2012 by failing to provide adequate instructions to its employees dealing with recruitment matters on how to handle personal data. LTI also negligently contravened the Consent Obligation und… | Financial Penalty | 1020 | { "sum": 7000, "max": 7000 } |
59 | 3d89e03d0c5dc37d49f963c1bab29c4188c6cdb0 | A financial penalty of $25,000 was imposed on Webcada for breaches of the PDPA. First, the organisation failed to put in place reasonable measures to protect personal data on its database servers. Second, it did not have written policies and practices necessary to ensure its compliance with the PDPA. | [ "Protection", "Accountability", "Financial Penalty", "Information and Communications", "Ransomware", "IPMI", "Database servers", "No Written Policy" ] |
10 Jun 2021 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Webcada-Pte-Ltd-06052021.pdf | Protection, Accountability | Breach of the Protection and Accountability Obligation by Webcada | https://www.pdpc.gov.sg/all-commissions-decisions/2021/06/breach-of-the-protection-and-accountability-obligation-by-webcada | 2021-06-10 | PERSONAL DATA PROTECTION COMMISSION Case No. DP-2009-B6931 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Webcada Pte Ltd SUMMARY OF THE DECISION 1. On 4 September 2020, Webcada Pte Ltd (the “Organisation”) notified the Personal Data Protection Commission (the “Commission”) that three of its database servers had been subjected to a ransomware attack on 29 August 2020 (the “Incident”). 2. The personal data of 522,722 individuals were affected in the Incident. The datasets affected comprised of the individuals’ names, phone numbers, dates of birth, addresses and order histories. 3. Following the Incident, the Organisation engaged an independent third-party consultant to investigate, review and assist in the implementation of additional data protection measures. 4. Investigations revealed that the ransomware had been uploaded onto the affected servers via the Intelligent Platform Management Interface ("IPMI"). The IPMI is a set of computer interface specifications used for remote monitoring and management of servers. There was no evidence of data exfiltration, and all affected data was restored from available back-ups. 5. 
The Organisation took the following remedial measures after the Incident: (a) IPMI was permanently disabled for all servers; (b) The public IP address of all servers was removed and all remote management access to the servers was configured to allow only trusted IP addresses; (c) End-point protection software with threat hunting capabilities was installed on all servers and computers within the Organisation; and (d) A written data protection policy was developed and implemented to comply with the provisions of the Personal Data Protection Act 2012 (the "PDPA"). 6. In its representations to the PDPC, the Organisation admitted to having breached the Accountability Obligation under section 12 and the Protection Obligation under section 24 of the PDPA, and requested for the matter to be dealt with in accordance with the PDPC’s Expedited Decisi… | Financial Penalty | 1020 | { "sum": 25000, "max": 25000 } |
60 | bf113cfedd7993a2971058cfa7fd05922347b993 | A financial penalty of $35,000 was imposed on HMI Institute for failing to put in place reasonable security arrangements to protect personal data stored in its server. This resulted in the data being subjected to a ransomware attack. | [ "Protection", "Financial Penalty", "Education", "Ransomware", "Third Party Vendor", "Scope of Duties", "Open RDP Port", "Remote Desktop Protocol" ] |
10 Jun 2021 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---HMI-Institute-of-Health-Sciences---20052021.pdf | Protection | Breach of the Protection Obligation by HMI Institute of Health Sciences | https://www.pdpc.gov.sg/all-commissions-decisions/2021/06/breach-of-the-protection-obligation-by-hmi-institute-of-health-sciences | 2021-06-10 | PERSONAL DATA PROTECTION COMMISSION [2021] SGPDPC 4 Cases No DP-1912-B5434 / DP-1912-B5564 / DP-1912-B5558 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And HMI Institute of Health Sciences Pte. Ltd. … Organisation DECISION HMI Institute of Health Sciences Pte. Ltd. [2021] SGPDPC 4 Lew Chuen Hong, Commissioner — Cases No. DP-1912-B5434 / DP-1912-B5564 / DP-1912-B5558 20 May 2021 Introduction 1 On 4 December 2019, a file server (the “Server”) belonging to HMI Institute of Health Sciences Pte. Ltd. (the “Organisation”) was affected by a ransomware attack. The ransomware encrypted and denied access to various files on the Server, including files containing personal data of the Organisation’s staff and trainees (the “Incident”). 2 On 7 December 2019, the Organisation informed the Personal Data Protection Commission (“Commission”) of the Incident. The Commission subsequently received two separate complaints about the Incident. Background 3 The Organisation is a dedicated private provider of healthcare training to individuals (“Participants”) in Singapore. In the course of carrying out its business activities, the Organisation collects personal data from, among others, (i) its employees, including temporary and contract staff such as associate trainers, (“Employees”) for the purposes of managing or terminating such employment relationships, and (ii) the Participants, for the purposes of registration and the administration of their enrolment in the Organisation’s training courses. 
4 The Server affected by ransomware was set up in 2014 and was located in Singapore. It was owned by the Organisation but maintained by the Organisation’s appointed IT solution service provider (the “Vendor”). The Server stored personal data in Microsoft Word or Excel files, most but not all of which were password-protected. 5 The Server was protected by a firewall that blocked all connections to the Server, except for those through port 3389, a standard port which was used for… | Financial Penalty | 1020 | { "sum": 35000, "max": 35000 } |
61 | f57865a310f2804aa000c2fac58b59bea3e8c822 | A financial penalty of $8,000 was imposed on ST Logistics for failing to put in place reasonable security arrangements to prevent the unauthorised access of 2,400 MINDEF and SAF personnel's personal data. | [ "Protection", "Financial Penalty", "Transport and Storage", "Phishing", "Malware" ] |
10 Jun 2021 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---ST-Logistics-Pte-Ltd---26102020.pdf | Protection | Breach of the Protection Obligation by ST Logistics | https://www.pdpc.gov.sg/all-commissions-decisions/2021/06/breach-of-the-protection-obligation-by-st-logistics | 2021-06-10 | PERSONAL DATA PROTECTION COMMISSION [2020] SGPDPC 19 Case Nos. DP-1912-B5514 and DP-1912-B5559 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And ST Logistics Pte Ltd … Organisation DECISION ST Logistics Pte Ltd [2020] SGPDPC 19 Lew Chuen Hong, Commissioner — Case Nos. DP-1912-B5514 and DP-1912-B5559 26 October 2020 Introduction 1 Phishing attacks are increasingly prevalent and are one of the top cybersecurity threats faced by organisations1. In its latest report, the Cyber Security Agency of Singapore reported 47,500 cases of phishing in Singapore last year, almost triple the number of cases in 20182. This case is yet another example of an organisation falling victim to phishing. 2 On 16 December 2019, ST Logistics Pte Ltd (the “Organisation”) notified the Personal Data Protection Commission (the “Commission”) that the Organisation had detected an Emotet malware (“Emotet”) in their network which had infected 6 of its users’ laptops (including 4 laptops containing personal data), potentially affecting up to 4,000 individuals in the Ministry of 1 Phishing is a method employed by cyber criminals, often disguising themselves as legitimate individuals or reputable organisations, to fraudulently obtain personal data and other sensitive or confidential information. Once cyber criminals obtain an individual’s personal data, they may gain access to the individual’s online accounts and may impersonate the individual to scam persons known to the individual. 
See Cyber Security Agency of Singapore, Cyber Tip – Spot Signs of Phishing (25 February 2020) https://www.csa.gov.sg/gosafeonline/go-safe-forme/homeinternetusers/spot-signs-of-phishing. 2 See “Phishing attacks last year tripled from 2018”, The Straits Times, 27 June 2020. ST Logistics Pte Ltd [2020] SGPDPC 19 Defence (“MINDEF”) and Singapore Armed Forces (“SAF”) (the “Incident”). Subsequently, on 23 December 2019, the Commission received a complaint from an individual affected by the Incident. Facts of the … | Financial Penalty | 1020 | { "sum": 8000, "max": 8000 } |
62 | ad8214e170df0e128b0b9cfd598c856c48b2ce2e | A warning was issued to Greatearth Corporation for failing to obtain consent to disclose personal data of 8 crane operators on the external façade of a construction site. | [ "Consent", "Warning", "Construction", "Consent", "Ban list", "Acting in Course of Employment" ] |
12 May 2021 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Progressive-Builders-and-Greatearth-Corporation---16042021-(002).pdf | Consent | Breach of the Consent Obligation by Greatearth Corporation, No Breach of the PDPA by Progressive Builders | https://www.pdpc.gov.sg/all-commissions-decisions/2021/05/breach-of-the-consent-obligation-by-greatearth-corporation | 2021-05-12 | PERSONAL DATA PROTECTION COMMISSION [2021] SGPDPC 2 Case No. DP-1907-B4305 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And (1) Progressive Builders Private Limited (2) Greatearth Corporation Pte. Ltd. … Organisation DECISION 1 (1) Progressive Builders Private Limited; (2) Greatearth Corporation Pte. Ltd. [2021] SGPDPC 2 Yeong Zee Kin, Deputy Commissioner — Case No. DP-1907-B4305 16 April 2021 Introduction 1 This case involves a series of incidents that led to the unauthorised collection, use, and disclosure of the personal data of 8 individuals (the “Complainants”) by Greatearth Corporation Pte. Ltd. (“GCPL”). On 19 and 20 July 2019, the Personal Data Protection Commission (the “Commission”) received complaints from each of the Complainants alleging that their personal data had been disclosed by Progressive Builders Private Limited (“PBPL”) without their consent (the “Complaints”). The Commission commenced an investigation into the Complaints. Facts of the Case 2 The Complainants are tower crane operators engaged by Craneworks Pte Ltd (“the Subcontractor”) to operate tower cranes for the Subcontractor’s clients, including PBPL. PBPL is the main contractor for a housing project in Geylang (the “Geylang Project”) and is in charge of the Geylang Project worksite (the “Geylang Worksite”). PBPL had collected the Complainants’ personal data (including their full name, NRIC, contact number and photograph) when they were appointed as tower crane operators for the Geylang Project. 
The collection of their personal data was for the purposes of managing the Complainants’ roles as tower crane operators. The Subcontractor is a sub-contractor of PBPL for the Geylang Project. It supplies licensed crane operators to PBPL for the operation of tower cranes. 3 GCPL is also a company that is in the construction business. It is the main contractor for a housing project in Clementi (the “Clementi Project”) and is in charge of the Clementi Project worksite (“Clemen… | Warning | 1020 | { "sum": 0, "max": 0 } |
63 | 975ebb9a0e1c4c7f6c032bf0fe778f00c5d46a33 | A review application under section 28 (now known as section 48H(1)(a)) of the PDPA was conducted following a failed request by an individual to obtain his full unredacted internal evaluation report prepared by HSBC Bank (Singapore) Limited for the purpose of evaluating his credit card application. | [ "Finance and Insurance", "Access and Correction", "Evaluation", "Opinion Data" ] |
12 May 2021 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision--HSBC-Bank-Singapore-Limited--10032021.pdf | Outcome of a Review Application Involving an Individual and HSBC Bank | https://www.pdpc.gov.sg/all-commissions-decisions/2021/05/outcome-of-a-review-application-involving-an-individual-and-hsbc-bank | 2021-05-12 | PERSONAL DATA PROTECTION COMMISSION [2021] SGPDPC 3 Case No. DP-1810-B2892R In the matter of a review under section 48H(1)(a) of the Personal Data Protection Act 2012 and of the Personal Data Protection (Enforcement) Regulations 2021 Between [Redacted] … Applicant And HSBC Bank (Singapore) Limited … Respondent DECISION HSBC Bank (Singapore) Limited Yeong Zee Kin, Deputy Commissioner — Case No. DP-1810-B2892R 10 March 2021 Background 1 The Respondent, HSBC Bank (Singapore) Limited (“HSBC”), is a full-service bank in Singapore. HSBC’s personal banking offerings include credit card facilities to individuals, offered subject to a process of application and approval by the bank. Sometime in 2018, the Applicant applied to HSBC for a credit card, but was unsuccessful. Dissatisfied, he requested HSBC to provide him with a copy of the bank’s internal evaluation report prepared for the purpose of evaluating his credit card application (“the Report”). 2 In response to the Applicant’s request, HSBC furnished a copy of the Report but with some fields redacted (“the Redacted Data”). HSBC’s position was that they were not obliged to disclose the Redacted Data to the Applicant, as the Redacted Data constituted opinion data kept solely for an evaluative purpose, an exception to the Access Obligation under paragraph 1(a) of the Fifth Schedule (“the Evaluative Purpose Exception”). 3 The Applicant maintained that he was entitled to the full unredacted Report, and approached the Personal Data Protection Commission (the “Commission”) for assistance. The Commission attempted to facilitate an amicable resolution between the parties. 
When attempts to facilitate an amicable resolution were unsuccessful, the Commission informed the Applicant of his option to make a review application under the then section 28 of the PDPA (now, section 48H(1)(a) of the PDPA) (“the Review Application”). 4 The Applicant elected to take this option on 18 March 2020. As HSBC’s position on the Review Application was extensively set out in its pr… | 1020 | { "sum": 0, "max": 0 } |
64 | d6982844d4ff30b7cfe7dc299c0f7ecde531463f | A warning was issued to Flying Cape, a data intermediary, for failing to put in place reasonable security arrangements to protect the personal data of 191 users of a website. Flying Cape was managing the website on behalf of its client. | [ "Protection", "Warning", "Information and Communications", "Ransomware", "Data Intermediary", "Online Storage Bucket" ] |
15 Apr 2021 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Flying-Cape-Pte-Ltd---17032021.pdf | Protection | Breach of the Protection Obligation by Flying Cape | https://www.pdpc.gov.sg/all-commissions-decisions/2021/04/breach-of-the-protection-obligation-by-flying-cape | 2021-04-15 | PERSONAL DATA PROTECTION COMMISSION Case No. DP-2011-B7385 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And (1) Flying Cape Pte Ltd (2) ACCA Singapore Pte Ltd SUMMARY OF THE DECISION 1. Sometime between 25 September 2020 to 5 October 2020, the personal data of 191 users (the “Affected Individuals”) of www.accapdhub.com (the “Website”) was exfiltrated by an unauthorised party (the “Incident”).The exfiltrated personal data comprised of the names, email addresses and contact numbers of the Affected Individuals (“the Exfiltrated Data”). 2. The Website was owned by ACCA Singapore Pte Ltd (“ACCA”), but hosted, managed, and operated by Flying Cape Pte Ltd (“FCPL”) as ACCA’s data intermediary. FCPL notified the Personal Data Protection Commission (the “Commission”) of the Incident on 12 November 2020, after having received a ransom demand in respect of the Exfiltrated Data. 3. Sometime in early September 2020, as part of its management of the Website, FCPL extracted the personal data of the Affected Individuals from the database of the Website into an excel file. An FCPL employee who was assigned to work with the excel file failed to protect the file with a password or encrypt it as required by FCPL’s IT policy. Moreover, the employee incorrectly stored the excel file in a publicly accessible online storage bucket, as opposed to the correct, secured storage bucket. These lapses were believed to have led to the Incident. 4. Pursuant to section 53(1) of the PDPA, FCPL is liable for acts done by employees. 
The question therefore becomes whether FCPL had taken reasonable steps to prevent or detect mistakes such as the one made by the employee. The investigations did not surface any arrangements to supervise or verify its employees’ compliance with its internal policies or detect non-compliance. The Deputy Commissioner for Personal Data Protection therefore found that FCPL had breached the Protection Obligation under section 24 of the Personal Data Protection Act 20… | Warning | 1020 | { "sum": 0, "max": 0 } |
65 | 38ad31c658822fced0ba1341bb2a1c5de92c8e27 | A warning was issued to St. Joseph's Institution International for failing to put in place reasonable security arrangements to protect the personal data in its possession. The incident resulted in the personal data being at risk of unauthorised access. | [ "Protection", "Warning", "Education", "Google Chrome Extension", "Virus" ] |
15 Apr 2021 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision--St-Josephs-Institution-International-Ltd--12032021.pdf | Protection | Breach of the Protection Obligation by St. Joseph's Institution International | https://www.pdpc.gov.sg/all-commissions-decisions/2021/04/breach-of-the-protection-obligation-by-st-josephs-institution-international | 2021-04-15 | PERSONAL DATA PROTECTION COMMISSION Case No. DP-2010-B7196 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And St. Joseph’s Institution International Ltd. SUMMARY OF THE DECISION 1. On 16 October 2020, St Joseph’s Institution International Ltd. (the “Organisation”) informed the Personal Data Protection Commission that a file listing the personal data of 3155 parents and students (“the File”) was found on a website called VirusTotal (the “Incident”). 2. The Incident occurred on or around 13 October 2020 when a staff of the Organisation downloaded and deployed a Google Chrome browser extension developed by VirusTotal for additional security scanning. Unknown to the staff, apart from security scanning, the extension also forwarded scanned samples to premium members of VirusTotal (the “3rd Parties”) for security analysis and research. This use of samples was made known in VirusTotal’s privacy policy covering the use of the extension. 3. As a result of the Incident, the personal data of 3155 individuals including both parents and students were put at risk of unauthorised access. The personal data affected included the names of parents and students, parents’ email addresses, students’ date of birth, students’ classes, students’ year and grades. 4. Users of the VirusTotal Chrome extension would have to agree to VirusTotal’s Privacy Policy, which provides that once files are uploaded to the VirusTotal website for scanning, copies of these files will be kept by VirusTotal and shared with their subscribers for research purposes. 
The risk of such file sharing and in turn disclosure of personal data to 3rd Parties ought to have been known to the said staff of the Organisation, but was overlooked due to oversight. Such oversight could have been prevented if the Organisation had sufficiently robust processes for assessing such risks prior to deploying downloaded software, including Chrome Extensions. However, the Organisation lacked such processes. 5. Nevertheless, the Organisa… | Warning | 1020 | { "sum": 0, "max": 0 } |
66 | d11043d190d2422e2fe68b7e1d0684a5eb562633 | Chapel of Christ the Redeemer failed to put in place reasonable measures to protect its members' personal data. Further, it did not have written policies and practices necessary to comply with the PDPA. | [ "Accountability", "Protection", "Directions", "Others", "No Policy", "Access control", "Indexing" ] |
15 Apr 2021 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Chapel-of-Christ-the-Redeemer---290121.pdf | Accountability, Protection | Breach of the Protection and Accountability Obligations by Chapel of Christ the Redeemer | https://www.pdpc.gov.sg/all-commissions-decisions/2021/04/breach-of-the-protection-and-accountability-obligations-by-chapel-of-christ-the-redeemer | 2021-04-15 | PERSONAL DATA PROTECTION COMMISSION Case No. DP-2010-B7132 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Chapel of Christ the Redeemer SUMMARY OF THE DECISION 1. On 6 October 2020, Chapel of Christ the Redeemer (the “Organisation”) informed the Personal Data Protection Commission (the “Commission”) that a file (the “File”) containing personal data of 815 members’ name, NRIC, address, date of birth, marital status, email address, mobile and residential phone number was inadvertently disclosed online. 2. Investigations revealed that a staff had accidentally uploaded the File (which was supposed to be an internal document) onto the sub-directory on 24 November 2019. The Organisation only discovered the matter on 8 September 2020 when a member of the Organisation performed a Google search of another member’s name and found a Google search result of the File. 3. The Organisation admitted that there were no access controls to the sub-directory prior to the incident as the sub-directory was intended to be accessible to the public. As a result, the File was indexed by search engines and showed up in online search results. The Organisation also admitted that at the time of the incident, the Organisation had not developed any internal policies and practices to ensure compliance with the Personal Data Protection Act 2012 (the “PDPA”). In particular, there was no system of checks for the uploading of files on the Organisation’s website. 4. 
Fortuitously, it appeared that the access to the File was minimal – based on Google Analytics Report, save for the Organisation’s member who discovered the File on the internet on 8 September 2020, there was only one other access to the File on 9 December 2019, and the access only lasted for approximately 1 minute. 5. Following the incident, the Organisation disabled the search engine indexing to the subdirectory, password-protected all files with members’ data, and implemented a weekly check of all files uploaded onto the websi… | Directions | 1020 | { "sum": 0, "max": 0 } |
67 | b646fd3d700dda60ce9f5c4dd262f5ec9f28d133 | A financial penalty of $29,000 was imposed on Tripartite Alliance for failing to put in place reasonable security arrangements to prevent the unauthorised access of approximately 20,000 individuals’ and companies’ data stored in its customer relationship system database. | [ "Protection", "Financial Penalty", "Social Service", "Ransomware", "Scope of Duties", "Third Party Vendor" ] |
15 Apr 2021 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Tripartite-Alliance-Limited---16032021.pdf | Protection | Breach of the Protection Obligation by Tripartite Alliance | https://www.pdpc.gov.sg/all-commissions-decisions/2021/04/breach-of-the-protection-obligation-by-tripartite-alliance | 2021-04-15 | PERSONAL DATA PROTECTION COMMISSION Case No. DP-2003-B6000 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Tripartite Alliance Limited SUMMARY OF THE DECISION 1. On 3 March 2020, Tripartite Alliance Limited (the “Organisation”) notified the Personal Data Protection Commission (the “Commission”) that a server hosting its customer relationship management (“CRM”) system was infected with ransomware on or around 17 February 2020. 2. The Organisation subsequently requested for this matter to be handled under the Commission’s expedited breach decision procedure. In this regard, the Organisation voluntarily provided and unequivocally admitted to the facts set out in this decision. It also admitted that it was in breach of section 24 of the Personal Data Protection Act (the “PDPA”). The Incident 3. The Organisation is in the business of promoting fair and progressive employment practices, as well as providing mediation and advice in employment-related disputes. 4. The CRM system is a Software-as-a-Service (“SaaS”) solution provided by a software service provider engaged by the Organisation (the “Vendor”). The Organisation uses the CRM system to handle employment-related enquiries, feedback and complaints. 5. At the time of the incident, the CRM system contained approximately 12,000 individuals’ and 8,000 companies’ data (including information of the companies’ representatives). 
The types of data affected for each individual varied, but may include an individual’s name, identification number, contact number, email address, age, race, marital status, salary and compensation amount (if applicable). 6. On 17 February 2020, the CRM system was unavailable to users. The Vendor managed to restore the CRM system from a back-up copy within the next three hours. 7. Upon investigations, the Organisation determined that the CRM system suffered a ransomware attack. In particular, security logs obtained from the Vendor showed that hacking attempts were made on the data… | Financial Penalty | 1020 | { "sum": 29000, "max": 29000 } |
68 | 9cf2caa739eee79c8674f3b7c17659dee2263702 | Jigyasa was found in breach of the PDPA. First, Jigyasa failed to put in place reasonable measures to protect employee assessment reports on its website. Second, it did not appoint a data protection officer. Lastly, it did not have written policies and practices necessary to ensure its compliance with the PDPA. An application for reconsideration was filed against the decision in Re Jigyasa [2020] SGPDPC 9. Upon review and careful consideration of the application, directions in the decision were varied in the Reconsideration Decision and a financial penalty of $30,000 was imposed on Jigyasa. | [ "Accountability", "Protection", "Financial Penalty", "Professional", "Scientific and Technical", "No Policy", "No DPO", "Public access", "No pre-launch testing" ] |
11 Mar 2021 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Jigyasa---30032020.pdf | Accountability, Protection | Breach of the Protection and Accountability Obligations by Jigyasa | https://www.pdpc.gov.sg/all-commissions-decisions/2021/03/breach-of-the-protection-and-accountability-obligations-by-jigyasa | 2021-03-11 | PERSONAL DATA PROTECTION COMMISSION [2020] SGPDPC 9 Case No DP-1707-B0922 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Jigyasa (UEN: 52948595L) … Organisation DECISION Jigyasa [2020] SGPDPC 9 Tan Kiat How, Commissioner — Case No DP-1707-B0922 30 March 2020 Introduction 1 This case concerns the unauthorised disclosure of employee assessment reports, such as 360 Feedback Reports and evaluation reports (collectively, the “Reports”), on the website (“Website”) of Jigyasa (the “Organisation”), a human resource and management consultancy business. Material Facts 2 The Organisation is a business operated by a sole proprietor with one part-time employee. The Reports were generated based on survey results collected by the Organisation via its web application (the “Web Application”) and stored in a folder on the server which hosted the Web Application. Reports documented 360 degree feedback on employees of the Organisation’s clients, based on evaluation by their subordinates, supervisors and/or peers. The feedback included character qualities, for example whether they were considered fair, honest, reliable and trusted, demonstrated professional behaviour at all times or had good technical knowledge. Each of these character qualities was given an average rating on a scale of 1 to 10, with 9-10 being an exceptional strength and 1-2 being below expectations. These Reports comprehensively set out such information for each named individual employee of the Organisation’s clients. There is also a section which provides verbatim comments from respondents (e.g. 
“handle more complex responsibilities”, “slower support”). Some of the Reports also included individual employees’ qualities, such as leadership, integrity, decision-making, initiative, and professional disposition, ranked against their colleagues. 3 On 10 July 2017, the Personal Data Protection Commission (the “Commission”) received complaints from 3 individuals (the “Complainants”) alleging that w… | Financial Penalty | 1020 | { "sum": 90000, "max": 90000 } |
69 | 145edd327427e0770f476523541dbfc405ac4972 | A financial penalty of $9,000 was imposed on Iapps for failing to put in place reasonable security arrangements to prevent the unauthorised disclosure of personal data of some users of the ActiveSG mobile application. | [ "Protection", "Financial Penalty", "Information and Communications", "Code deployment", "Wrong Environment" ] |
11 Mar 2021 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Iapps-Pte-Ltd---10022021.pdf | Protection | Breach of the Protection Obligation by Iapps | https://www.pdpc.gov.sg/all-commissions-decisions/2021/03/breach-of-the-protection-obligation-by-iapps | 2021-03-11 | PERSONAL DATA PROTECTION COMMISSION [2021] SGPDPC 1 Case No DP-1903-B3441 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Iapps Pte Ltd. … Organisation DECISION Iapps Pte Ltd [2021] SGPDPC 1 Lew Chuen Hong, Commissioner — Case No DP-1903-B3441 10 February 2021 Introduction 1 On 1 March 2019, the Personal Data Protection Commission (the “Commission”) received a complaint from an individual (the “Complainant”) in relation to potential unauthorised disclosure of his personal data through the ActiveSG mobile application (the “ActiveSG App”). The Complainant’s concerns arose because he was able to view another individual’s personal data when he logged into his child’s supplementary account on the ActiveSG App (the “Incident”). Facts of the Case 2 ActiveSG is a national movement for sports coordinated by Sport Singapore,1 a statutory board of the Ministry of Culture, Community and Youth. Iapps Pte Ltd (the “Organisation”) is a financial technology company specialising in mobile application development and marketing. Sport Singapore engaged the Organisation to develop, deploy and operate the Super Sports Club Membership Management System (“SSCMMS”). The functions of SSCMMS included membership registration, and the ActiveSG App was a component of the SSCMMS. 1 Sport Singapore was formerly known as Singapore Sports Council. Members of ActiveSG could use the ActiveSG App to book sport facilities, register for fitness classes and purchase entry passes to ActiveSG sport centres. 3 Sport Singapore is the owner of the SSCMMS and ActiveSG App. 
Pursuant to the written contract between the Organisation and Sport Singapore, the Organisation’s scope of work included providing and operating the production server for the ActiveSG app. The Organisation also developed, deployed and operated the SSCMMS (including the ActiveSG App). 4 On 1 March 2019, the Organisation’s engineer developed a security code fix for the ActiveSG App. The securi… | Financial Penalty | 1020 | { "sum": 20000, "max": 11000 } |
70 | 23aacc7ee662ff2874fba89bfb10d27f872f762c | A financial penalty of $5,000 was imposed on BLS International Services Singapore for failing to put in place reasonable security arrangements to prevent the unauthorised disclosure of the personal data of individuals who had submitted a booking for an appointment on its website. | [ "Protection", "Financial Penalty", "Information and Communications", "Inadequate scoping of testing", "URL manipulation" ] |
14 Jan 2021 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---BLS-International-Services-Singapore-Pte,-d-,-Ltd,-d-,-30112020-(003).pdf | Protection | Breach of the Protection Obligation by BLS International Services Singapore | https://www.pdpc.gov.sg/all-commissions-decisions/2021/01/breach-of-the-protection-obligation-by-bls-international-services-singapore | 2021-01-14 | PERSONAL DATA PROTECTION COMMISSION Case No. DP-2007-B6563 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And BLS International Services Singapore Pte. Ltd. SUMMARY OF THE DECISION 1. BLS International Services Singapore Pte. Ltd. (the “Organisation”) provides government-to-citizen services for the High Commission of India in Singapore, such as visa and consular services. 2. On 7 July 2020, the Personal Data Protection Commission (the “Commission”) received information that the URLs of the printable version of appointment booking confirmation webpages could be manipulated to access other individuals’ personal data (the “Incident”). The personal data comprised the individual’s name, passport number, contact number, email address, type of service request, booking date/time, appointment date/time, and number of booking applications. 3. The Organisation subsequently requested for this matter to be handled under the Commission’s expedited breach decision procedure. In this regard, the Organisation voluntarily provided and unequivocally admitted to the facts set out in this decision. It also admitted that it was in breach of section 24 of the Personal Data Protection Act (the “PDPA”). 4. Investigations revealed that on 8 June 2020, which was about a month prior to the Incident, the Organisation had implemented a new booking system for the High Commission of India. 
Under this new booking system, users who submitted a booking for an appointment at the High Commission of India would be provided with an URL, which led to a printable version of the booking confirmation. In designing the booking system, the Organisation had intended for the URLs to be encrypted. This would have made it more difficult for people to manipulate the URL. However, the encryption was not done properly due to a coding error. Although the Organisation had conducted some testing on the new booking system, the testing was not extensive enough to detect the error. 5. Upon realising the occurrence o… | Financial Penalty | 1020 | { "sum": 5000, "max": 5000 } |
71 | 42bcd4e931081b38863323f11f5d06ccb23dd661 | A financial penalty of $9,000 was imposed on The Future of Cooking for failing to put in place reasonable security arrangements to prevent the unauthorised disclosure of its customers’ personal data on its website. | [ "Protection", "Financial Penalty", "Wholesale and Retail Trade", "Data Intermediary", "Protection", "Security" ] |
14 Jan 2021 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---The-Future-of-Cooking-Pte-Ltd-20112020-(003).pdf | Protection | Breach of the Protection Obligation by The Future of Cooking | https://www.pdpc.gov.sg/all-commissions-decisions/2021/01/breach-of-the-protection-obligation-by-the-future-of-cooking | 2021-01-14 | PERSONAL DATA PROTECTION COMMISSION Case No. DP-2001-B5620 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And The Future of Cooking Pte. Ltd. SUMMARY OF THE DECISION 1. The Future of Cooking Pte. Ltd. (the “TFC”) operates an e-commerce website at https://www.thermomix.com.sg (the “Website”), retailing kitchen appliances and accessories. 2. On 3 January 2020, the Personal Data Protection Commission (the “Commission”) received a complaint that a text file (the “File”) containing personal data was accessible via the URL: https://thermomix.com.sg/wp-content/uploads/2019/10/woocommerce-orderexport-1.csv-1.txt. (the “Incident”). 3. The File contained the personal data of 178 unique individuals who had purchased items from the Website. The File was accessible via the URL from 1 October 2019 until 6 January 2020. It contained the following types of personal data (the “Personal Data”): a. Name; b. Email Address; c. Billing Address; d. Shipping Address; e. Customer Notes (e.g. delivery instructions); f. Order information (such as payment status, mode of payment, and transaction ID); g. Product ID of items; h. Quantity of items ordered; and i. Telephone number. The Commission’s Findings No breach by Hachi as a Data Intermediary 4. TFC had engaged Hachi Web Solutions Pte. Ltd. (“Hachi”) to re-design the Website and also perform data backup and migration. Insofar as the data backup and migration activities are concerned, Hachi was TFC’s data intermediary. The cause of the breach, however, did not relate to the data processing activities but to the Website re-design. 
Therefore, Hachi was not in breach of the Protection Obligation under section 24 of the Personal Data Protection Act 2012 (the “PDPA”) by virtue of its role as a data intermediary. TFC in breach of the Protection Obligation 5. The cause of the data breach may be traced to a WordPress plugin (the “Plugin”) which was installed on the Website. The Plugin contained a bug which caused the File to be generated and u… | Financial Penalty | 1020 | { "sum": 9000, "max": 9000 } |
72 | aeaf91b96eb3a5722d38db9cad07c3db7da0ea69 | Singapore Technologies Engineering was found not in breach of the PDPA in relation to the transfer of the personal data of its Singapore-based employees to its subsidiaries based in United States. | [ "Transfer Limitation", "Not in Breach", "Manufacturing", "Ransomware" ] |
14 Jan 2021 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision----ST-Engineering-Ltd---16112020.pdf | Transfer Limitation | No Breach of the Transfer Limitation Obligation by Singapore Technologies Engineering | https://www.pdpc.gov.sg/all-commissions-decisions/2021/01/no-breach-of-the-transfer-limitation-obligation-by-singapore-technologies-engineering | 2021-01-14 | PERSONAL DATA PROTECTION COMMISSION [2020] SGPDPC 21 Case No. DP-2006-B6426 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Singapore Technologies Engineering Limited … Organisation DECISION Singapore Technologies Engineering Limited [2020] SGPDPC 21 Yeong Zee Kin, Deputy Commissioner — Case No. DP-2006-B6426 16 November 2020 Introduction 1 On 10 June 2020, Singapore Technologies Engineering Limited (the “Organisation”) notified the Personal Data Protection Commission (the “Commission”) that its subsidiary based in the United States of America (“USA”), VT San Antonio Aerospace Inc. (“VT SAA”), had discovered a cybersecurity incident where threat actors gained unauthorised access to VT SAA’s US-based IT network and deployed a ransomware attack (the “Incident”). Facts of the Case 2 The Organisation is a Singapore incorporated company with a network of subsidiaries in Asia, Europe, USA and the Middle East. The ransomware attack was isolated to a limited part of VT SAA’s network, but also affected a few of the Organisation’s subsidiaries based in the USA that were using IT shared services provided by VT SAA. The Organisation’s IT network in Singapore was not compromised during the Incident. 
However, the following types of personal data belonging to 287 individuals in Singapore (“Affected Individuals”) were potentially exposed to the risk of unauthorised access (collectively, the “Personal Data Sets”)1: (a) Name; (b) Address; (c) Email address; (d) Telephone number; (e) NRIC number and date of issue; (f) Passport details; (g) Photograph; (h) Date of birth; (i) Citizenship; (j) Country of residence; (k) Place of birth; (l) USA Social Security number; (m) USA visa information; (n) Details regarding government or military service, where applicable; (o) CV information; (p) Foreign identification numbers; … | Not in Breach | 1020 | { "sum": 0, "max": 0 } |
73 | 1f5d87178271813e058c25230ad61dd756757951 | A warning was issued to Water + Plants Lab for failing to put in place reasonable security arrangements to protect the personal data of its employees. The incident resulted in the personal data being subjected to a ransomware attack. | [ "Protection", "Warning", "Scientific and Technical", "Ransomware", "No Security Arrangements", "No Patching" ] |
18 Dec 2020 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision--Water--Plants-Lab-Pte-Ltd--181120.pdf | Protection | Breach of the Protection Obligation by Water + Plants Lab | https://www.pdpc.gov.sg/all-commissions-decisions/2020/12/breach-of-the-protection-obligation-by-water--plants-lab | 2020-12-18 | PERSONAL DATA PROTECTION COMMISSION Case No. DP-2004-B6182 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Water + Plants Lab Pte. Ltd. SUMMARY OF THE DECISION 1. On 9 April 2020, Water + Plants Lab Pte. Ltd. (the “Organisation”) informed the Personal Data Protection Commission of a ransomware infection that rendered the Organisation’s server (the “Server”) inaccessible to the Organisation (the “Incident”). 2. The Incident occurred on or around 30 March 2020. Personal data of 28 employees were encrypted by the ransomware. The personal data affected included the employees’ name, NRIC/FIN/Work Permit number, address, date of birth, mobile number and photograph. 3. Investigations revealed that an employee from the Organisation had downloaded and opened an email attachment that contained ransomware. At the time of the Incident, the Organisation had some security measures in place, for example, it had anti-virus protection, and access rights and password control for the Server. It also had a good practice of performing regular backup of its Server, and most of the data was successfully restored from an external backup. The Organisation therefore suffered minimal data loss as a result of the Incident. 4. However, as admitted by the Organisation, it had not carried out any patching and security scanning of the Server in the 12 months preceding the Incident. Patching and regular security scanning are important security measures to prevent vulnerabilities in an organisation’s ICT systems which a hacker may exploit in compromising personal data. 
For this reason, the Deputy Commissioner for Personal Data Protection found that the Organisation had failed to protect the personal data in its possession or under its control, in breach of section 24 of the Personal Data Protection Act 2012. 5. Following the Incident, the Organisation installed a firewall with greater capabilities to protect the Organisation against external threats, for example, possessing deeper c… | Warning | 1020 | { "sum": 0, "max": 0 } |
74 | ba111f2801e651899c15f7fc2ec1eaccffc98504 | A warning was issued to R.I.S.E Aerospace for failing to put in place reasonable security arrangements to protect the personal data of its employees from unauthorised disclosure. The incident resulted in the personal data being subjected to a ransomware attack. | [ "Protection", "Warning", "Manufacturing", "Ransomware", "No Security Arrangements", "IT security policies" ] |
18 Dec 2020 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---RISE-Aerospace-Pte-Ltd---131120.pdf | Protection | Breach of the Protection Obligation by R.I.S.E Aerospace | https://www.pdpc.gov.sg/all-commissions-decisions/2020/12/breach-of-the-protection-obligation-by-rise-aerospace | 2020-12-18 | PERSONAL DATA PROTECTION COMMISSION Case No. DP-2007-B6832 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And R.I.S.E Aerospace Pte. Ltd. SUMMARY OF THE DECISION 1. On 25 August 2020, R.I.S.E Aerospace Pte Ltd (the “Organisation”) notified the Personal Data Protection Commission (the “Commission”) of a ransomware infection that had rendered its network storage server inaccessible to the Organisation (the “Incident”). 2. The Incident occurred on or about 23 August 2020. Personal data of 21 employees were encrypted by the ransomware. The personal data encrypted included the name, address, contact number, NRIC number, Work Permit details, passport details, redacted bank account numbers, and child’s date of birth. 3. Investigations revealed that the Organisation had not implemented adequate technical security arrangements to protect the personal data in its possession or control, in particular, the Organisation did not carry out any security scans or perform updates to the server firmware despite being prompted to do so by the device manufacturer. In addition, the Organisation did not put in place any documented form of IT Security policies such as its password policy, policies for patching and updating of the company server etc. These failings had resulted in a system that had vulnerabilities which a hacker could exploit by injecting ransomware into the server. 4. Following the Incident, the Organisation had since discontinued the use of its network storage server and opted for cloud storage instead. 
Additionally, the Organisation also decided to encrypt all its sensitive data and only store them on offline devices. 5. In the circumstances, the Deputy Commissioner for Personal Data Protection finds the Organisation in breach of the Protection Obligation under section 24 of the Personal Data Protection Act 2012 (the “PDPA”) and took into account the following factors in deciding to issue a Warning to the Organisation. a. The low number of affected indivi… | Warning | 1020 | { "sum": 0, "max": 0 } |
75 | 68320b9161ff64b8a6a5a30b69f4a1aae5bd7f78 | A financial penalty of $8,000 was imposed on Hello Travel for failing to put in place reasonable security arrangements to protect the personal data of its members from unauthorised disclosure. | [ "Protection", "Financial Penalty", "Information and Communications", "Expedited", "Exploitation", "Vulnerability" ] |
18 Dec 2020 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Hello-Travel-Pte-Ltd---301020.pdf | Protection | Breach of Protection Obligation by Hello Travel | https://www.pdpc.gov.sg/all-commissions-decisions/2020/12/breach-of-protection-obligation-by-hello-travel | 2020-12-18 | PERSONAL DATA PROTECTION COMMISSION Case No. DP-2004-B6189 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Hello Travel Pte. Ltd. SUMMARY OF THE DECISION 1. On 8 April 2020, the Personal Data Protection Commission (the “Commission”) received information that a database belonging to Hello Travel Pte Ltd (the “Organisation”) was posted on an internet forum and was thus made publicly available (the “Incident”). 2. The Organisation subsequently requested for this matter to be handled under the Commission’s expedited breach decision procedure. In this regard, the Organisation voluntarily provided and unequivocally admitted to the facts set out in this decision. It also admitted that it was in breach of section 24 of the Personal Data Protection Act (the “PDPA”). 3. The compromised database contained the personal data of approximately 71,002 users who had created accounts at the Organisation’s website (www.havehalalwilltravel.com) from February 2015 to July 2018. The disclosed personal data included their name, email address, date of birth, nationality and phone number. The table below summarises the number of affected individuals for each corresponding type of personal data disclosed (S/N, Type of Personal Data, Number of Individuals Affected): 1, Name, 71,002; 2, Email Address, 57,693; 3, Phone Number, 453; 4, Date of Birth, 946; 5, Nationality, 20,754. 4. The Organisation’s internal investigations pointed to a possible hack as the cause of the Incident. 
Sometime in 2018, the server instance which hosted the Organisation’s website and the database became corrupted and unusable after the installation of a free open source WordPress plugin. The Organisation believed that unknown parties could have exploited vulnerabilities of the installed plugin at that time and exfiltrated the database. 5. The Organisation admitted that it did not give due attention to personal data protection and had neglected to put in place basic procedural and technical security a… | Financial Penalty | 1020 | { "sum": 8000, "max": 8000 } |
76 | 287853f282957f48d6f1686c4b9a4be073110445 | Directions were imposed on Everlast Projects, Everlast Industries (S) and ELG Specialist for breaches of the PDPA. First, the organisations failed to put in place reasonable measures to protect their employees’ personal data. Second, they did not have written policies and practices necessary to ensure its compliance with the PDPA. | [ "Accountability", "Protection", "Directions", "Construction", "No Policy", "Ransomware" ] |
18 Dec 2020 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Everlast-Projects-and-Others---301020.pdf | Accountability, Protection | Breach of the Accountability and Protection Obligations by Everlast Projects, Everlast Industries (S) and ELG Specialist | https://www.pdpc.gov.sg/all-commissions-decisions/2020/12/breach-of-the-accountability-and-protection-obligations-by-everlast-projects | 2020-12-18 | PERSONAL DATA PROTECTION COMMISSION [2020] SGPDPC 20 Case No. DP-1908-B4369 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And (1) Everlast Projects Pte Ltd (2) Everlast Industries (S) Pte Ltd (3) ELG Specialist Pte Ltd … Organisations DECISION Everlast Projects Pte Ltd & Others [2020] SGPDPC 20 Yeong Zee Kin, Deputy Commissioner — Case No. DP-1908-B4369 30 October 2020 Introduction 1 On 29 September 2019, Everlast Projects Pte Ltd (“EPPL”) notified the Personal Data Protection Commission (“Commission”) that its server (“Server”) had been hacked and all the files within it were encrypted by ransomware sometime in August 2019 (the “Incident”). Facts of the Case 2 EPPL, Everlast Industries (S) Pte Ltd (“EIPL”) and ELG Specialist Pte Ltd (“ESPL”) (collectively, the “Organisations”) specialise in the supply and installation of architectural metal works, glass and aluminium products. The Organisations are owned by the same shareholder, managed by the same directors, and operate from common premises. Two of the Organisations also have a common name, “Everlast”. The Organisations operated like a group of companies and centralised their payroll processing, such that the human resources (“HR”) department of EPPL was in charge of processing payrolls of not only its own employees, but also the employees of EIPL and ESPL. The Organisations’ employees’ personal data were stored in the Server, which was owned and maintained by EPPL. 
3 On 10 August 2019, EPPL discovered the Incident. EPPL had both an onsite physical backup and a secondary cloud backup of the contents of the Server. The physical backup was affected by the ransomware and rendered unusable. A total of 384 individuals were affected by the Incident (the “Affected Employees”): 2 Everlast Projects Pte Ltd & Others [2020] SGPDPC 20 Name of Organisation Number of employees affected EPPL 141 EIPL 239 ESPL 4 Total number of individuals 384 4 T… | Directions | 1020 | { "sum": 0, "max": 0 } |
77 | 174141b579c45e8bebae3cb5bb63bd4451afb1c6 | A financial penalty of $4,000 was imposed on Novelship for failing to put in place reasonable security arrangements to protect the personal data collected from its sellers from unauthorised access on its website. | [ "Protection", "Financial Penalty", "Wholesale and Retail Trade", "Public access", "URL manipulation", "No Security Arrangements" ] | 24 Nov 2020 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Novelship-Pte-Ltd---22072020.pdf | Protection | Breach of the Protection Obligation by Novelship | https://www.pdpc.gov.sg/all-commissions-decisions/2020/11/breach-of-the-protection-obligation-by-novelship | 2020-11-24 | PERSONAL DATA PROTECTION COMMISSION Case No. DP-1905-B3820 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Novelship Pte. Ltd. SUMMARY OF THE DECISION 1. Novelship Pte. Ltd. (the “Organisation”) operates an e-commerce website for individuals to sell or buy luxury brands of streetwear (the “Website”). To create a buyer or seller account on the Website, individuals would have to provide their personal data to the Organisation. The Organisation does not, in usual course, reveal the personal data it had collected to any buyer or seller transacting on the Website. Instead, the Organisation, together with an external payment processor, facilitates transaction payments on behalf of the parties. 2. On 1 May 2019, the Personal Data Protection Commission (the “Commission”) received information that a registered seller (“User”) was able to gain unauthorised access to the personal data of other sellers by employing software tools and manipulating the public URLs of active listings (“the “Incident”). 3. The User had accessed the personal data of six unique sellers who had active listings at the time of the Incident. The personal data concerned included: (i) first and last names; (ii) email addresses; (iii) shipping addresses; (iv) hashed account passwords; and (v) the name of bank and bank account numbers (“Personal Data Sets”). No buyer data was accessed in the Incident. 4. Investigations revealed that the Organisation had not conducted adequate security testing before the launch of the Website. The testing it had conducted was limited to design and functionality issues, such as verifying the password hashing and password requirement functions. Critically, the Organisation should have—but had not—conducted vulnerability scanning. Vulnerability scanning that is reasonably and competently conducted should include scanning for OWASP Top Ten, i.e. the top 10 security vulnerabilities listed by the Open Web Application Security Project (“OWASP”). The vulnerability of URLs … | Financial Penalty | 1020 | { "sum": 4000, "max": 4000 } |
78 | e3cc509b8373a998663ad9d2f61a4b449ec04219 | A financial penalty of $5,000 was imposed on Worksmartly for breaches of the PDPA. First, the Organisation failed to put in place reasonable security arrangements to protect the personal data of its client’s employees. Second, it was also found to be retaining personal data which was no longer necessary for legal or business purposes. | [ "Protection", "Retention Limitation", "Financial Penalty", "Admin and Support Services", "Database", "Public access", "Retention" ] | 24 Nov 2020 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision----Worksmartly-Pte-Ltd---17092020.pdf | Protection, Retention Limitation | Breach of the Protection and Retention Limitation Obligations by Worksmartly | https://www.pdpc.gov.sg/all-commissions-decisions/2020/11/breach-of-the-protection-and-retention-limitation-obligations-by-worksmartly | 2020-11-24 | PERSONAL DATA PROTECTION COMMISSION Case No. DP-2004-B6162 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Worksmartly Pte. Ltd. SUMMARY OF THE DECISION 1. On 2 April 2020, Roche Singapore Pte Ltd (“Roche”) informed the Personal Data Protection Commission (the “Commission”) of a data security incident involving its former vendor, Worksmartly Pte. Ltd. (the “Organisation”). Roche had detected an unauthorised disclosure of their employees’ data on GitHub repository (“GitHub”) on 3 March 2020 (the “Incident”). 2. The Organisation subsequently requested for this matter to be handled under the Commission’s expedited decision procedure. In this regard, the Organisation voluntarily provided and unequivocally admitted to the facts set out in this decision. It also admitted that it was in breach of sections 24 and 25 of the Personal Data Protection Act (the “PDPA”). Background 3. The Organisation was engaged by Roche in 2017 to provide finance and payroll processing services. In order for the Organisation to provide the said services, Roche handed over its employees’ personal data to the Organisation. The contract between the parties was subsequently terminated, and the Organisation’s last day of service was 31 December 2018. The Incident 4. On or around 28 February 2020, one of the Organisation’s employees uploaded a file on the Organisation’s GitHub account (the “File”). When doing so, the employee changed the setting of the GitHub account from “private” to “public” under the mistaken belief that the File would only be accessible to other members of the Organisation. In fact, the change in setting had resulted in the File being accessible to the public. 5. The File contained the personal data of 308 individuals, which comprised Roche’s current and former employees (the “Employees”), and their dependents (the “Dependents”). The personal data included: a. For the Employees: name, NRIC/FIN/Passport number, address, date of birth, race, citizenship, employee I… | Financial Penalty | 1020 | { "sum": 5000, "max": 5000 } |
79 | 85e393c7a40dd74c990b9da33684eb6376e5abe1 | A financial penalty of $20,000 was imposed on Times Software, a data intermediary, for: (i) failing to make reasonable security arrangements to prevent the unauthorised disclosure of personal data belonging to the employees of its clients; and (ii) retaining personal data which was no longer necessary for legal or business purposes. Separately, Dentons and TMF were each issued a warning for failing to put in place reasonable security arrangements with Times Software to prevent unauthorised disclosure of the personal data belonging to their employees. | [ "Protection", "Retention Limitation", "Financial Penalty", "Legal", "Data Intermediary", "Functionality", "Software" ] | 24 Nov 2020 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Times-and-Others---18062020.pdf | Protection, Retention Limitation | Breach of the Protection and Retention Limitation Obligations by Times Software, Breach of the Protection Obligation by Dentons and TMF | https://www.pdpc.gov.sg/all-commissions-decisions/2020/11/breach-of-the-protection-and-retention-limitation-obligations-by-times-software-breach-of-the-protection-obligation-by-dentons-and-tmf | 2020-11-24 | PERSONAL DATA PROTECTION COMMISSION [2020] SGPDPC 18 Case Nos.: DP-1802-B1719, DP-1802-B1744, DP-1803-B1834, DP-1804-B1942, DP-1804-B1943 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And (1) Times Software Pte Ltd (2) Dentons Rodyk & Davidson LLP (3) Liberty Specialty Markets Singapore Pte Limited (4) Red Hat Asia Pacific Pte Ltd (5) TMF Singapore H Pte Ltd … Organisations DECISION Times Software Pte Ltd & Ors [2020] SGPDPC 18 Tan Kiat How, Commissioner — Case Nos. DP-1802-B1719, DP-1802-B1744, DP1803-B1834, DP-1804-B1942, DP-1804-B1943 18 June 2020 Introduction 1 Times Software Pte Ltd (“Times”) is an information technology services vendor that provides various services to its clients. Between January and February 2018, three organisations which directly or indirectly used Times’ services became aware that the personal data of some their current and former employees (the “Employee Data”) had been exposed online from Times’ servers and could be found using the Google search engine (the “Incident”). These three organisations were Dentons Rodyk & Davidson LLP (“Dentons”), Red Hat Asia Pacific Pte Ltd (“Red Hat”) and Liberty Specialty Markets Singapore Pte Limited (“LIU”). Each of these organisations submitted a data breach notification to the Personal Data Protection Commission (the “Commission”) after the Incident. The Facts The Relationship between the Parties and how Times had obtained the Employee Data 2 Dentons had, since 2001, engaged Times to use a payroll software application developed by Times (the “Payroll Software”). The Payroll Software was hosted internally on Dentons’ servers. In or around November 2015, Dentons commissioned the development of a new functionality of the Payroll Software which would enable 1 Times Software Pte Ltd & Ors 2020 SGPDPC [18] Dentons to create customised employee reports. Dentons provided their Employee Data to Times to test this functionality. 3 In December 2015 and February 2016, Red Hat and LIU respective… | Financial Penalty | 1020 | { "sum": 20000, "max": 20000 } |
80 | f2d23cdd6240945ddbc8bc0179e23d832bc9bce3 | A financial penalty of $120,000 was imposed on Secur Solutions Group for failing to put in place reasonable security arrangements to protect a database containing the personal data of blood donors from being publicly accessible online. | [ "Protection", "Financial Penalty", "Professional", "Scientific and Technical", "Database", "Gaps", "Public access" ] | 24 Nov 2020 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Secur-Solutions-Group-Pte-Ltd---30032020.pdf | Protection | Breach of the Protection Obligation by Secur Solutions Group | https://www.pdpc.gov.sg/all-commissions-decisions/2020/11/breach-of-the-protection-obligation-by-secur-solutions-group | 2020-11-24 | PERSONAL DATA PROTECTION COMMISSION [2020] SGPDPC 8 Case No DP-1903-B3501 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Secur Solutions Group Pte Ltd … Organisation DECISION Secur Solutions Group Pte Ltd [2020] SGPDPC 8 Secur Solutions Group Pte Ltd [2020] SGPDPC 8 Tan Kiat How, Commissioner — Case No DP-1903-B3501 30 March 2020 Introduction 1 This case relates to an incident where one of Secur Solutions Group Pte Ltd’s (the “Organisation”) servers, which stored a database (the “Database”) containing personal data of blood donors, was discovered to be accessible from the internet (the “Incident”). 2 The Personal Data Protection Commission (the “Commission”) received a formal request from the Organisation requesting for this matter to be handled under the Commission’s Expedited Breach Decision procedure. In this regard, the Organisation voluntarily provided and unequivocally admitted to the facts as set out in this Decision and that it was in breach of section 24 of the Personal Data Protection Act (the “PDPA”). 2 Secur Solutions Group Pte Ltd [2020] SGPDPC 8 Facts of the Case 3 The Organisation has been engaged by the Health Sciences Authority (“HSA”) since 2013 to develop and maintain various IT systems. One of the projects for which the Organisation was engaged was the development, maintenance and enhancement of its queue management system (“ QMS”) for blood donors (the “QMS Engagement”). Pursuant to the QMS Engagement, HSA provided the Organisation with files containing copies (in part or otherwise) of the Database (“Files”) for the purposes of testing and developing the QMS. HSA would also provide the Organisation with copies or updates of the Database (“Updates”) from time to time during the period of the QMS Engagement (hereinafter, the use of the phrase “Files” will include “Updates”, unless the context specifies otherwise). 4 The Organisation stored the Files in a storage server that was designated for the purposes of testing a… | Financial Penalty | 1020 | { "sum": 120000, "max": 120000 } |
81 | 0865fec6bd2ed94c47049e5c227e0a51dd805dfa | Directions, including a financial penalty of $7,500 were imposed on Majestic Debt Recovery for failing to obtain consent from its debtors to record the debt collection process. Majestic Debt Recovery also did not obtain consent to upload the recordings onto its Facebook Page. Additionally, Majestic Debt Recovery did not have written policies and practices necessary to ensure its compliance with the PDPA. | [ "Protection", "Accountability", "Directions", "Financial Penalty", "Others", "Consent", "No DPO", "No Policy" ] | 24 Nov 2020 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Majestic-Debt-Recovery---02032020.pdf | Protection, Accountability | Breach of the Consent and Accountability Obligations by Majestic Debt Recovery | https://www.pdpc.gov.sg/all-commissions-decisions/2020/11/breach-of-the-consent-and-accountability-obligations-by-majestic-debt-recovery | 2020-11-24 | PERSONAL DATA PROTECTION COMMISSION [2020] SGPDPC 7 Case No DP-1903-B3570 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Majestic Debt Recovery Pte Ltd … Organisation DECISION 1 Majestic Debt Recovery Pte Ltd [2020] SGPDPC 7 Yeong Zee Kin, Deputy Commissioner — Case No DP-1903-B3570 2 March 2020 Introduction 1 This case concerns a debt collection company’s posting of a video recording on social media as a tactic to shame a debtor. The recordings in question captured exchanges between the company’s representative and staff of the debtor company. Facts of the Case 2 Majestic Debt Recovery Pte Ltd (the “Organisation”) is a company in the business of collecting debts on the behalf of its clients. On 22 March 2019, the Personal Data Protection Commission (the “Commission”) received a complaint from the managing director (the “Complainant”) of a debtor company (the “Company”) stating that the Organisation had been engaged by the Company’s sub-contractor to recover debts from the Company. The Complainant stated that on or around 21 March 2019, the Organisation’s representatives (the “Representatives”) visited the Company’s premises to collect a debt on behalf of its client (the “Incident”). Not surprisingly, heated words were exchanged with the Company’s personnel when the Representatives attempted to recover the debt. The Representatives recorded video footage of the exchanges with the Company’s personnel, including the Complainant (the “Recording”), on a tablet device. The Complainant and the Company’s personnel could be identified from the images and audio captured by the Recording. According to the Complainant, he “protested against the taking of [the Recording and] posting it [on] social media but [the Representative] said he would do it”. The Representatives nonetheless took the Recording and subsequently posted it on the Organisation’s official public Facebook page (its “Facebook Page”). 2 3 During its investigation, the Commission found other… | Directions, Financial Penalty | 1020 | { "sum": 7500, "max": 7500 } |
82 | 9142eb214cc89b31afa254896e3029cbada0e2ce | Directions were issued to Security Masters for failing to put in place reasonable security arrangements to prevent the unauthorised access of building visitors’ mobile numbers. A security personnel contacted the visitors to request return of visitor passes and send them Chinese New Year greetings. | [ "Protection", "Directions", "Others", "Text messages", "Mobile numbers", "Protection" ] | 16 Oct 2020 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Security-Masters-Pte-Ltd---21072020.pdf | Protection | Breach of the Protection Obligation by Security Masters | https://www.pdpc.gov.sg/all-commissions-decisions/2020/10/breach-of-the-protection-obligation-by-security-masters | 2020-10-16 | PERSONAL DATA PROTECTION COMMISSION Case No. DP-2002- B5875 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Security Masters Pte Ltd SUMMARY OF THE DECISION 1. On 17 February 2020, Security Masters Pte Ltd (the “Organisation”) notified the Personal Data Protection Commission (the “Commission”) that a security employee had used the mobile phone numbers of eight building visitors to contact them to request their return of visitor passes and send them Chinese New Year greetings. 2. Investigation found that the Organisation did not put in place any standard operating procedure or guidelines for the retrieval and use of visitors’ personal data prior to the incident. This gap in security arrangements allowed the incident to occur. 3. The Deputy Commissioner for Personal Data Protection therefore found that the Organisation did not adopt reasonable steps to protect personal data in its possession or under its control against risk of unauthorised access. The Organisation was in breach of the Protection Obligation under section 24 of the Personal Data Protection Act 2012. 4. Following the incident, the Organisation restricted access to personal data to senior personnel and required all security personnel to sign an undertaking not to contact visitors in their personal capacity. However, structured training is needed to help its security personnel understand the importance of protecting the personal data they handled daily in their duties, such as National Registration Identification Card numbers, photographs and closed-circuit television footage. 5. On the above consideration, the Deputy Commissioner for Personal Data Protection hereby directs the Organisation to: a) Within 60 days from the date of the direction, revise its training curriculum to ensure that its security personnel understand i. the rationale for personal data protection; ii. the importance of consent and authorisation in the handling of personal data; and iii. the circumstances in which… | Directions | 1020 | { "sum": 0, "max": 0 } |
83 | 76c540a233ccd1547032d82863fb7200fec50ed2 | A warning was issued to Interauct! for retaining personal data which was no longer necessary for legal or business purposes. | [ "Retention Limitation", "Warning", "Others", "Backup files", "Server migration" ] | 16 Oct 2020 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Interauct-Pte-Ltd---04082020.pdf | Retention Limitation | Breach of the Retention Limitation Obligation by Interauct! | https://www.pdpc.gov.sg/all-commissions-decisions/2020/10/breach-of-the-retention-obligation-by-interauct | 2020-10-16 | PERSONAL DATA PROTECTION COMMISSION Case No. DP-1911-B5268 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Interauct! Pte Ltd SUMMARY OF THE DECISION 1. Interauct! Pte Ltd (the “Organisation”) operated an online mobile number auction (the “Auction”) for a telecommunications provider (the “Telco”). This arrangement started in the year 2000 and ended in 2018. 2. In November 2019, the Commission was informed that the Telco’s cybersecurity team had located an internet sub-domain containing files with the personal data of individuals who had participated in the Auction (the “Files”). The Files contained the following types of personal data: a. Name; b. ID (such as passport or NRIC number); c. Mobile number; d. Address; e. Date of birth; and f. Email address. 3. The Commission’s investigations revealed the following: a. The Organisation had engaged a vendor to provide web hosting services for the Auction. In 2012 and 2016, the vendor conducted server migration exercises. On both occasions, the Organisation created backups of the Files prior to server migration exercises and uploaded them on the vendor’s servers. The Organisation did not delete the Files after the server migration were completed; b. In April 2019, the vendor misconfigured its servers. As a result, the Files became accessible on the internet sub-domain. However, to access this sub-domain requires an individual to key in either one of two URLs exactly. Both URLs were complex and lengthy. It was therefore difficult for an individual to determine the URLs exactly to enter the sub-domain. Indeed, an examination of server logs found that only the Telco had accessed the sub-domain; c. The Files contained a mix of individuals’ personal data, as well as dummy data used for testing purposes. An analysis of the Files showed that there were approximately 8,750 individuals’ personal data contained in them. The Telco compared the data with its customer records, and via a reconciliation process, was able to ide… | Warning | 1020 | { "sum": 0, "max": 0 } |
CREATE TABLE [pdpc_decisions] ( [_id] INTEGER PRIMARY KEY, [_item_id] TEXT , [description] TEXT, [tags] TEXT, [date] TEXT, [pdf-url] TEXT, [nature] TEXT, [title] TEXT, [url] TEXT, [timestamp] TEXT, [pdf-content] TEXT, [decision] TEXT, [_commit] INTEGER, `financial_penalties` TEXT); CREATE UNIQUE INDEX [idx_pdpc_decisions__item_id] ON [pdpc_decisions] ([_item_id]);