pdpc_decisions: 64
Data source: pdpc.gov.sg/All-Commissions-Decisions
_id | _item_id | description | tags | date | pdf-url | nature | title | url | timestamp | pdf-content | decision | _commit | financial_penalties |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
64 | d6982844d4ff30b7cfe7dc299c0f7ecde531463f | A warning was issued to Flying Cape, a data intermediary, for failing to put in place reasonable security arrangements to protect the personal data of 191 users of a website. Flying Cape was managing the website on behalf of its client. | [ "Protection", "Warning", "Information and Communications", "Ransomware", "Data Intermediary", "Online Storage Bucket" ] | 15 Apr 2021 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Flying-Cape-Pte-Ltd---17032021.pdf | Protection | Breach of the Protection Obligation by Flying Cape | https://www.pdpc.gov.sg/all-commissions-decisions/2021/04/breach-of-the-protection-obligation-by-flying-cape | 2021-04-15 | PERSONAL DATA PROTECTION COMMISSION Case No. DP-2011-B7385 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And (1) Flying Cape Pte Ltd (2) ACCA Singapore Pte Ltd SUMMARY OF THE DECISION 1. Sometime between 25 September 2020 to 5 October 2020, the personal data of 191 users (the “Affected Individuals”) of www.accapdhub.com (the “Website”) was exfiltrated by an unauthorised party (the “Incident”). The exfiltrated personal data comprised of the names, email addresses and contact numbers of the Affected Individuals (“the Exfiltrated Data”). 2. The Website was owned by ACCA Singapore Pte Ltd (“ACCA”), but hosted, managed, and operated by Flying Cape Pte Ltd (“FCPL”) as ACCA’s data intermediary. FCPL notified the Personal Data Protection Commission (the “Commission”) of the Incident on 12 November 2020, after having received a ransom demand in respect of the Exfiltrated Data. 3. Sometime in early September 2020, as part of its management of the Website, FCPL extracted the personal data of the Affected Individuals from the database of the Website into an excel file. An FCPL employee who was assigned to work with the excel file failed to protect the file with a password or encrypt it as required by FCPL’s IT policy. Moreover, the employee incorrectly stored the excel file in a publicly accessible online storage bucket, as opposed to the correct, secured storage bucket. These lapses were believed to have led to the Incident. 4. Pursuant to section 53(1) of the PDPA, FCPL is liable for acts done by employees. The question therefore becomes whether FCPL had taken reasonable steps to prevent or detect mistakes such as the one made by the employee. The investigations did not surface any arrangements to supervise or verify its employees’ compliance with its internal policies or detect non-compliance. The Deputy Commissioner for Personal Data Protection therefore found that FCPL had breached the Protection Obligation under section 24 of the Personal Data Protection Act 2012 (the “PDPA”) in respect of the Exfiltrated Data. 5. As the data controller and owner of the Website, ACCA owed the Protection Obligation in respect of the Exfiltrated Data as well. The Deputy Commissioner is satisfied that ACCA discharged this obligation by (i) carrying out a due diligence assessment of FCPL’s data protection policies and practices before their engagement, and (ii) by stipulating data protection requirements in its contract when engaging with FCPL. 6. Taking into account the circumstances of the case, and in particular the factors below, the Deputy Commissioner for Personal Data Protection found ACCA not in breach of the PDPA and decided to issue a Warning to FCPL: a. The number of the Affected Individuals was low; b. The Exfiltrated Data was of a low sensitivity; c. FCPL took immediate remedial actions to prevent the occurrence of a similar incident; and d. FCPL voluntarily notified the Commission of the Incident. 7. In view of the remedial actions taken by FCPL, no directions were issued. | Warning | 1020 | { "sum": 0, "max": 0 } |