pdpc_decisions_version: 57
_id | _item | _version | _commit | description | tags | date | pdf-url | nature | title | url | timestamp | pdf-content | decision | _item_full_hash |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
57 | 57 | 1 | 1016 | Singapore Telecommunications Limited was found not in breach of the PDPA in relation to an incident which occurred on or about 13 July 2020 where a threat actor accessed the accounts belonging to 17 subscribers. | [ "Not in Breach", "Information and Communications", "Phishing" ] | 2021-08-12 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Singapore-Telecommunications-Limited---21062021.pdf | | No Breach of the Protection Obligation by Singapore Telecommunications Limited | https://www.pdpc.gov.sg/all-commissions-decisions/2021/08/no-breach-of-the-protection-obligation-by-singapore-telecommunications-limited | 2021-08-12 | PERSONAL DATA PROTECTION COMMISSION Case No. DP-2007-B6607 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Singapore Telecommunications Limited SUMMARY OF THE DECISION 1. On 15 July 2020, Singapore Telecommunications Limited (the “Organisation”) informed the Personal Data Protection Commission of an incident which had occurred on or about 13 July 2020 (the “Incident”). In the Incident, a threat actor accessed the accounts of 17 of the Organisation’s telecommunications service subscribers to request issuance of new SIM cards, forwarding of voice calls and/or cessation of mobile services [1]. Once these were issued, the affected subscribers were unable to access their own accounts. 2. The Organisation’s investigations indicated that the Incident was due to threat actor(s) who gained access to its IT systems through coordinated social engineering tactics targeted at staff. The threat actor(s)’ aim was to use compromised staff accounts to gain control of subscriber accounts of the affected individuals to perform unauthorised activities. 3. The Organisation also made reports to IMDA under the Telecoms Act and the Singapore Police Force (“SPF”). 4. The Organisation’s investigations found no evidence that the integrity of its affected IT systems had been compromised or that any data had been exfiltrated from the systems. At the time of the Incident, the Organisation had in place reasonable security arrangements that included the following: a. Password requirements in security policies, standards and guidelines were aligned to industry best practices; b. Systems and network enhancements were continually implemented to improve the security of applications and IT infrastructure; c. Comprehensive and annual mandatory training was conducted for all staff in relation to the requirements under the PDPA; and d. Reasonable security measures were in place for the work environment of all staff based locally and overseas. 5. The Organisation took prompt action to mitigate the effects of the breach by suspending the compromised staff accounts and by password resets. Apart from exclusion from their account for a limited duration, no other loss or damage to any individual was reported from the Incident. Remedial action to prevent recurrence will remain confidential for security reasons. 6. The Deputy Commissioner for Personal Data Protection found that the Organisation had met its Protection Obligation in the circumstances. No enforcement action therefore needs to be taken in relation to the Incident. [1] Singtel stated that the threat actor could have also accessed the records of an additional 15 subscribers. | Not in Breach | 01a5079b89086159131ed4e343c0e882d01a1e85 |