pdpc_decisions_version: 87
_id | _item | _version | _commit | description | tags | date | pdf-url | nature | title | url | timestamp | pdf-content | decision | _item_full_hash |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
87 | 87 | 1 | 1016 | A warning was issued to Horizon Fast Ferry for failing to put in place reasonable security arrangements to protect the personal data in the Organisation’s email account. | [ "Protection", "Warning", "Others", "Password policy", "Email account", "Phishing" ] | 2020-10-16 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision----Horizon-Fast-Ferry-Pte-Ltd---27082020.pdf | Protection | Breach of the Protection Obligation by Horizon Fast Ferry | https://www.pdpc.gov.sg/all-commissions-decisions/2020/10/breach-of-the-protection-obligation-by-horizon-fast-ferry | 2020-10-16 | PERSONAL DATA PROTECTION COMMISSION Case No. DP-1912-B5465 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Horizon Fast Ferry Pte. Ltd. SUMMARY OF THE DECISION 1. The Personal Data Protection Commission (“Commission”) investigated a complaint against Horizon Fast Ferry Pte. Ltd. (the “Organisation”) where the Organisation’s email account, [email protected] (the “Email Account”) had sent out phishing emails to its customers (the “Incident”). 2. Investigations revealed that the computer used to access the Email Account was infected with malware. This caused the Email Account to send phishing emails to three customers. Each email contained only the personal data that the customer himself had sent to the Email Account to book ferry tickets. Hence there was no disclosure of other customers’ personal data in the phishing email. 3. The Organisation informed the Commission that it had implemented various security measures prior to the Incident such as updating their anti-virus software regularly. However, investigations revealed that the password to access the Email Account was shared by 11 employees of the Organisation and had not been changed for almost 3 years. This poor management of passwords fell short of what is reasonably required to protect the personal data in the Email Account. 4. The Deputy Commissioner for Personal Data Protection therefore found the Organisation in breach of the Protection Obligation under section 24 of the Personal Data Protection Act 2012 for failing to implement reasonable security arrangements to protect the personal data in its possession or under its control. Upon consideration of the facts, a warning was issued to the Organisation. | Warning | a9f0d524ae6cbf14f4db5cdf1e0ccba42e45b1e0 |