_id,_item_id,id,organisation,url,timestamp,description,pdf-url,pdf-content,_commit
61,3a286710ac17f10539aee032a26417de126da504,36,Yayasan Mendaki,https://www.pdpc.gov.sg/undertakings/undertaking-by-yayasan-mendaki,2024-04-22,"Background On 27 October 2022, the Personal Data Protection Commission (the “Commission”) received a data breach notification from Yayasan Mendaki (the “Organisation”) informing the Commission that its on-premises VMware ESXi servers had been encrypted by ransomware (the “Incident”). As a result of the Incident, the personal data of approximately 72,917 individuals, including their names, NRIC numbers, dates of birth, phone numbers, email addresses and bank account details, was encrypted and rendered inaccessible. A total of 2.7TB of data was also exfiltrated from the Organisation’s servers, but it could not be confirmed whether this data contained any personal data. Dark Web monitoring did not indicate that any exfiltrated data had been published or put up for sale. Investigation revealed that the Organisation had failed to remove the internet connectivity of a decommissioned web server. The threat actor(s) was believed to have exploited vulnerabilities in the unpatched web server and then moved laterally to the other servers. Remedial Actions Upon discovering the Incident, the Organisation immediately took the following actions: (a) Disconnected the on-premises network from the internet; and (b) Reset all user account passwords and reset the KRBTGT account (the Active Directory account whose key signs Kerberos tickets, reset so that any tickets forged during the intrusion become invalid). The Organisation also notified all potentially affected individuals of the Incident. Undertaking Having considered the circumstances of the case, including the remedial steps taken by the Organisation, the Commission accepted a voluntary undertaking on 23 May 2023 (the “Undertaking”) from the Organisation to improve its compliance with the Personal Data Protection Act 2012 (“PDPA”).
The Commission accepted the Undertaking after considering that the Organisation is a self-help group targeted at uplifting the Malay/Muslim community in Singapore, and the scale and potential impact of the Incident. Even though the Organisation’s servers and personal data had been encrypted, Dark Web monitoring did not indicate that any exfiltrated data had been published or put up for sale, and it could not be confirmed whether the exfiltrated data contained any personal data. Accepting the Undertaking was also consistent with the Commission’s practice with respect to other personal data breaches similar to the one that affected the Organisation and the Commission’s policy of reserving the imposition of a financial penalty for only the most serious instances of a breach of the PDPA. The Organisation also provided a comprehensive Undertaking that sought to rectify the gaps identified during the Commission’s investigations. As part of the Undertaking, the Organisation decommissioned the entire on-premises network to migrate to a cloud-based network and implemented technical measures such as two-factor authentication, network access via virtual private network and IP restrictions to improve its authentication and access control. The Organisation also reviewed and updated all its IT security policies and practices. The Organisation has since updated the Commission that it has fully implemented its remediation plan. The Commission has reviewed the matter and determined that the Organisation has complied with the terms of the Undertaking. Please click here to view the Undertaking.",https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/undertakings/undertaking---yayasan-mendaki.pdf,"VOLUNTARY UNDERTAKING UNDER SECTION 48L OF THE PERSONAL DATA PROTECTION ACT 2012 Case number: DP-2210-C0365 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 (“the Act”) And (1) Yayasan Mendaki (UEN No. 
198902633C) … Organisation The Commission has reasonable grounds to believe that the Organisation has not complied, is not complying or is likely not to comply with section 24 of the Act. In order for the Commission to suspend its investigation pursuant to section 50(3)(ca) of the Act, the Organisation HEREBY UNDERTAKES that it will: (a) Complete the remediation plan set out at Schedule B within the timelines stated in Schedule B; and (b) Within 14 days of the completion of the remediation plan set out at Schedule B, provide the Commission with a copy of the declaration set out at Schedule C duly signed by the signatory of this Undertaking or a representative of the Organisation of equal designation. The Organisation acknowledges that the Commission shall be entitled to publish and make available to the public this Undertaking and the summary of the Commission’s findings set out at Schedule A to this Undertaking. The terms of this Undertaking may be varied by the written agreement of the Commission and the Organisation. SIGNED, for and on behalf of Yayasan Mendaki by the following: Name: ________ Designation: ________ Date: ________
SCHEDULE A: SUMMARY OF FACTS
1. On 27 October 2022, the PDPC was informed that the Organisation’s servers were encrypted by a ransomware attack. Preliminary investigation had revealed that only the on-premises network was affected while the cloud infrastructure was not affected.
2. After conducting forensic investigation, the Organisation discovered that approximately 2.7TB of data had been exfiltrated from a virtual file server. However, the contents of the exfiltrated data could not be determined and none of the exfiltrated data has been published, leaked or put up for sale on the Dark Web.
3. To prevent a recurrence of a similar incident, the Organisation took immediate remedial actions to address the cause of the personal data breach and notified the potentially affected individuals.
SCHEDULE B: REMEDIATION PLAN BY YAYASAN MENDAKI (“YM”)
No. | Remediation action | Status | Target completion
1 | Implement phishing awareness training for all newly onboarded YM staff members as part of YM’s staff onboarding and orientation process. | On going | By 31 December 2023
2 | Reviewing and confirming software patches are up to date. | On going | By 31 December 2023
3 | Reviewing and updating YM’s firewall policy. | On going | By 31 December 2023
4 | Running software scans on all staff-issued laptops. | On going | By 31 December 2023
5 | Consulting with cybersecurity experts to: (a) assist with YM’s migration from on-premise servers to cloud servers; (b) implement and improve cybersecurity on YM’s cloud services and server environment. | On going | By 31 December 2023
6 | Implemented a data export limit/restriction to detect and alert YM if large amounts of data are exported from its servers. | On going | By 31 December 2023
7 | Restricted access to YM’s servers based on the location of origin of the relevant IP address. | On going | By 31 December 2023
8 | Implementing Cisco Cloud Email Security as an added layer of YM staff email security. | On going | By 31 December 2023
9 | Implemented two-factor authentication (with a fresh prompt every 24 hours) on access to YM’s servers and services. | On going | By 31 December 2023
10 | Implemented time-specific access restrictions to YM’s cloud servers and services. | On going | By 31 December 2023
11 | Implemented third party cloud backup for YM’s user accounts and email. | On going | By 31 December 2023
12 | Disabled permissions for: (a) connecting unauthorised personal devices to YM’s servers; and (b) connecting removable storage devices (via USB ports) to staff-issued laptops. | On going | By 31 December 2023
13 | Reviewing the use of wireless devices with staff-issued laptops. | On going | By 31 December 2023
14 | Restricted file sharing between staff members to YM’s internal SharePoint platform only, and disabling file sharing using other methods/platforms. | On going | By 31 December 2023
15 | To implement a virtual private network (VPN) to separate the cloud environment from the Internet. | Not started | By 31 December 2023
16 | To update the password policy to adopt stronger passwords of at least 12 alphanumeric characters, in line with the Cyber Security Agency of Singapore’s guidelines. | Not started | By 31 December 2023
SCHEDULE C
Case number: DP-2210-C0365 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 (“the Act”) And (1) Yayasan Mendaki (UEN No. 198902633C) … Organisation DECLARATION I refer to the voluntary undertaking dated _________ given by the Organisation to the Personal Data Protection Commission pursuant to section 48L of the Act (“the Undertaking”). I declare that the remediation plan set out at Schedule B of the Undertaking has been completed. I acknowledge that by making a false declaration or providing false or misleading information to the Personal Data Protection Commission, I may be prosecuted for offences under section 51(3)(c) of the Personal Data Protection Act 2012 and/or section 182 of the Penal Code 1871. Signature: ________ Date: ________ Name: ________ Designation: ________",1013
62,5ae3a7d0c1b80167074b297a77cc883e118cdb40,37,Sunray Woodcraft Construction Pte Ltd,https://www.pdpc.gov.sg/undertakings/undertaking-by-sunray-woodcraft-construction-pte-ltd,2024-04-22,"Background The Personal Data Protection Commission (the “Commission”) was notified by Sunray Woodcraft Construction Pte. Ltd. (the “Organisation” or “SWCPL”) on 11 May 2023 of a personal data breach involving the unauthorised access and exfiltration of personal data (the “Incident”). 
Investigations revealed that a malicious actor had deployed ransomware-as-a-service against SWCPL’s corporate environment, gaining entry either by exploiting vulnerabilities or by using compromised credentials; the exact cause of the breach could not be determined. The malicious actor encrypted the Organisation’s files containing the personal data of 2,130 individuals who were the Organisation’s current or ex-employees or who had previously sought employment with the Organisation. The types of personal data affected included the name, address, NRIC number, passport number, date of birth, contact information, photographs, and payroll information. In addition, for 689 of the 2,130 individuals affected, their personal email address was also affected. Remedial Actions Upon discovery of the Incident, SWCPL took prompt remedial actions including tightening the access controls to sensitive system interfaces, applying the latest patches to the firewall, strengthening the firewall rules, resetting the privileged accounts and passwords, and deploying an Endpoint Detection and Response software to continuously monitor end-user devices within its network. Undertaking Having considered the circumstances of the case, the Commission accepted a voluntary undertaking (the “Undertaking”) from SWCPL to improve its compliance with the Personal Data Protection Act 2012. The Undertaking was executed on 25 October 2023.
As part of the Undertaking, SWCPL implemented the following: (a) Engaged Telstra Singapore for Cyber Detection and Response services to manage and oversee its IT environment; (b) Implemented risk assessments on any changes to its environment to identify the potential impacts and minimise risks; (c) Transmitted logs to Telstra’s Security Operations Centre and retained them for 90 days; (d) Deployed a vulnerability scanner to regularly scan assets; (e) Enhanced its backup solution to use secured cloud-based data storage; (f) Kept an inventory of hardware/software assets and user accounts; (g) Implemented a Personal Data Protection policy and an Incident Response plan; (h) Enforced multi-factor authentication for all VPN users; and (i) Implemented Group Policy Object policies to ensure users do not use default usernames and simple passwords, and to enforce account lockouts after several failed login attempts. The Commission was satisfied with the Undertaking proposed by SWCPL and accepted the Undertaking having considered the number of affected individuals, the types of personal data involved and the impact of the Incident. Accepting the Undertaking was also consistent with the Commission’s practice with respect to other personal data breaches similar to the one that affected SWCPL. SWCPL has since updated the Commission that it has completed the implementation of its remediation plan. The Commission has reviewed the matter and is satisfied that SWCPL has complied with the terms of the Undertaking. Please click here to view the Undertaking.",https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/undertakings/undertaking---sunray-woodcraft-construction-pte-ltd.pdf,"VOLUNTARY UNDERTAKING UNDER SECTION 48L OF THE PERSONAL DATA PROTECTION ACT 2012 Case number: DP-2305-C1003 In the matter of an investigation under section 50(1) And (1) Sunray Woodcraft Construction Pte Ltd (UEN No. 
198703016K) Organisation The Commission has reasonable grounds to believe that the Organisation has not complied, is not complying or is likely not to comply with section 24 of the Act. In order for the Commission to suspend its investigation pursuant to section 50(3)(ca) of the Act, the Organisation HEREBY UNDERTAKES that it will: (a) Complete the remediation plan set out at Schedule B within the timelines stated in Schedule B; and (b) Within 14 days of the completion of the remediation plan set out at Schedule B, provide the Commission with a copy of the declaration set out at Schedule C duly signed by the signatory of this Undertaking or a representative of the Organisation of equal designation. The Organisation acknowledges that the Commission shall be entitled to publish and make available to the public this Undertaking and the summary of the Commission’s findings set out at Schedule A to this Undertaking. The terms of this Undertaking may be varied by the written agreement of the Commission and the Organisation. SIGNED, for and on behalf of Sunray Woodcraft Construction Pte Ltd by the following: Name: ________ Designation: ________ Date: ________
SCHEDULE A: SUMMARY OF FACTS
1. On 11 May 2023, the PDPC was notified by Sunray Woodcraft Construction Pte Ltd (SWCPL) of a ransomware attack on its servers on or about 25 April 2023, causing loss of access to IT systems and encryption of files with personal data.
2. As a result, the personal data of 2,130 individuals, including their names, addresses, personal email addresses (in respect of 689 individuals), telephone numbers, NRIC numbers, passport numbers, photographs, dates of birth, bank account numbers and salary information, was affected.
3. To prevent a recurrence of a similar incident, the Organisation took immediate remedial action to address the cause of the personal data breach.
SCHEDULE B: REMEDIATION PLAN
No. | Potential risk factors / improvement areas | Remediation plan | Target completion (date)
Technical remediation
1 | Exploitable vulnerabilities in software used. | Software in use will be updated to the latest version available. | Completed
2 | (as above) | SWCPL will evaluate and thereafter implement/deploy technological measures to ensure that software on all devices is updated as new patches become available. | December 2023
3 | (as above) | SWCPL will conduct a risk assessment for software that cannot be updated (e.g., because it is needed for compatibility with legacy hardware such as CNC machines / laser cutters), to evaluate vulnerabilities, threats, impacts, mitigation measures, business context, compliance, and risk acceptance to inform decision-making and appropriate prioritization of resources for effective risk management. | December 2023
4 | Lack of enforcement of multi-factor authentication for virtual private network access. | SWCPL will enforce multi-factor authentication for all account logins for VPN connections to its IT systems. | Completed
5 | Inadequate maintenance of security software (e.g. antivirus, firewalls). | SWCPL will update all security software to the latest version available, including updating antivirus patterns. | Completed
6 | (as above) | SWCPL will evaluate and thereafter implement/deploy technological measures (such as vulnerability scanning engines) to ensure that security software is updated as new patches become available. | December 2023
7 | (as above) | SWCPL will conduct a thorough firewall rules review to ensure adequate protection for SWCPL. Any issues identified will be resolved. | Completed
8 | … security defense | SWCPL is evaluating and will deploy intrusion detection systems (IDS), intrusion prevention systems (IPS), or endpoint detection and response (EDR) to strengthen its cybersecurity profile. SWCPL will also perform continuous evaluation and fine-tuning of IDS, IPS, and EDR. | SentinelOne (an EDR) has already been deployed. IDS/IPS will be managed through the Palo Alto firewall, which has already been deployed. Continuous evaluation and fine-tuning will be performed as necessary.
9 | Use of default usernames for high-privilege accounts. | SWCPL will change usernames for high-privileged accounts that are default usernames. Technological policies will be implemented to ensure that default … | Completed
10 | Weak enforcement of secure passwords. | SWCPL will strengthen password enforcement by implementing Group Policy Object (GPO) policies that enforce compliance with SWCPL’s password policy on complexity, length, and expiry. | Completed
11 | Account lockout policies. | SWCPL will enforce automatic account lockout policies which will lock out an account after 5 failed login attempts. | Completed
12 | On-premises backup dependency increases vulnerability to data loss or unavailability during disasters or cyberattacks. | SWCPL will evaluate and thereafter implement off-site tape backup or cloud-based backup. | Evaluation will be completed by November 2023. Actual backups will be performed as necessary.
13 | Implementation of centralized logging capabilities to ensure that system logs are available in the event of a cyber incident. | SWCPL will evaluate and thereafter implement systems to retain and adequately secure logs from network devices, local hosts and cloud services, etc. for at least 90 days. | November 2023
Policies / process remediation
14 | Strengthen incident response plan. | SWCPL will draft an Incident Response Plan that includes an outline of the scope, incident response methodology, incident response phases, guidelines for the incident response process, and documentation, tracking, and reporting procedures, ensuring a comprehensive and tested approach to addressing information security incidents. | November 2023
15 | Vulnerability testing. | SWCPL will research available vulnerability testing solutions to conduct a suitable penetration test after the abovementioned steps. SWCPL will also implement periodic penetration testing. | Research on vulnerability testing solutions will be completed by November 2023. Penetration testing will be conducted as needed.
16 | Implementing asset management actions to ensure that information assets are available and accurate. | SWCPL will implement the following asset management actions: 1. Keep an inventory of hardware and software assets to identify outdated hardware and software. 2. Keep an inventory of user accounts. 3. Maintain an updated network diagram. | Items 1 and 2: November 2023. Item 3: Completed. SWCPL is actively maintaining this network diagram.
17 | Implementing account management actions to ensure security of user accounts. | SWCPL has in place the following account management actions: 1. Implementing procedures and processes to perform periodic review of user accounts and removal of inactive accounts. 2. Enforcing … to control user access rights. | Item 1: SWCPL already has in place such procedures and processes. SWCPL will regularly review these procedures and processes to ensure that they are complied with. Item 2: Completed. SWCPL will regularly review these procedures and processes to ensure that they are complied with.
18 | Implementing written policies/processes/guidelines relating to the collection, use, disclosure, protection and retention of personal data in the possession and/or custody of SWCPL and/or its employees. | SWCPL will review and update its internal policies/processes relating to the collection, use, disclosure, protection, and retention of personal data in the possession and/or custody of SWCPL and/or its employees, including but not limited to ensuring the proper documentation of the policies and processes and enhancing training for all staff on data protection. | November 2023
SCHEDULE C
Case number: DP-2305-C1003 In the matter of an investigation under section 50(1) And (1) Sunray Woodcraft Construction Pte Ltd (UEN No. 198703016K) DECLARATION I refer to the voluntary undertaking dated [___________] given by the Organisation to the Personal Data Protection Commission pursuant to section 48L of the Act (“the Undertaking”). I declare that the remediation plan set out at Schedule B of the Undertaking has been completed. I acknowledge that by making a false declaration or providing false or misleading information to the Personal Data Protection Commission, I may be prosecuted for offences under section 51(3)(c) of the Personal Data Protection Act 2012 and/or section 182 of the Penal Code 1871. Signature: ________ Date: ________ Name: ________ Designation: ________",1013
63,4c7de9884b1a1e986b6b36f7874233ad637c866b,38,Success Human Resource Centre Pte Ltd,https://www.pdpc.gov.sg/undertakings/undertaking-by-success-human-resource-centre-pte-ltd,2024-04-22,"Background The Personal Data Protection Commission (the “Commission”) received a complaint about a personal data breach involving Success Human Resource Centre Pte Ltd (the “Organisation”) on 30 May 2023. 
The complainant informed the Commission that he was able to access the Organisation’s attendance tracking system, which disclosed the names and mobile numbers of other individuals, by manipulating the numerical suffix of the Organisation’s webpage URL (the “Incident”). This is a classic insecure direct object reference: the application served whichever record the URL named without checking that the requester was entitled to view it. About 30,000 individuals were potentially affected. Investigations attributed the breach to inadequate web disk space on the web host and unaddressed errors in the coding script. Upon being alerted, the Organisation immediately took down the URL. Undertaking Having considered the circumstances of the case, the Commission accepted a voluntary undertaking (the “Undertaking”) from the Organisation to improve its compliance with the Personal Data Protection Act 2012. The Undertaking was executed on 11 September 2023. As part of the Undertaking, the Organisation put in place the following measures: (a) Fixed all coding flaws and structural issues on the system. (b) Upgraded the web disk space and implemented 2FA. (c) Implemented best practices for secure Identity Access Management (IAM). (d) Implemented clear vendor management and account responsibility processes. (e) Developed a vulnerability disclosure policy and established a clear process for incident management. The Commission was satisfied with and accepted the Undertaking having considered the number of affected individuals, the types of personal data involved and the impact of the Incident. Accepting the Undertaking was also consistent with the Commission’s practice with respect to other personal data breaches similar to the one that affected the Organisation. The Organisation has since updated the Commission that it has completed the implementation of its remediation plan. The Commission has reviewed the matter and is satisfied that the Organisation has complied with the terms of the Undertaking.
Please click here to view the Undertaking.",https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/undertakings/undertaking---success-human-resource-centre-pte-ltd.pdf,"VOLUNTARY UNDERTAKING UNDER SECTION 48L OF THE PERSONAL DATA PROTECTION ACT 2012 Case number: DP-2305-C1080 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 (“the Act”) And (1) Success Human Resource Centre Pte Ltd (UEN No. 200516727R) … Organisation The Commission has reasonable grounds to believe that the Organisation has not complied, is not complying or is likely not to comply with section 24 of the Act. In order for the Commission to suspend its investigation pursuant to section 50(3)(ca) of the Act, the Organisation HEREBY UNDERTAKES that it will: (a) Complete the remediation plan set out at Schedule B within the timelines stated in Schedule B; and (b) Within 14 days of the completion of the remediation plan set out at Schedule B, provide the Commission with a copy of the declaration set out at Schedule C duly signed by the signatory of this Undertaking or a representative of the Organisation of equal designation. The Organisation acknowledges that the Commission shall be entitled to publish and make available to the public this Undertaking and the summary of the Commission’s findings set out at Schedule A to this Undertaking. The terms of this Undertaking may be varied by the written agreement of the Commission and the Organisation. SIGNED, for and on behalf of Success Human Resource Centre Pte Ltd by the following: Name: ________ Designation: ________ Date: ________
SCHEDULE A: SUMMARY OF FACTS
1. On 30 May 2023, the PDPC was notified by a complainant who stated that the Organisation’s URL on the Attendance Tracking System could be manipulated to gain access to PDF documents containing personal data of other individuals.
2. As a result, the personal data of approximately 30,000 individuals, including their names and phone numbers, was exposed.
3. To prevent a recurrence of a similar incident, the Organisation took immediate remedial action to address the cause of the personal data breach.
SCHEDULE B: REMEDIATION PLAN
S/N | Likely causes of incident | Proposed steps to address the cause | Targeted completion date
1 | Defective code for the ""Print_attendance"" function on the ATS Portal, and upgrade of Web Disk/Backup options. | a. Identify the specific defects in the code causing the issue. b. Conduct a thorough code review and debugging process to fix the defects. c. Test updated code extensively to ensure the ""Print_attendance"" function works as intended. d. Implement a comprehensive quality assurance process for future code changes to prevent similar defects. e. Conduct a greybox penetration test by Net Assist Sdn Bhd, a Singapore-licensed penetration testing service provider. | 30th September 2023
2 | Defective code and structure for Identity Access Management (IAM) features on the ATS Portal and … | a. Assess the existing code and architecture for the IAM features. b. Identify and fix any coding flaws and structural issues affecting the IAM functionality. c. Implement best practices for secure IAM implementation, such as proper authentication, authorization, and access control mechanisms. d. Regularly review and update the IAM code and structure to address any emerging vulnerabilities. e. Introduce and integrate multifactor authentication into IAM modules. | 30th September 2023
3 | Not disabling specific accounts for interns/full-time job hires (for the purpose of clocking timesheets). | a. Develop a standardized process for enabling and disabling accounts based on employment status. b. Implement an automated system that disables accounts for interns or full-time job hires upon completion of their contracts or termination of employment. c. Conduct periodic audits to ensure that accounts are promptly disabled as required. | 31st October 2023
4 | Insufficient visibility of ATS Portal Access Control Management, vendor SLA and continued maintenance. | a. Review current vendor suitability and ability to continue with the ATS system maintenance and, if not, onboard new vendor Digipixel Pte. Ltd. b. Enhance the documentation and communication of Access Control Management processes, including user access levels and permissions. c. Establish a clear and well-defined Vendor Service Level Agreement (SLA) outlining expectations, responsibilities, and response times with Digipixel Pte. Ltd. and FirstComm Solutions for web development and hosting respectively, also covering responsibilities for the protection of personal data. d. Regularly review and update the Access Control Management system to meet evolving security requirements. e. Conduct periodic checks to verify compliance with the SLA and overall system maintenance. | 30th September 2023
5 | No vulnerability disclosure policy and process chart for specific incident management. | a. Develop a vulnerability disclosure policy that encourages responsible reporting of potential security vulnerabilities. b. Establish a clear process for incident management, including the identification, assessment, and mitigation of vulnerabilities. c. Create a dedicated team responsible for handling vulnerability disclosures and coordinating appropriate remediation actions. d. Communicate the vulnerability disclosure policy and process to stakeholders, including employees, vendors, and users. | 31st October 2023
SCHEDULE C
Case number: DP-2305-C1080 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 (“the Act”) And (1) Success Human Resource Centre Pte Ltd (UEN No. 
200516727R) … Organisation DECLARATION I refer to the voluntary undertaking dated ________ given by the Organisation to the Personal Data Protection Commission pursuant to section 48L of the Act (“the Undertaking”). I declare that the remediation plan set out at Schedule B of the Undertaking has been completed. I acknowledge that by making a false declaration or providing false or misleading information to the Personal Data Protection Commission, I may be prosecuted for offences under section 51(3)(c) of the Personal Data Protection Act 2012 and/or section 182 of the Penal Code 1871. Signature: ________ Date: ________ Name: ________ Designation: ________",1013
60,727fe5adb53f7a6861cbb5c8a8c1d6a0b826b539,35,Moncler Singapore Pte Ltd,https://www.pdpc.gov.sg/undertakings/undertaking-by-moncler-singapore-pte-ltd,2024-03-21,"Background The Personal Data Protection Commission (the “Commission”) was notified by Moncler Singapore Pte. Limited (“Moncler”) on 24 February 2022 of a personal data breach involving the unauthorised access and exfiltration of personal data. Investigations revealed that a malicious actor had deployed a sophisticated ransomware-as-a-service against Moncler’s corporate environment, possibly by using compromised credentials, vulnerability exploits, or spear-phishing. However, the exact cause of the breach could not be determined. The malicious actor successfully deployed ransomware, encrypting and exfiltrating the personal data of 8,570 individuals (the “Incident”). The personal data affected included the name, date of birth, contact information, and purchase data of 8,561 customers, and the name, date of birth, contact information and payroll data of 9 employees. 
Remedial Actions After the Incident, as part of a remediation plan, Moncler put in place the following measures: (a) Enhancing current cybersecurity training and awareness capabilities; (b) Extending and refining Business Impact Analysis; (c) Reviewing and improving its identity governance and access management solutions; (d) Reviewing the security posture of the servers; (e) Formalizing the application of its Vulnerability Management Process; (f) Formalizing an IT Asset Management Program; (g) Performing network security assessments; (h) Improving Security Operation Center capabilities; and (i) Implementing a configuration management database solution. The Commission was satisfied with the remedial actions undertaken by Moncler. Undertaking Having considered the circumstances of the case, the Commission accepted an undertaking from Moncler to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 29 June 2022 (the “Undertaking”). The Commission accepted the Undertaking having considered the number of affected individuals, the types of personal data involved and the impact of the Incident. Accepting the Undertaking was also consistent with the Commission’s practice with respect to other personal data breaches similar to the one that affected Moncler. Moncler has since updated the Commission that it has completed the implementation of its remediation plan. The Commission has reviewed the matter and is satisfied that Moncler has complied with the terms of the Undertaking. Please click here to view the Undertaking.",https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/undertakings/undertaking---moncler-singapore-pte-ltd.pdf,"WRITTEN VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Personal Data Protection Commission or its delegates pursuant to section 48L(1) of the PDPA, by: Moncler Singapore Pte. 
Limited UEN: 201531580G Registered Address: 135 Cecil Street, #10-01, Philippine Airlines Building, Singapore 069536 (hereinafter referred to as the “Organisation”). By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. DEFINITIONS In this Undertaking: (a) “PDPA” means the Personal Data Protection Act 2012; and (b) “Relevant Provisions” means the provisions in Parts III, IV, V, VI, VIA and IX, and section 48B(1) of the PDPA. 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) The Commission has carried out investigations into certain acts and practices of the Organisation, and has reason to believe that the Organisation has not complied, is not complying, or is likely not to comply with one or more of the Relevant Provisions. The relevant facts and circumstances are summarised at Schedule A. (b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to issue directions under sections 48I or 48J of the PDPA. (c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation appears ready to implement or is in the midst of implementing the steps set out in Schedule B. (d) Having carefully considered all the relevant facts and circumstances, the Commission takes the view that this is an appropriate case in which an Undertaking may be accepted.
2.2 The Organisation also acknowledges and agrees that the Commission may publish and make publicly available this Undertaking, and without limitation to the foregoing, the Commission may issue public statements referring to this Undertaking and/or its contents in whole or in part. 3. UNDERTAKINGS The Organisation undertakes that it has taken, or will take all necessary steps, to carry out the actions or refrain from carrying out the actions referred to in Schedule B, and where applicable, in accordance with the stipulated timelines. 4. COMMENCEMENT This Undertaking shall take effect upon the acceptance by the Commission of the Organisation’s duly executed Undertaking. 5. THE COMMISSION’S STATUTORY POWERS 5.1 In order to provide the Organisation with an opportunity to complete all necessary steps to implement its undertakings set out in clause 3 above, the Commission will exercise its powers under section 50(3)(ca) of the PDPA to suspend the investigations referred to in clause 2 on the date the Undertaking takes effect as set out in clause 4.1. 5.2 The Organisation acknowledges that the Commission will verify the Organisation’s compliance with its undertakings set out in clause 3 above, and if necessary, will exercise its powers under the Ninth Schedule of the PDPA to do so. 5.3 Clause 5.1 above shall be without prejudice to the Commission’s statutory powers to conduct or resume, at any time, the investigations referred to in clause 2 above if it thinks fit, including but not limited to the situation where the Organisation fails to comply with this Undertaking or part thereof in relation to any matter. 5.4 Nothing in this Undertaking, including the Commission’s acceptance of the Undertaking, is intended to, or shall, fetter or constrain the Commission’s rights and statutory powers (including but not limited to those under sections 48I, 48J, 48L(4) and 50 of the PDPA) in any manner. 
Neither shall be construed as creating any anticipation or expectation that the Commission will take or not take any particular course of action in the future (whether in the present case or in respect of any other case concerning a breach or suspected breach of the PDPA). The acceptance of this Undertaking is strictly confined to the particular facts of the present case, and is made on the basis of the representations and information provided by the Organisation. The acceptance of an Undertaking in this case shall not be construed as establishing any precedent. 6. VARIATION This Undertaking may be varied only with the express written agreement of the Commission. This document has been electronically signed. The Parties hereby affirm that the electronic signatures have been affixed with the due authorisation of each Party and that Parties intend for the electronic signatures to carry the same weight, effect and meaning as hand-signed wet-ink signatures. SIGNED, for and on behalf of ) Moncler Singapore Pte. Limited ) By the following: ) Name: ______________________________________ ) Designation: _________________________________ ) Date: _______________________________________ ) Page 3 of 8 ACCEPTED by ) ) Name: ______________________________________ ) Designation: Deputy Commissioner Personal Data Protection ) Date: _______________________________________ ) Page 4 of 8 SCHEDULE A Page 5 of 8 SUMMARY OF FACTS 1. On 24 February 2022, the PDPC was informed that the Organisation was subjected to a ransomware attack, resulting in encryption and exfiltration of its database. 2. As a result, the personal data of 8,561 customers including their names, date of birth, email addresses, telephone numbers, and purchase data was exfiltrated. 
In addition, the personal data of another 9 employees, including their name, date of birth, contact information, and payroll data which includes health data, bank account information and other categories of data connected to the employment relationship, was also exfiltrated. 3. To prevent a recurrence of a similar incident, the Organisation took immediate remedial action to address the possible causes of the personal data breach. SCHEDULE B REMEDIATION PLAN (columns: S/N; Item; Target Completion) 1. Enhancing current Cybersecurity Training & Awareness capabilities (Q4 2022). 2. Extending and refining Business Impact Analysis (Q3 2022). 3. Reviewing and Improving Identity Governance and Access Management solutions (Q4 2022). 4. Reviewing the security posture of the Group’s servers (Q1 2023). 5. Formalizing the application of Vulnerability Management Process (Q3 2023). 6. Formalizing an IT Asset Management Program (Q1 2023). 7. Performing Network Security assessments (Q2 2023). 8. Improving Security Operation Center capabilities (Q1 2023). 9. Implement Configuration Management Database Solution (Q4 2023). ",1011 59,ca58c3c9a30a23a2752d3cca53c4faab7fc09277,34,Low Keng Huat (Singapore) Ltd,https://www.pdpc.gov.sg/undertakings/undertaking-by-low-keng-huat-ltd,2024-02-22,"Background The Personal Data Protection Commission (the “Commission”) was notified by Low Keng Huat (Singapore) Limited (“LKHS”) on 4 July 2023 of a personal data breach involving the unauthorised access and exfiltration of personal data. Investigations revealed that a malicious actor had gained initial access to LKHS's IT environment remotely. The firewall was not configured and was therefore unable to block malicious traffic: the vendor responsible for managing the firewall system had conducted no testing before the system went live after an upgrade. As a result, server logs were missing during that period, and security threat protection was not enabled in the system. 
The malicious actor likely exploited a critical vulnerability to obtain LKHS's workstation credentials and compromise email accounts. The malicious actor successfully deployed ransomware, encrypting and/or exfiltrating the personal data of 1,400 individuals (the “Incident”). The personal data affected included their personal contact information, emails, IC and passport scans, date of birth, sale and purchase agreements, and option to purchase documents. LKHS has been conducting monitoring and has not found any evidence to suggest that the personal data affected in the incident has been misused. Remedial Actions After the Incident, as part of a remediation plan, LKHS put in place the following measures: (a) Patched all software and outdated firmware.   (b) Updated and completed all IT hardware and software asset lists.   (c) Implemented clear vendor management and account responsibilities processes.   (d) Reviewed and resolved firewall issues and eliminated the need for VPN.   (e) Implemented strong security settings for servers and updated all workstations with endpoint protection.   (f) Implemented 2FA and more stringent password policies.   (g) All LKHS’s accounts have undergone a successful security audit, with evidence of log file visibility.   (h) Scheduled a yearly cybersecurity and IT training for all staff.   (i) Implemented new software and patch management policy.    The Commission was also satisfied with the additional remedial actions undertaken by LKHS. Undertaking Having considered the circumstances of the case, the Commission accepted an undertaking from LKHS to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 12 October 2023 (the ""Undertaking""). The Commission accepted the Undertaking having considered the number of affected individuals, the types of personal data involved and the impact of the Incident. 
Accepting the Undertaking was also consistent with the Commission’s practice with respect to other personal data breaches similar to the one that affected LKHS.  LKHS has since updated the Commission that it has completed the implementation of its remediation plan. The Commission has reviewed the matter and is satisfied that LKHS has complied with the terms of the Undertaking. Please click here to view the Undertaking.",https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/undertakings/undertaking---low-keng-huat-ltd.pdf,"VOLUNTARY UNDERTAKING UNDER SECTION 48L OF THE PERSONAL DATA PROTECTION ACT 2012 Case number: DP-2308-C1305 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 (“the Act”) And (1) Low Keng Huat (Singapore) Limited (UEN No. 196900209G) … Organisation The Commission has reasonable grounds to believe that the Organisation has not complied, is not complying or is likely not to comply with section 24 of the Act. In order for the Commission to suspend its investigation pursuant to section 50(3)(ca) of the Act, the Organisation HEREBY UNDERTAKES that it will: (a) Complete the remediation plan set out at Schedule B within the timelines stated in Schedule B; and (b) Within 14 days of the completion of the remediation plan set out at Schedule B, provide the Commission with a copy of the declaration set out at Schedule C duly signed by the signatory of this Undertaking or a representative of the Organisation of equal designation. The Organisation acknowledges that the Commission shall be entitled to publish and make available to the public this Undertaking and the summary of the Commission’s findings set out at Schedule A to this Undertaking. Page 1 of 12 The terms of this Undertaking may be varied by the written agreement of the Commission and the Organisation. 
SIGNED, for and on behalf of ) Low Keng Huat (Singapore) Limited ) By the following: ) Name: ______________________________________ ) Designation: _________________________________ ) Date: _______________________________________ ) SCHEDULE A SUMMARY OF FACTS 1. On 31 July 2023, PDPC was notified by Low Keng Huat (Singapore) Limited (“LKHS”) of a data security incident on 4 July 2023 involving ransomware encryption and possibly data exfiltration. LKHS staff had reported being unable to access the Organisation’s workstations. 2. As a result, the personal data of 1,400 individuals including their names, addresses, personal email addresses, telephone numbers, NRIC numbers, passport numbers, photographs, dates of birth and transaction information was affected. 3. To prevent a recurrence of a similar incident, the Organisation took immediate remedial action to address the cause of the personal data breach. SCHEDULE B (columns: S/N; LIKELY CAUSES OF INCIDENT; PROPOSED STEPS TO ADDRESS THE CAUSE; TARGETED COMPLETION DATE)
Tightened Governance over Outsourced Vendors and Infrastructure
1. Likely cause: Unpatched software and outdated firmware. Proposed steps: Review and enhance vendors’ execution of patches for each Windows and non-Windows platform: a. List all patches and firmware updates communicated and executed by vendors on the stated date; b. Physically check for evidence that such patches and updates are completed; c. Research any other available patches and updates not covered by vendors. Target: 20 Oct 2023. Audit Frequency: Monthly (on a Friday after Microsoft “Patch Tuesday”).
2. Likely cause: Outdated and incomplete IT hardware and software asset lists. Proposed steps: Review and enhance current asset management processes: a. Record and document any event(s) necessitating fresh review; b. Review and update inventory list(s) where necessary; c. Check list(s) against actual (sighted) physical items. Target: 27 Oct 2023. Audit Frequency: Event-driven as defined or Annually, whichever is earlier.
3. Likely cause: Breakdown of vendor management and account responsibilities processes. Proposed steps: Review and enhance vendor and account management processes: a. Record and document any event(s) necessitating fresh review; b. Review and update account management processes where necessary. Target: 20 Oct 2023. Audit Frequency: Event-driven as defined or Annually, whichever is earlier.
4. Likely cause: Firewall not managed; absence of rules and log file monitoring. Proposed steps: a. Record and document any event(s) necessitating fresh review; b. Full firewall review: check rules, logs, bandwidth monitoring, list of super admin users, access security through the Internet, log monitoring and reporting frequency. Target: 20 Oct 2023. Audit Frequency: Event-driven as defined or Annually, whichever is earlier. The immediate actions taken post incident had already fixed all firewall issues identified. We intend to run another round of manual checks before the target completion date and will provide screenshots and log files as part of the status report at the end of the voluntary undertaking. In the event LKHS switches service provider, or changes the type of firewall used, we will repeat all the tasks detailed above.
5. Likely cause: VPN software end of life. Proposed steps: Removed the need for VPN; no longer using the VPN solution. Files and folders are accessed via Microsoft SharePoint. Target: N.A. Post incident, LKHS has discontinued the use of a VPN for external access to on-premise (local site) file servers. LKHS staff now use the public Internet to access files stored in the Microsoft SharePoint cloud. Existing local file servers (on-site) can be accessed only when physically in the office, using existing Active Directory credentials. LKHS has concluded there is no requirement to access any corporate work and assets from the Internet. The Management’s decision is to use cloud SharePoint as the main file access and sharing functionality without any need for a VPN. The previous VPN and local Active Directory security mechanism has been replaced with Microsoft's Azure Active Directory (""AAD"") Authentication and Identity Management features. Authorised LKHS staff have been registered with the AAD and users need to sign in with their Azure AD credentials. Multi-factor authentication will be enforced as part of the LKHS remediation plan. LKHS uses SharePoint's Role-Based Access Control (RBAC) to manage permissions and access. LKHS administrators will assign permissions to users and groups at various levels. Folder owners (designated staff) will need to grant privileged access to their respective team members, based on internal requirements.
Cybersecurity Enhancements
6. Likely cause: Weak security settings for servers. Proposed steps: Work with vendors to harden infrastructure using CIS benchmarks, vendors’ knowledge base or Windows Group Policy Objects. Target: 18 Oct 2023.
7. Likely cause: Lack of endpoint protection. Proposed steps: Implement endpoint protection for all LKHS staff: a. List all end users with and without endpoint antivirus software installed; b. Monitor effectiveness and any expiry dates. Target: 31 Oct 2023.
8. Likely cause: Weak Microsoft account passwords, lack of 2FA. Proposed steps: a. Implement Microsoft 2FA, password security and rules; b. Review password policies and enforce strong password requirements. Target: 18 Oct 2023.
9. Likely cause: Lack of log file visibility and management. Proposed steps: Monitor logs from key servers / firewall; explore a centralised log server to consolidate logs from key servers. Target: 27 Oct 2023.
Staff Communication/Education and IT Policies (columns: S/N; IDENTIFIED GAPS; AGENDA; MODE AND FREQUENCY; NEXT SCHEDULED DATE)
1. Identified gap: No schedule for staff communication and training on cybersecurity matters. Agenda: Cybersecurity Training. Mode and frequency: Online or in person, once per year.
2. Identified gaps: Lack of detail and actionable steps in current IT Policies; weak enforcement of policies related to IT Governance. Agenda: Training on LKHS IT Acceptable Use Policy; LKHS-IT-01 Vendor Management Policy; LKHS-IT-03 Acceptable Use Policy; IT Policy in Software and Patch Management; to extract and follow PDPC’s Guides. Mode and frequency: Events when the policies are updated; once per year. Next scheduled date: Within 1 month after remediation timeframe.
SCHEDULE C Case number: DP-2308-C1305 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 (“the Act”) And (1) Low Keng Huat (Singapore) Limited (UEN No. 196900209G) … Organisation DECLARATION I refer to the voluntary undertaking dated ________ given by the Organisation to the Personal Data Protection Commission pursuant to section 48L of the Act (“the Undertaking”). I declare that the remediation plan set out at Schedule B of the Undertaking has been completed. I acknowledge that by making a false declaration or providing false or misleading information to the Personal Data Protection Commission, I may be prosecuted for offences under section 51(3)(c) of the Personal Data Protection Act 2012 and/or section 182 of the Penal Code 1871. ________________________ Signature _______________________ Date ________________________ ________________________ Name Designation ",1010 33,6e98f92db05dac23a73da70032d38ef5f0dc2fea,33,AEM Holdings Ltd,https://www.pdpc.gov.sg/Undertakings/Undertaking-by-AEM-Holdings-Ltd,2023-12-14,"Background  The Personal Data Protection Commission (the ""Commission"") was notified by AEM Holdings Ltd. (""AEM"") on 1 July 2022 of a personal data breach involving the unauthorised access and exfiltration of personal data. Investigations revealed that a malicious actor had likely obtained initial access to AEM's IT environment through a virtual private network (""VPN"") appliance owned, controlled, and maintained by its vendor. 
The VPN appliance contained a known critical vulnerability, as the vendor had not updated it. The malicious actor had likely exploited that vulnerability to obtain VPN credentials and session information. The malicious actor successfully deployed ransomware, encrypting and/or exfiltrating the personal data of 18,135 individuals (the ""Incident""). The personal data affected included their identification numbers, personal contact information, employee status, salary, leave records, date of birth, race, religion, COVID-19 test results, body temperatures for COVID-19 measures, vaccination information, list of shareholders, employee bank account numbers, profile photographs, and fingerprints. Remedial Actions After the incident, as part of a remediation plan, AEM put in place the following measures: (a) Implemented a third-party vendor cybersecurity risk management policy; (b) Implemented standard contractual clauses for contracting with third-party vendors; (c) Implemented regular cybersecurity reviews; and (d) Reviewed and enhanced its data classification policy. The Commission was also satisfied with the additional actions undertaken by AEM. Undertaking  Having considered the circumstances of the case, the Commission accepted an undertaking from AEM to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 2 May 2023 (the ""Undertaking""). The Commission accepted the Undertaking having considered the number of affected individuals, the types of personal data involved and the impact of the Incident. Accepting the Undertaking was also consistent with the Commission's practice with respect to other personal data breaches similar to the one that affected AEM. AEM has since updated the Commission that it has completed the implementation of its remediation plan. The Commission has reviewed the matter and is satisfied that AEM has complied with the terms of the Undertaking. 
Please click here to view the Undertaking.",https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Undertakings/Undertaking---AEM-Holdings-Ltd.pdf,"VOLUNTARY UNDERTAKING UNDER SECTION 48L OF THE PERSONAL DATA PROTECTION ACT 2012 Case number: DP-2207-9942 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 (“the Act”) And (1) AEM Holdings Ltd. (UEN No. 200006417D) … Organisation The Commission has reasonable grounds to believe that the Organisation has not complied, is not complying or is likely not to comply with section 24 of the Act. In order for the Commission to suspend its investigation pursuant to section 50(3)(ca) of the Act, the Organisation HEREBY UNDERTAKES that it will: (a) Complete the remediation plan set out at Schedule B within the timelines stated in Schedule B; and (b) Within 14 days of the completion of the remediation plan set out at Schedule B, provide the Commission with a copy of the declaration set out at Schedule C duly signed by the signatory of this Undertaking or a representative of the Organisation of equal designation. The Organisation acknowledges that the Commission shall be entitled to publish and make available to the public this Undertaking and the summary of the Commission’s findings set out at Schedule A to this Undertaking. Page 1 of 8 The terms of this Undertaking may be varied by the written agreement of the Commission and the Organisation. SIGNED, for and on behalf of ) AEM Holdings Ltd. ) By the following: ) Name: ______________________________________ ) Designation: _________________________________ ) Date: _______________________________________ ) Page 2 of 8 SCHEDULE A Page 3 of 8 SUMMARY OF FACTS 1. On 1 July 2022, the PDPC was informed by the Organisation about the deployment of ransomware on its network. 2. 
As a result, the personal data of 18,135 individuals including their names, personal contact information, identification numbers, employment records, date of birth, race, religion, COVID-19 test results and vaccination information, shareholding information, employee bank account number, profile photographs and fingerprints were encrypted and/or exfiltrated. 3. To prevent a recurrence of a similar incident, the Organisation took immediate remedial action to address the cause of the personal data breach. SCHEDULE B REMEDIATION PLAN (columns: S/N; Item; Status; Target Completion) 1. Implement a third party vendor cybersecurity risk management policy. Status: In progress. Target Completion: June 2023. 2. Implement a standard set of contractual clauses for use in, as well as a contracting playbook to rely on when negotiating, contracts with relevant third party vendors identified following implementation of the third party vendor cybersecurity risk management policy referenced in s/n 1 above. Status: In progress. Target Completion: Q3 2023. 3. Perform regular cybersecurity reviews, with prompt action to be taken for any identified risks as reasonably practicable. Status: Periodic. Target Completion: Periodic. 4. Review and enhance the data classification policy. Status: In progress. Target Completion: June 2023. SCHEDULE C Case number: DP-2207-B9942 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 (“the Act”) And (1) AEM Holdings Ltd. (UEN No. 200006417D) … Organisation DECLARATION I refer to the voluntary undertaking dated _______________ given by the Organisation to the Personal Data Protection Commission pursuant to section 48L of the Act (“the Undertaking”). I declare that the remediation plan set out at Schedule B of the Undertaking has been completed. 
I acknowledge that by making a false declaration or providing false or misleading information to the Personal Data Protection Commission, I may be prosecuted for offences under section 51(3)(c) of the Personal Data Protection Act 2012 and/or section 182 of the Penal Code 1871. ________________________ Signature _______________________ Date ________________________ ________________________ Name Designation ",1006 58,8d731a7a02ba4f5eb35484f4ee16710be29f5571,33,AEM Holdings Ltd,https://www.pdpc.gov.sg/undertakings/undertaking-by-aem-holdings-ltd,2023-12-14,"Background  The Personal Data Protection Commission (the ""Commission"") was notified by AEM Holdings Ltd. (""AEM"") on 1 July 2022 of a personal data breach involving the unauthorised access and exfiltration of personal data. Investigations revealed that a malicious actor had likely obtained initial access to AEM's IT environment through a virtual private network (""VPN"") appliance owned, controlled, and maintained by its vendor. The VPN appliance contained a known critical vulnerability, as the vendor had not updated it. The malicious actor had likely exploited that vulnerability to obtain VPN credentials and session information. The malicious actor successfully deployed ransomware, encrypting and/or exfiltrating the personal data of 18,135 individuals (the ""Incident""). The personal data affected included their identification numbers, personal contact information, employee status, salary, leave records, date of birth, race, religion, COVID-19 test results, body temperatures for COVID-19 measures, vaccination information, list of shareholders, employee bank account numbers, profile photographs, and fingerprints. 
Remedial Actions After the incident, as part of a remediation plan, AEM put in place the following measures: (a) Implemented a third-party vendor cybersecurity risk management policy; (b) Implemented standard contractual clauses for contracting with third-party vendors; (c) Implemented regular cybersecurity reviews; and (d) Reviewed and enhanced its data classification policy. The Commission was also satisfied with the additional actions undertaken by AEM. Undertaking  Having considered the circumstances of the case, the Commission accepted an undertaking from AEM to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 2 May 2023 (the ""Undertaking""). The Commission accepted the Undertaking having considered the number of affected individuals, the types of personal data involved and the impact of the Incident. Accepting the Undertaking was also consistent with the Commission's practice with respect to other personal data breaches similar to the one that affected AEM. AEM has since updated the Commission that it has completed the implementation of its remediation plan. The Commission has reviewed the matter and is satisfied that AEM has complied with the terms of the Undertaking. Please click here to view the Undertaking.",https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/undertakings/undertaking---aem-holdings-ltd.pdf,"VOLUNTARY UNDERTAKING UNDER SECTION 48L OF THE PERSONAL DATA PROTECTION ACT 2012 Case number: DP-2207-9942 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 (“the Act”) And (1) AEM Holdings Ltd. (UEN No. 200006417D) … Organisation The Commission has reasonable grounds to believe that the Organisation has not complied, is not complying or is likely not to comply with section 24 of the Act. 
In order for the Commission to suspend its investigation pursuant to section 50(3)(ca) of the Act, the Organisation HEREBY UNDERTAKES that it will: (a) Complete the remediation plan set out at Schedule B within the timelines stated in Schedule B; and (b) Within 14 days of the completion of the remediation plan set out at Schedule B, provide the Commission with a copy of the declaration set out at Schedule C duly signed by the signatory of this Undertaking or a representative of the Organisation of equal designation. The Organisation acknowledges that the Commission shall be entitled to publish and make available to the public this Undertaking and the summary of the Commission’s findings set out at Schedule A to this Undertaking. Page 1 of 8 The terms of this Undertaking may be varied by the written agreement of the Commission and the Organisation. SIGNED, for and on behalf of ) AEM Holdings Ltd. ) By the following: ) Name: ______________________________________ ) Designation: _________________________________ ) Date: _______________________________________ ) SCHEDULE A SUMMARY OF FACTS 1. On 1 July 2022, the PDPC was informed by the Organisation about the deployment of ransomware on its network. 2. As a result, the personal data of 18,135 individuals including their names, personal contact information, identification numbers, employment records, date of birth, race, religion, COVID-19 test results and vaccination information, shareholding information, employee bank account number, profile photographs and fingerprints were encrypted and/or exfiltrated. 3. To prevent a recurrence of a similar incident, the Organisation took immediate remedial action to address the cause of the personal data breach. SCHEDULE B REMEDIATION PLAN (columns: S/N; Item; Status; Target Completion) 1. Implement a third party vendor cybersecurity risk management policy. Status: In progress. Target Completion: June 2023. 
2. Implement a standard set of contractual clauses for use in, as well as a contracting playbook to rely on when negotiating, contracts with relevant third party vendors identified following implementation of the third party vendor cybersecurity risk management policy referenced in s/n 1 above. Status: In progress. Target Completion: Q3 2023. 3. Perform regular cybersecurity reviews, with prompt action to be taken for any identified risks as reasonably practicable. Status: Periodic. Target Completion: Periodic. 4. Review and enhance the data classification policy. Status: In progress. Target Completion: June 2023. SCHEDULE C Case number: DP-2207-B9942 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 (“the Act”) And (1) AEM Holdings Ltd. (UEN No. 200006417D) … Organisation DECLARATION I refer to the voluntary undertaking dated _______________ given by the Organisation to the Personal Data Protection Commission pursuant to section 48L of the Act (“the Undertaking”). I declare that the remediation plan set out at Schedule B of the Undertaking has been completed. I acknowledge that by making a false declaration or providing false or misleading information to the Personal Data Protection Commission, I may be prosecuted for offences under section 51(3)(c) of the Personal Data Protection Act 2012 and/or section 182 of the Penal Code 1871. ________________________ Signature _______________________ Date ________________________ ________________________ Name Designation ",1007 32,91301e7edd0c4a62c2cf819d8e3b96aaa3ff3480,32,Starbucks Coffee Singapore Pte Ltd,https://www.pdpc.gov.sg/Undertakings/Undertaking-by-Starbucks-Coffee-Singapore-Pte-Ltd,2023-11-10,"Background  On 13 September 2022, the Personal Data Protection Commission (the “Commission”) reached out to Starbucks Coffee Singapore Pte. Ltd. (the “Organisation”) after receiving information that personal data purporting to belong to the Organisation’s customers were available for sale online. 
The Organisation lodged a data breach notification with the Commission on 15 September 2022 and confirmed that its customer database, managed by its data intermediary, Ascentis Pte. Ltd. (“Ascentis”), had been compromised by an unknown threat actor. As a result, the personal data of approximately 332,774 individuals including their names, phone numbers, email addresses, addresses, date of birth and membership information was compromised. Investigations revealed that the personal data breach could not be directly attributed to the Organisation but had occurred due to internal lapses on Ascentis’ end. Ascentis had engaged an overseas vendor, Kyanon Digital Co. Ltd (“Kyanon”), which was based in Vietnam, to complement and be part of the development team assisting in its project implementation for the Organisation. However, Ascentis failed to implement reasonable administrative and technical measures to ensure that Kyanon complied with its IT policies and standards. Remedial Actions After the incident, as part of a remediation plan, the Organisation implemented the following: (a) Requested its vendor to implement two-factor authentication and IP address restriction for access to the admin portal of the customer database; (b) Reset the application programming interface as a precautionary measure; (c) Audited the processes of its vendor and required it to improve its monitoring and security processes; (d) Reviewed its existing contracts with 3rd party vendors; and (e) Notified all affected customers. Undertaking  The Commission accepted the Undertaking as it was satisfied that, notwithstanding that the data breach was caused by internal lapses at Ascentis, the Organisation could further improve the contractual stipulations for, and its handling of, its data intermediaries. The Organisation has since updated the Commission that it has fully implemented its remediation plan. 
The Commission has reviewed the matter and determined that the Organisation has complied with the terms of the Undertaking. Please click here to view the Undertaking.",https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Undertakings/Undertaking---Starbucks-Coffee-Singapore-Pte-Ltd_2023.pdf,"VOLUNTARY UNDERTAKING UNDER SECTION 48L OF THE PERSONAL DATA PROTECTION ACT 2012 Case number: DP-2209-C0193 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 (“the Act”) And (1) Starbucks Coffee Singapore Pte. Ltd. (UEN No. 198800670D) … Organisation The Commission has reasonable grounds to believe that the Organisation has not complied, is not complying or is likely not to comply with section 24 of the Act. In order for the Commission to suspend its investigation pursuant to section 50(3)(ca) of the Act, the Organisation HEREBY UNDERTAKES that it will: (a) Complete the remediation plan set out at Schedule B within the timelines stated in Schedule B; and (b) Within 14 days of the completion of the remediation plan set out at Schedule B, provide the Commission with a copy of the declaration set out at Schedule C duly signed by the signatory of this Undertaking or a representative of the Organisation of equal designation. The Organisation acknowledges that the Commission shall be entitled to publish and make available to the public this Undertaking and the summary of the Commission’s findings set out at Schedule A to this Undertaking. The terms of this Undertaking may be varied by the written agreement of the Commission and the Organisation. SIGNED, for and on behalf of ) Starbucks Coffee Singapore Pte. Ltd. ) By the following: ) Name: ______________________________________ ) Designation: _________________________________ ) Date: _______________________________________ ) SCHEDULE A SUMMARY OF FACTS 1. 
On 15 September 2022, the Commission was informed that personal data purported to be from the Organisation’s Singapore customers were available on the dark web. 2. Investigation revealed that the above-mentioned personal data were indeed from the Organisation’s customer database and this database was handled by Ascentis Pte. Ltd (“Ascentis”), an external vendor contracted to provide IT solutions since 2014. 3. The cause of the data breach incident was due to lapses within Ascentis and its overseas vendor which led to a compromise of an administrator account with access to the Organisation’s customer database. As a result, the personal data of approximately 332,774 individuals including their names, phone numbers, email addresses, addresses, date of birth and membership information was compromised. SCHEDULE B REMEDIATION PLAN (No.; Remediation action; Status; Target completion) 1. Vendor relationship management: Starbucks SG will require Ascentis to update Starbucks SG in writing as soon as possible, but not later than 21 working days after the change has taken effect, of changes in their contractors or business structure which will impact/affect Starbucks SG’s services delivery, including any changes in their business structure or any Project Team (roles and responsibilities) movement. (Completed; With immediate effect.) 2. Starbucks SG will perform vendor assessment on Ascentis using Starbucks SG’s internal Cybersecurity Assessment Form and Vendor Evaluation Form. (Completed; 30-Nov-22) 3. Starbucks SG will review the audit report after Ascentis has performed their own audit on their subcontractors who handle any of Starbucks SG’s operations or matters. If any deficiencies are noted in relation to any subcontractor, Starbucks SG would require Ascentis to rectify the deficiencies noted in the audit report. (Completed; 15 February 2023) 4. If the audits conducted in items 2 and 3 above are unsatisfactory, Starbucks SG will require Ascentis to rectify any deficiencies. Thereafter, Starbucks SG will carry out a further security audit on Ascentis to verify that all rectification works have been completed. (In Progress; May 2023) 5. Starbucks SG will review Ascentis’ ex-employee’s compromised account profile for any suspicious activity in the past one year. Starbucks SG will take necessary actions following the discovery of any suspicious activity. (Completed; February 2023) 6. Starbucks SG will review Ascentis’ processes, and will restrict admin portal access based on IP address. (Completed; 27-Sep-22) 7. Starbucks SG will set up a virtual private network to connect to and access the admin portal of the e-commerce system. (Completed; 27-Sep-22) 8. Starbucks SG will require Ascentis to review and improve personal data stored on the e-commerce module such that customer data is only stored when strictly necessary. Starbucks SG will further require Ascentis to purge unnecessary account information, review data retention in e-commerce and define a retention period. Starbucks SG will carry out follow-up checks to ensure that the above are carried out. (Completed; 28-Oct-22) 9. Starbucks SG will require Ascentis to implement two-factor authentication to access any admin portal. (In progress; By 30-Apr-23) 10. Starbucks SG will require Ascentis to implement customer access geo-restrictions. (Completed; 16-Sep-22) 11. Starbucks SG will require Ascentis to improve on its processes on monitoring users’ activity logs. This includes reviewing the existing event monitoring implementation and looking at implementing rule-based alerts to manage all logs for automatic anomaly detection and log management. (In Progress; By 31-Mar-23) 12. Starbucks SG will require Ascentis to do the following: (a) put in place processes such that Starbucks SG is the gatekeeper/approving party when creating and removing users in the e-commerce admin portal; (b) any Ascentis admin user that is created should be approved by Starbucks SG; (c) where any Ascentis admin user is terminated, Ascentis should promptly inform Starbucks for immediate deprovisioning; (d) any Starbucks admin user creation and termination will be done and approved by Starbucks IT; and (e) review and disable inactive users and shared accounts accessing the e-commerce admin portal. (Completed; 16-Sep-22) 13. Starbucks SG will require Ascentis to: (a) review Ascentis' admin portal Role-based Access; (b) review all access rights granted in the admin portal, to ensure only required permissions are granted to approved personnel and roles assigned; and (c) review if the proper rights are given to each role. (Completed; 31-Oct-22) 14. Starbucks SG will require Ascentis to ensure that the application programming interface is reset (API Access Key) as a precautionary measure. (Completed; 19-Sep-22) 15. Starbucks SG will review its existing contracts with Ascentis and include relevant data protection clauses that set out clearly the obligations and responsibilities of all parties to comply with the PDPA. (In Progress; By Mid 2023) SCHEDULE C Case number: DP-2209-C0193 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 (“the Act”) And (1) Starbucks Coffee Singapore Pte. Ltd. (UEN No. 198800670D) … Organisation DECLARATION I refer to the voluntary undertaking dated _______________ given by the Organisation to the Personal Data Protection Commission pursuant to section 48L of the Act (“the Undertaking”). I declare that the remediation plan set out at Schedule B of the Undertaking has been completed. 
I acknowledge that by making a false declaration or providing false or misleading information to the Personal Data Protection Commission, I may be prosecuted for offences under section 51(3)(c) of the Personal Data Protection Act 2012 and/or section 182 of the Penal Code 1871. ________________________ Signature _______________________ Date ________________________ ________________________ Name Designation ",1003 57,b94696ca6daf2b2452a0b9ec23e6e0eff3a0c2d2,32,Starbucks Coffee Singapore Pte Ltd,https://www.pdpc.gov.sg/undertakings/undertaking-by-starbucks-coffee-singapore-pte-ltd,2023-11-10,"Background  On 13 September 2022, the Personal Data Protection Commission (the “Commission”) reached out to Starbucks Coffee Singapore Pte. Ltd. (the “Organisation”) after receiving information that personal data purporting to belong to the Organisation’s customers were available for sale online. The Organisation lodged a data breach notification to the Commission on 15 September 2022 and confirmed that its customer database, managed by its data intermediary, Ascentis Pte. Ltd. (“Ascentis”), was compromised by an unknown threat actor. As a result, the personal data of approximately 332,774 individuals including their names, phone numbers, email addresses, addresses, date of birth and membership information was compromised. Investigations revealed that the personal data breach could not be directly attributed to the Organisation but had occurred due to internal lapses on Ascentis’ end. Ascentis had engaged an overseas vendor, Kyanon Digital Co. Ltd (“Kyanon”), which was based in Vietnam, to complement and be part of the development team to assist in its project implementation for the Organisation. However, Ascentis failed to implement reasonable administrative and technical measures to ensure that Kyanon was in compliance with its IT policies and standards. 
Remedial Actions After the incident, as part of a remediation plan, the Organisation implemented the following: (a) Requested its vendor to implement two-factor authentication and IP address restriction to access the admin portal of the customer database; (b) Reset the application programming interface as a precautionary measure; (c) Audited the processes of its vendor and required them to improve on their monitoring and security processes; (d) Reviewed its existing contracts with 3rd party vendors; and (e) Notified all affected customers. Undertaking The Commission accepted the Undertaking as it was satisfied that, notwithstanding that the cause of the data breach occurred due to the internal lapses by Ascentis, the Organisation could further improve on the contractual stipulation and handling of its data intermediaries. The Organisation has since updated the Commission that it has fully implemented its remediation plan. The Commission has reviewed the matter and determined that the Organisation has complied with the terms of the Undertaking. Please click here to view the Undertaking.",https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/undertakings/undertaking---starbucks-coffee-singapore-pte-ltd_2023.pdf,"VOLUNTARY UNDERTAKING UNDER SECTION 48L OF THE PERSONAL DATA PROTECTION ACT 2012 Case number: DP-2209-C0193 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 (“the Act”) And (1) Starbucks Coffee Singapore Pte. Ltd. (UEN No. 198800670D) … Organisation The Commission has reasonable grounds to believe that the Organisation has not complied, is not complying or is likely not to comply with section 24 of the Act. 
In order for the Commission to suspend its investigation pursuant to section 50(3)(ca) of the Act, the Organisation HEREBY UNDERTAKES that it will: (a) Complete the remediation plan set out at Schedule B within the timelines stated in Schedule B; and (b) Within 14 days of the completion of the remediation plan set out at Schedule B, provide the Commission with a copy of the declaration set out at Schedule C duly signed by the signatory of this Undertaking or a representative of the Organisation of equal designation. The Organisation acknowledges that the Commission shall be entitled to publish and make available to the public this Undertaking and the summary of the Commission’s findings set out at Schedule A to this Undertaking. The terms of this Undertaking may be varied by the written agreement of the Commission and the Organisation. SIGNED, for and on behalf of ) Starbucks Coffee Singapore Pte. Ltd. ) By the following: ) Name: ______________________________________ ) Designation: _________________________________ ) Date: _______________________________________ ) SCHEDULE A SUMMARY OF FACTS 1. On 15 September 2022, the Commission was informed that personal data purported to be from the Organisation’s Singapore customers were available on the dark web. 2. Investigation revealed that the above-mentioned personal data were indeed from the Organisation’s customer database and this database was handled by Ascentis Pte. Ltd (“Ascentis”), an external vendor contracted to provide IT solutions since 2014. 3. The cause of the data breach incident was due to lapses within Ascentis and its overseas vendor which led to a compromise of an administrator account with access to the Organisation’s customer database. As a result, the personal data of approximately 332,774 individuals including their names, phone numbers, email addresses, addresses, date of birth and membership information was compromised. 
SCHEDULE B REMEDIATION PLAN (No.; Remediation action; Status; Target completion) 1. Vendor relationship management: Starbucks SG will require Ascentis to update Starbucks SG in writing as soon as possible, but not later than 21 working days after the change has taken effect, of changes in their contractors or business structure which will impact/affect Starbucks SG’s services delivery, including any changes in their business structure or any Project Team (roles and responsibilities) movement. (Completed; With immediate effect.) 2. Starbucks SG will perform vendor assessment on Ascentis using Starbucks SG’s internal Cybersecurity Assessment Form and Vendor Evaluation Form. (Completed; 30-Nov-22) 3. Starbucks SG will review the audit report after Ascentis has performed their own audit on their subcontractors who handle any of Starbucks SG’s operations or matters. If any deficiencies are noted in relation to any subcontractor, Starbucks SG would require Ascentis to rectify the deficiencies noted in the audit report. (Completed; 15 February 2023) 4. If the audits conducted in items 2 and 3 above are unsatisfactory, Starbucks SG will require Ascentis to rectify any deficiencies. Thereafter, Starbucks SG will carry out a further security audit on Ascentis to verify that all rectification works have been completed. (In Progress; May 2023) 5. Starbucks SG will review Ascentis’ ex-employee’s compromised account profile for any suspicious activity in the past one year. Starbucks SG will take necessary actions following the discovery of any suspicious activity. (Completed; February 2023) 6. Starbucks SG will review Ascentis’ processes, and will restrict admin portal access based on IP address. (Completed; 27-Sep-22) 7. Starbucks SG will set up a virtual private network to connect to and access the admin portal of the e-commerce system. (Completed; 27-Sep-22) 8. Starbucks SG will require Ascentis to review and improve personal data stored on the e-commerce module such that customer data is only stored when strictly necessary. Starbucks SG will further require Ascentis to purge unnecessary account information, review data retention in e-commerce and define a retention period. Starbucks SG will carry out follow-up checks to ensure that the above are carried out. (Completed; 28-Oct-22) 9. Starbucks SG will require Ascentis to implement two-factor authentication to access any admin portal. (In progress; By 30-Apr-23) 10. Starbucks SG will require Ascentis to implement customer access geo-restrictions. (Completed; 16-Sep-22) 11. Starbucks SG will require Ascentis to improve on its processes on monitoring users’ activity logs. This includes reviewing the existing event monitoring implementation and looking at implementing rule-based alerts to manage all logs for automatic anomaly detection and log management. (In Progress; By 31-Mar-23) 12. Starbucks SG will require Ascentis to do the following: (a) put in place processes such that Starbucks SG is the gatekeeper/approving party when creating and removing users in the e-commerce admin portal; (b) any Ascentis admin user that is created should be approved by Starbucks SG; (c) where any Ascentis admin user is terminated, Ascentis should promptly inform Starbucks for immediate deprovisioning; (d) any Starbucks admin user creation and termination will be done and approved by Starbucks IT; and (e) review and disable inactive users and shared accounts accessing the e-commerce admin portal. (Completed; 16-Sep-22) 13. Starbucks SG will require Ascentis to: (a) review Ascentis' admin portal Role-based Access; (b) review all access rights granted in the admin portal, to ensure only required permissions are granted to approved personnel and roles assigned; and (c) review if the proper rights are given to each role. (Completed; 31-Oct-22) 14. Starbucks SG will require Ascentis to ensure that the application programming interface is reset (API Access Key) as a precautionary measure. (Completed; 19-Sep-22) 15. Starbucks SG will review its existing contracts with Ascentis and include relevant data protection clauses that set out clearly the obligations and responsibilities of all parties to comply with the PDPA. (In Progress; By Mid 2023) SCHEDULE C Case number: DP-2209-C0193 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 (“the Act”) And (1) Starbucks Coffee Singapore Pte. Ltd. (UEN No. 198800670D) … Organisation DECLARATION I refer to the voluntary undertaking dated _______________ given by the Organisation to the Personal Data Protection Commission pursuant to section 48L of the Act (“the Undertaking”). I declare that the remediation plan set out at Schedule B of the Undertaking has been completed. I acknowledge that by making a false declaration or providing false or misleading information to the Personal Data Protection Commission, I may be prosecuted for offences under section 51(3)(c) of the Personal Data Protection Act 2012 and/or section 182 of the Penal Code 1871. ________________________ Signature _______________________ Date ________________________ ________________________ Name Designation ",1007 31,f981ac0d28f349a756b93a3180f8b6337d51dec5,31,OG Pte Ltd,https://www.pdpc.gov.sg/Undertakings/Undertaking-by-OG-Pte-Ltd,2023-08-16,"Background  On 4 January 2022, OG Private Limited (the ""Organisation"") received a ransom email from Desorden Group. The email claimed that Desorden Group had hacked into the Organisation and stolen personal data belonging to the Organisation's customers. The Desorden Group demanded a ransom of USD$90,000 in return for not publishing the stolen data. 
Investigations revealed that the threat actor had conducted a brute-force SQL injection attack and was able to download 3 databases. Two of these databases contained ""dummy data"" for internal testing while the third database contained the personal data (including the name, gender, address, date of birth, email address, telephone numbers and the encrypted NRIC numbers and passwords) of approximately 276,677 individuals. The impact of the ransomware attack on the Organisation was limited as the Organisation's data intermediary, Poket Pte Ltd (""Poket""), responded quickly. Within 8 minutes of receiving the security notifications that abnormal traffic had been detected, Poket shut down the affected servers and blocked access to the Organisation's databases. Remedial Actions After the incident, as part of a remediation plan, the Organisation implemented the following: (a) SQL injection prevention enhancement; (b) Streamline data storage; (c) Harden web portal security; (d) Implement annual security review; and (e) Tighten protocols for contracting with 3rd party vendors. Undertaking Having considered the circumstances of the case, the Commission accepted an undertaking from the Organisation to improve its compliance with the PDPA. The Commission accepted the undertaking after considering the security arrangements the Organisation had in place to protect the personal data of individuals in its possession or control and the prompt response taken by the Organisation which mitigated the effect of the ransomware attack. The undertaking was executed on 3 June 2022 (the ""Undertaking""). The Organisation has since updated the Commission that it has fully implemented its remediation plan. The Commission has reviewed the matter and determined that the Organisation has complied with the terms of the Undertaking. 
Please click here to view the Undertaking.",https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Undertakings/Undertaking---OG-Private-Limited.pdf,"WRITTEN VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Personal Data Protection Commission or its delegates pursuant to section 48L(1) of the PDPA, by: OG Private Limited UEN: 196200157H Registered Address: 60 Albert Street #05-01 (189969) OG Albert Complex, Singapore (hereinafter referred to as the “Organisation”). By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. DEFINITIONS 1.1 In this Undertaking: (a) “PDPA” means the Personal Data Protection Act 2012; and (b) “Relevant Provisions” means the provisions in Parts III, IV, V, VI, VIA and IX, and section 48B(1) of the PDPA. 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) The Commission has carried out investigations into certain acts and practices of the Organisation, and has reason to believe that the Organisation has not complied, is not complying, or is likely not to comply with one or more of the Relevant Provisions. The relevant facts and circumstances are summarised at Schedule A. (b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to issue directions under sections 48I or 48J of the PDPA. (c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation appears ready to implement or is in the midst of implementing the steps set out in Schedule B. 
(d) Having carefully considered all the relevant facts and circumstances, the Commission takes the view that this is an appropriate case in which an Undertaking may be accepted. 2.2 The Organisation also acknowledges and agrees that the Commission may publish and make publicly available this Undertaking, and without limitation to the foregoing, the Commission may issue public statements referring to this Undertaking and/or its contents in whole or in part. 3. UNDERTAKINGS 3.1 The Organisation undertakes that it has taken, or will take all necessary steps, to carry out the actions or refrain from carrying out the actions referred to in Schedule B, and where applicable, in accordance with the stipulated timelines. 4. COMMENCEMENT 4.1 This Undertaking shall take effect upon the acceptance by the Commission of the Organisation's duly executed Undertaking. 5. THE COMMISSION’S STATUTORY POWERS 5.1 In order to provide the Organisation with an opportunity to complete all necessary steps to implement its undertakings set out in clause 3 above, the Commission will exercise its powers under section 50(3)(ca) of the PDPA to suspend the investigations referred to in clause 2 on the date the Undertaking takes effect as set out in clause 4.1. 5.2 The Organisation acknowledges that the Commission will verify the Organisation’s compliance with its undertakings set out in clause 3 above, and if necessary, will exercise its powers under the Ninth Schedule of the PDPA to do so. 5.3 Clause 5.1 above shall be without prejudice to the Commission’s statutory powers to conduct or resume, at any time, the investigations referred to in clause 2 above if it thinks fit, including but not limited to the situation where the Organisation fails to comply with this Undertaking or part thereof in relation to any matter. 
5.4 Nothing in this Undertaking, including the Commission’s acceptance of the Undertaking, is intended to, or shall, fetter or constrain the Commission's rights and statutory powers (including but not limited to those under sections 48I, 48J, 48L(4) and 50 of the PDPA) in any manner. Neither shall it be construed as creating any anticipation or expectation that the Commission will take or not take any particular course of action in the future (whether in the present case or in respect of any other case concerning a breach or suspected breach of the PDPA). The acceptance of this Undertaking is strictly confined to the particular facts of the present case, and is made on the basis of the representations and information provided by the Organisation. The acceptance of an Undertaking in this case shall not be construed as establishing any precedent. 6. VARIATION 6.1 This Undertaking may be varied only with the express written agreement of the Commission. This document has been electronically signed. The Parties hereby affirm that the electronic signatures have been affixed with the due authorisation of each Party and that the Parties intend for the electronic signatures to carry the same weight, effect and meaning as hand-signed wet-ink signatures. SIGNED, for and on behalf of OG Private Limited By the following: Name: Designation: Date: ACCEPTED by Name: Designation: Deputy Commissioner/Commissioner Personal Data Protection Date: SCHEDULE A SUMMARY OF FACTS 1. On 4 January 2022, OG Private Limited received emails from Desorden Group stating that personal data had been stolen and demanding a ransom of USD$90,000 in return for not publishing the stolen data. It was identified that a threat actor had conducted a Bruteforce SQL Injection attack and was able to download 3 databases. 
As a result of the attack, the personal data of approximately 276,677 individuals held by the Organisation, including their name, gender, address, date of birth, email address, telephone numbers, NRIC numbers (encrypted) and passwords (encrypted), could have been affected. SCHEDULE B S/N Item Status Target Completion (MMM-YY) 1. SQL Injection Prevention Enhancement: Strengthened the existing SQL injection code to prevent future brute force SQL injection attacks. (Completed; Jan-22) 2. Additional IP Blocking Measure: To further shorten the lead-time for blocking suspicious traffic, the system was upgraded to automatically block any IP generating 50 or more connections per minute at any time. With this implementation, there are now 2 levels of checking/blocking. First, the system will automatically block suspicious traffic. Second, the system continues to send suspicious activity alerts to our vendors’ 24/7 duty team who will investigate and respond appropriately. (Completed; Jan-22) 3. Data Security Enhancement: After the attack, we increased the security of the personal data in the database: i. Encrypted member names ii. Encrypted email addresses iii. Encrypted mobile phone numbers (Completed; Jan-22) Completed Jan-22 Completed Jan-22 In progress Jun-22 Harden Web Portal Security: i. Carrying out Vulnerability Assessment and Penetration Testing (VAPT) ii. Updating and patching server software iii. Installing or updating appropriate computer security software (including virus checking) In progress Jul-22 Streamline Data Storage: We made changes to our membership program to enable further reduction in the types of personal data that we collect and store: i. Deleted member dates of birth from the server ii. Deleted member NRIC numbers from the server Immediate Password Security Measure: i. Changed system setting to force members to reset their passwords on next login. ii. Changed passwords for all online databases and cloud-based services. 
Tighten System Security: Comprehensive security review including: i. Implement reCAPTCHA to detect abusive traffic and prevent brute force attacks. Additional Data Security Enhancement (In progress; Aug-22): Encrypt member address. The data encryption algorithm is the AES-256 algorithm with a secret key. Implement Annual System Security Review (On-going; On-going): Establish SOP for annual security review and Vulnerability Assessment and Penetration Testing (VAPT). 10 Hardening of Website Security (In progress; Sep-22): In addition to the AWS Firewall on server level, will implement an additional Firewall on application level to harden the security. 11 Implementation of Two-Factor Authentication (In progress; Oct-22): Two-Factor Authentication (“2FA”) will be implemented for all admin users’ login. 12 Tighten Protocols for Contracting with 3rd Party Vendors (In progress; Nov-22): i. Vendor selection due diligence ii. Checklists for IT vendors providing IT solutions iii. Checklists for vendors processing personal data iv. SOPs for 3rd parties handling personal data v. Review contract terms and conditions for adequate protection and risk management, and compliance with data protection regulations. 13 In-house PDP review and implement PDP Training (In Progress; Nov-22): Engage PDP consultant firm to review existing data protection protocols and implement SOP for ongoing training of employees and/or associates in handling of personal data and ensuring data security. ",1004 56,65c50fee3566ffc362b1600f2f2b169abc150f95,31,OG Pte Ltd,https://www.pdpc.gov.sg/undertakings/undertaking-by-og-pte-ltd,2023-08-16,"Background  On 4 January 2022, OG Private Limited (the ""Organisation"") received a ransom email from Desorden Group. The email claimed that Desorden Group had hacked into the Organisation and stolen personal data belonging to the Organisation's customers. The Desorden Group demanded a ransom of USD$90,000 in return for not publishing the stolen data. 
Investigations revealed that the threat actor had conducted a brute-force SQL injection attack and was able to download 3 databases. Two of these databases contained ""dummy data"" for internal testing while the third database contained the personal data (including the name, gender, address, date of birth, email address, telephone numbers and the encrypted NRIC numbers and passwords) of approximately 276,677 individuals. The impact of the ransomware attack on the Organisation was limited as the Organisation's data intermediary, Poket Pte Ltd (""Poket""), responded quickly. Within 8 minutes of receiving the security notifications that abnormal traffic had been detected, Poket shut down the affected servers and blocked access to the Organisation's databases. Remedial Actions After the incident, as part of a remediation plan, the Organisation implemented the following: (a) SQL injection prevention enhancement; (b) Streamline data storage; (c) Harden web portal security; (d) Implement annual security review; and (e) Tighten protocols for contracting with 3rd party vendors. Undertaking Having considered the circumstances of the case, the Commission accepted an undertaking from the Organisation to improve its compliance with the PDPA. The Commission accepted the undertaking after considering the security arrangements the Organisation had in place to protect the personal data of individuals in its possession or control and the prompt response taken by the Organisation which mitigated the effect of the ransomware attack. The undertaking was executed on 3 June 2022 (the ""Undertaking""). The Organisation has since updated the Commission that it has fully implemented its remediation plan. The Commission has reviewed the matter and determined that the Organisation has complied with the terms of the Undertaking. 
Please click here to view the Undertaking.",https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/undertakings/undertaking---og-private-limited.pdf,"WRITTEN VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Personal Data Protection Commission or its delegates pursuant to section 48L(1) of the PDPA, by: OG Private Limited UEN: 196200157H Registered Address: 60 Albert Street #05-01 (189969) OG Albert Complex, Singapore (hereinafter referred to as the “Organisation”). By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. DEFINITIONS 1.1 In this Undertaking: (a) “PDPA” means the Personal Data Protection Act 2012; and (b) “Relevant Provisions” means the provisions in Parts III, IV, V, VI, VIA and IX, and section 48B(1) of the PDPA. 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) The Commission has carried out investigations into certain acts and practices of the Organisation, and has reason to believe that the Organisation has not complied, is not complying, or is likely not to comply with one or more of the Relevant Provisions. The relevant facts and circumstances are summarised at Schedule A. (b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to issue directions under sections 48I or 48J of the PDPA. (c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation appears ready to implement or is in the midst of implementing the steps set out in Schedule B. 
(d) 2.2 Having carefully considered all the relevant facts and circumstances, the Commission takes the view that this is an appropriate case in which an Undertaking may be accepted. The Organisation also acknowledges and agrees that the Commission may publish and make publicly available this Undertaking, and without limitation to the foregoing, the Commission may issue public statements referring to this Undertaking and/or its contents in whole or in part. UNDERTAKINGS 3.1 The Organisation undertakes that it has taken, or will take all necessary steps, to carry out the actions or refrain from carrying out the actions referred to in Schedule B, and where applicable, in accordance with the stipulated timelines. COMMENCEMENT 4.1 This Undertaking shall take effect upon the acceptance by the Commission of the Organisation's duly executed Undertaking. THE COMMISSION’S STATUTORY POWERS 5.1 In order to provide the Organisation with an opportunity to complete all necessary steps to implement its undertakings set out in clause 3 above, the Commission will exercise its powers under section 50(3)(ca) of the PDPA to suspend the investigations referred to in clause 2 on the date the Undertaking takes effect as set out in clause 4.1. 5.2 The Organisation acknowledges that the Commission will verify the Organisation’s compliance with its undertakings set out in clause 3 above, and if necessary, will exercise its powers under the Ninth Schedule of the PDPA to do so. 5.3 Clause 5.1 above shall be without prejudice to the Commission’s statutory powers to conduct or resume, at any time, the investigations referred to in clause 2 above if it thinks fit, including but not limited to the situation where the Page 2 of 11 Organisation fails to comply with this Undertaking or part thereof in relation to any matter. 
5.4 Nothing in this Undertaking, including the Commission’s acceptance of the Undertaking, is intended to, or shall, fetter or constrain the Commission's rights and statutory powers (including but not limited to those under sections 481, 484J, 48L(4) and 50 of the PDPA) in any manner. Neither shall be construed as creating any anticipation or expectation that the Commission will take or not take any particular course of action in the future (whether in the present case or in respect of any other case concerning a breach or suspected breach of the PDPA). The acceptance of this Undertaking is strictly confined to the particular facts of the present case, and is made on the basis of the representations and information provided by the Organisation. The acceptance of an Undertaking in this case shall not be construed as establishing any precedent. 6. VARIATION 6.1 This Undertaking may be varied only with the express written agreement of the Commission. This document has been electronically signed. The Parties hereby affirm that the electronic signatures have been affixed with the due authorisation of each Party and that Parties intend for the electronic signatures to carry the same weight, effect and meaning as hand-signed wet-ink signatures. Page 3 of 11 SIGNED, for and on behalf of OG Private Limited By the following: Name: Designation: Date: ACCEPTED by Name: Designation: Deputy Commissioner/Commissioner Personal Data Protection Date: Page 4 of 11 SCHEDULE A Page 5 of 11 SUMMARY OF FACTS 1. On 4 January 2022, OG Private Limited received emails from Desorden Group stating that personal data have been stolen and demanded USD$90,000 in return for not publishing the stolen data. a ransom of It was identified that a threat actor had conducted a Bruteforce SQL Injection attack and was able to download 3 databases. 
As a result of the attack, the personal data of approximately 276,677 individuals, including their name, gender, address, date of birth, email address, telephone numbers, NRIC numbers (encrypted) and passwords (encrypted), could have been affected. SCHEDULE B (S/N, Item, Status, Target Completion (MMM-YY)): 1. SQL Injection Prevention Enhancement (Completed, Jan-22): Strengthened the existing SQL injection code to prevent future brute force SQL injection attacks. 2. Additional IP Blocking Measure (Completed, Jan-22): To further shorten the lead-time for blocking suspicious traffic, the system was upgraded to automatically block any IP generating 50 or more connections per minute at any time. With this implementation, there are now 2 levels of checking/blocking. First, the system will automatically block suspicious traffic. Second, the system continues to send suspicious activity alerts to our vendors’ 24/7 duty team who will investigate and respond appropriately. 3. Data Security Enhancement (Completed, Jan-22): After the attack, we increased the security of the personal data in the database: i. Encrypted member names; ii. Encrypted email addresses; iii. Encrypted mobile phone numbers. 4. Streamline Data Storage (Completed, Jan-22): We made changes to our membership program to enable further reduction in the types of personal data that we collect and store: i. Deleted member dates of birth from the server; ii. Deleted member NRIC numbers from the server. 5. Immediate Password Security Measure (Completed, Jan-22): i. Changed system setting to force members to reset their passwords on next login; ii. Changed passwords for all online databases and cloud-based services. 6. Harden Web Portal Security (In progress, Jun-22): i. Carrying out Vulnerability Assessment and Penetration Testing (VAPT); ii. Updating and patching server software; iii. Installing or updating appropriate computer security software (including virus checking). 7. Tighten System Security (In progress, Jul-22): Comprehensive security review including: i. Implement reCAPTCHA to detect abusive traffic and prevent brute force attack. 8. Additional Data Security Enhancement (In progress, Aug-22): Encrypt member address. The data encryption algorithm is AES-256 algorithm with secret key. 9. Implement Annual System Security Review (On-going, On-going): Establish SOP for annual security review and Vulnerability Assessment and Penetration Testing (VAPT). 10. Hardening of Website Security (In progress, Sep-22): In addition to AWS Firewall on server level, will implement additional Firewall on application level to harden the security. 11. Implementation of Two-Factor Authentication (In progress, Oct-22): Two-Factor Authentication (“2FA”) will be implemented for all admin users login. 12. Tighten Protocols for Contracting with 3rd Party Vendors (In progress, Nov-22): i. Vendor selection due diligence; ii. Checklists for IT vendors providing IT solutions; iii. Checklists for vendors processing personal data; iv. SOPs for 3rd parties handling personal data; v. Review contract terms and conditions for adequate protection and risk management, and compliance with data protection regulations. 13. Inhouse PDP review and implement PDP Training (In Progress, Nov-22): Engage PDP consultant firm to review existing data protection protocols and implement SOP for ongoing training of employees and/or associates in handling of personal data and ensuring data security. ",1007 30,8e81fa3ebd2c63a7421d56f69d93bfd59d34a028,30,Employment and Employability Institute Pte Ltd,https://www.pdpc.gov.sg/Undertakings/Undertaking-by-Employment-and-Employability-Institute-Pte-Ltd,2023-07-20,"Background The Personal Data Protection Commission (the “Commission”) was notified by Employment and Employability Institute Pte. Ltd. on 25 March 2021 of a personal data breach involving its contact centre and data intermediary, i-vic International Pte. Ltd. (“i-vic”).
Investigations revealed that an employee of i-vic had most likely fallen prey to a phishing attack. As a result, a malicious actor successfully downloaded the personal data belonging to 31,002 individuals, from 2 email accounts belonging to the i-vic employee (the “Incident”). The personal data affected included the individuals’ partial or full NRIC, date of birth, telephone number, email address, residential address, highest qualification, and employment details. Further investigations found that i-vic had reasonable security measures in place to protect the personal data that it processes on behalf of e2i. i-vic had anti-virus protection, anti-phishing protection, regular anti-virus scans, security audits and conducted regular patches for its IT system. In fact, i-vic had existing anti-malware software which should have been able to detect the particular malware used in the Incident, but somehow failed to do so. After the Incident, i-vic purchased and deployed additional anti-malware software. Finally, the Commission found that i-vic had comprehensive policies and guidelines in place to protect personal data. While i-vic had reasonable security arrangements in place to protect the personal data it processes, the Commission established that this was entirely on i-vic’s account and not because of e2i’s bidding. e2i had failed to stipulate any specific data protection requirements on i-vic in their contract. e2i also lacked sufficiently robust processes to protect the personal data in its possession or control. i-vic produced evidence of several occasions where e2i’s employees had sent personal data to i-vic without any encryption or protection, which was against e2i’s standard operating procedures. Case No. DP-2106-B8424 A complainant alerted the Commission of a personal data breach involving e2i’s website on 21 June 2021.
e2i's website had been designed in such a way that it would automatically populate and display all the data fields e2i had of an individual in its possession without the need for further authentication once an individual's NRIC number is keyed in to access e2i's website and register for a course, talk, or event. As a result, the personal data of 102,151 individuals was at risk of being disclosed. The personal data affected included the individuals’ name, citizenship, union membership status, gender, race, education, employment information, work experience, background, health records, and other partially masked personal data including NRIC number, date of birth, email address, postal code and contact number. As this personal data breach involving e2i's website occurred when the Commission was investigating Case No. DP-2103-B8132, the Commission considered both cases involving e2i together. Remedial Actions After the incidents, as part of a remediation plan, e2i put in place the following measures which included: (a) Strengthening its data protection governance with the assistance of an independent vendor; (b) Engaging a professional company to conduct IT risk assessment audits on third-party vendors; (c) Implementing a one-time password (""OTP"") authentication for individuals using its website; (d) Ensuring that i-vic has the necessary systems and processes in place to protect personal data; (e) Tightening its vendor selection process; (f) Enhancing its password protection policy; (g) Enhancing its outlook system security; (h) Made continuous effort to conduct regular staff training; and (i) Masking personal data on its website. The Commission was also satisfied with the additional remedial actions undertaken by i-vic. Undertaking Having considered the circumstances of both cases, the Commission accepted an undertaking from e2i to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 10 March 2022 (the Undertaking).
The Commission accepted the Undertaking as it was satisfied that notwithstanding e2i’s failure to stipulate personal data protection requirements in its contract with i-vic, e2i had engaged i-vic on account of i-vic’s good personal data protection policies and processes. For the personal data breach that affected e2i’s website, while the personal data of 102,151 individuals was at risk of being disclosed, the impact of the personal data breach was limited as e2i promptly took remediation action after being alerted by the Commission of the complaint received. e2i worked with its vendor to ensure that save for the last 4 digits of an individual’s contact number, the website no longer displayed any of the personal data fields of an individual. As part of the Undertaking, e2i eventually implemented an OTP authentication for individuals using its website.   The Commission accepted the Undertaking as this is consistent with the Commission’s practice with respect to other personal data breaches similar to the one that affected e2i’s website, where there is no evidence to suggest that there has been unauthorised access or data exfiltration. e2i has since updated the Commission that it has completed the implementation of its remediation plan. The Commission has reviewed the matter and is satisfied that e2i has complied with the terms of the Undertaking. Please click here to view the Undertaking.",https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Undertakings/Undertaking---e2i-2023.pdf,"WRITTEN VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Personal Data Protection Commission or its delegates pursuant to section 48L(1) of the PDPA, by: Employment and Employability Pte. Ltd. UEN: 200704772C Registered Address: 30 Cecil Street, #19-08, Prudential Tower, Singapore 049712 (hereinafter referred to as the “Organisation”). 
By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. DEFINITIONS 1.1 In this Undertaking: (a) “PDPA” means the Personal Data Protection Act 2012 (No. 26 of 2012); and (b) “Relevant Provisions” means the provisions in Parts III, IV, V, VI, VIA and IX, and section 48B(1) of the PDPA. 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) The Commission has carried out investigations into certain acts and practices of the Organisation, and has reason to believe that the Organisation has not complied, is not complying, or is likely not to comply with one or more of the Relevant Provisions. The relevant facts and circumstances are summarised at Schedule A. (b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to issue directions under sections 48I or 48J of the PDPA. (c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation appears ready to implement or is in the midst of implementing the steps set out in Schedule B. (d) Having carefully considered all the relevant facts and circumstances, the Commission takes the view that this is an appropriate case in which an Undertaking may be accepted. 2.2 The Organisation also acknowledges and agrees that the Commission may publish and make publicly available this Undertaking, and without limitation to the foregoing, the Commission may issue public statements referring to this Undertaking and/or its contents in whole or in part. 3.
UNDERTAKINGS 3.1 The Organisation undertakes that it has taken, or will take all necessary steps, to carry out the actions or refrain from carrying out the actions referred to in Schedule B, and where applicable, in accordance with the stipulated timelines. 4. COMMENCEMENT 4.1 This Undertaking shall take effect upon the acceptance by the Commission of the Organisation’s duly executed Undertaking. 5. THE COMMISSION’S STATUTORY POWERS 5.1 In order to provide the Organisation with an opportunity to complete all necessary steps to implement its undertakings set out in clause 3 above, the Commission will exercise its powers under section 50(3)(ca) of the PDPA to suspend the investigations referred to in clause 2 on the date the Undertaking takes effect as set out in clause 4.1. 5.2 The Organisation acknowledges that the Commission will verify the Organisation’s compliance with its undertakings set out in clause 3 above, and if necessary, will exercise its powers under the Ninth Schedule of the PDPA to do so. 5.3 Clause 5.1 above shall be without prejudice to the Commission’s statutory powers to conduct or resume, at any time, the investigations referred to in clause 2 above if it thinks fit, including but not limited to the situation where the Organisation fails to comply with this Undertaking or part thereof in relation to any matter. 5.4 Nothing in this Undertaking, including the Commission’s acceptance of the Undertaking, is intended to, or shall, fetter or constrain the Commission’s rights and statutory powers (including but not limited to those under sections 48I, 48J, 48L(4) and 50 of the PDPA) in any manner. Neither shall be construed as creating any anticipation or expectation that the Commission will take or not take any particular course of action in the future (whether in the present case or in respect of any other case concerning a breach or suspected breach of the PDPA).
The acceptance of this Undertaking is strictly confined to the particular facts of the present case, and is made on the basis of the representations and information provided by the Organisation. The acceptance of an Undertaking in this case shall not be construed as establishing any precedent. 6. VARIATION 6.1 This Undertaking may be varied only with the express written agreement of the Commission. This document has been electronically signed. The Parties hereby affirm that the electronic signatures have been affixed with the due authorisation of each Party and that Parties intend for the electronic signatures to carry the same weight, effect and meaning as hand-signed wet-ink signatures. SIGNED, for and on behalf of ) Employment and Employability Institute Pte. Ltd. ) By the following: ) Name: ______________________________________ ) Designation: _________________________________ ) Date: _______________________________________ ) ACCEPTED by ) ) Name: ______________________________________ ) Designation: Deputy Commissioner Personal Data Protection ) Date: _______________________________________ ) SCHEDULE A SUMMARY OF FACTS DP-2106-B8424 1. On 2 June 2021, the PDPC received feedback of a personal data breach incident by Employment and Employability Institute Pte. Ltd. (""e2i""). When an individual registers for a course, talk or event organised by e2i on e2i’s website, the website would automatically populate and display an individual’s personal data once an individual’s NRIC number is inserted into the website. If an individual uses the person’s NRIC number on e2i’s website, there would be the risk of unauthorised disclosure of personal data by e2i if such use had not been duly authorised. 2. As a result, the personal data of 102,151 individuals was at risk of a potential personal data breach.
The types of personal data affected included the following: i) Name ii) Citizenship iii) Union member status iv) Gender v) Race vi) Highest education level vii) Unemployed since viii) Unemployment duration (months) ix) Reason for unemployment x) Education level detail (field of study, qualification name/title, institution, date of completion) xi) Work experience (From, to, company name, industry, job title, job duties, masked last drawn salary/month) xii) Background and health (Ex-offender, bankruptcy, color blindness, medical illness, drug abuse) xiii) Partially masked NRIC xiv) Partially masked date of birth xv) Partially masked email address xvi) Partially masked postal code xvii) Partially masked contact number (Home/HP) 3. The PDPC notes that there was no evidence of exfiltration of the personal data. DP-2103-B8132 1. On 25 March 2021, the PDPC received a data breach notification from e2i, which involved its outsourced contact centre, i-vic International Pte. Ltd. (“i-vic”). Personal data from 2 email accounts of an i-vic employee was downloaded by a malicious actor. It was found that i-vic had put in place reasonable security arrangements despite the data breach. 2. However, it was found that e2i had failed to stipulate reasonable data protection requirements when selecting i-vic as its data intermediary, and in its contract with i-vic. It was also found that e2i lacked sufficiently robust processes to protect personal data during transmission. There were at least 18 occasions where e2i’s employees had sent large volumes of personal data to i-vic without protection. 3. The personal data of 31,002 individuals was downloaded by a malicious actor in the incident.
The types of personal data affected included the following: i) NRIC ii) Partial NRIC Number iii) Date of Birth iv) Mobile Number v) Landline vi) Email Address vii) Residential Address viii) Highest Qualification ix) Employment Details – containing salary, employment status, occupation or company name SCHEDULE B REMEDIATION PLAN A. In Progress 1. Strengthen e2i’s data protection governance. Remedial steps/measures: This will ensure our Data Protection Management Programme (DPMP) is relevant and optimised for operations and continuous improvements: e2i will appoint an independent vendor to conduct a professional review of our organisation's data protection practices through a comprehensive health check. The scope of engagement will include: • Assessment of our existing data protection policies and practices, and recommend solutions to close gaps; • Conduct a table-top exercise to test the data breach response plan; • Managing our data intermediaries by putting in place governance and risk assessment; policies and practices; service management, and exit management. After the above review has been implemented, the vendor will continue to review our data protection policies and practices through regular health checks. This will enable us to continually identify and address risks and gaps and implement solutions to close them. How this measure addresses the issue: • Data collected is adequate, relevant and limited to what is necessary and processed with the intended purpose. • Ensure appropriate controls are in place to secure data and procedures in place for staff to recognise and respond to potential data breach incidences. • Ensure there is a framework and process to govern our data intermediaries. Target completion date: 16 Feb 2023 - we are looking at a 1-year timeframe to complete the exercise with the following breakdown: 4 months: Confirming review specifications and appointment of an independent vendor to assess our existing policies, guidelines, and SOPs. Interview business units to identify relevant work processes and gaps. 5 months: Review and implement recommendations to bridge all gaps. Conduct table-top exercise to test data breach response plan. 3 months: Produce reports on the reviews and table top exercises that were carried out. Setup proactive monitoring such as regular audit period and inspection exercises for our practices and data intermediaries. Status: In progress. 2. Professional IT security review and tightening of vendor selection process. Remedial steps/measures: e2i has engaged a professional company to conduct IT Risk Assessment Audits on third-party vendors to ensure our vendors have the necessary cybersecurity frameworks and systems in place for data protection. Criteria(s) are put in place to tighten our vendor selection process. This ensures that the vendor has frameworks and procedures in place to manage and protect data, such as its storage security and access rights by different types of users; how does the vendor ensure compliance with PDPA such as training of staff and the IT system’s robustness. How this measure addresses the issue: This will ensure better governance on our third-party vendors' IT security and data protection capability. Target completion date: Jun 2022. Status: In progress. 3. OTP Implementation on e2i’s website. Remedial steps/measures: Option 1: To implement an authentication (via OTP) interface before an individual reaches the personal data confirmation page using the current Events Management System (""EMS""). Option 2: As current EMS is due for renewal or change by Oct 2022, e2i may explore a new EMS. In this case, e2i will implement the OTP on the new EMS. However, this means e2i will need a longer timeline as e2i has to evaluate different vendors and the functionalities the vendors can offer. In the meantime, information has been masked such that only the user’s partially masked contact number is left, which is not identifiable. How this measure addresses the issue: With the OTP, users will have the added protection of their personal data from being accessed by anyone using their NRIC number. Target completion date: Option 1: Mar 2022; Option 2: Oct 2022. Status: In progress. e2i will review whether to renew contract with current vendor or explore a new EMS and update PDPC on its decision of implementing Option 1 or Option 2 by Mar 2022. B. Implemented 1. IT and personal data handling checks on Call Centre vendors. Remedial steps/measures: For i-vic International (Contract ended 31 Aug 2021): • All i-vic staff supporting e2i’s work are using company-issued desktops and laptops. No unmanaged devices, including mobiles, are used for e2i’s work. • Implementation of multi-factor authentication to all user accounts supporting e2i’s work and scanning all staffs’ laptops to ensure no further incidence of malware. • Advisory to i-vic to adopt different modes of communication for sharing of passwords. For new call centre Agape Connecting People Pte Ltd (Contract started from 1 September 2021), checks were made to ensure they had: • Secured data management system • Safer mail software (Microsoft 365 with 2-factor enabled password authentication) • Secured data centre (Managed offsite at Telin, ISO certified vendor (ISO/IEC 27001:2013)) • Secured network server (Lantone Systems, housed locally, same company serving SingTel) • 24/7 IT systems monitoring • Overall enhancement in data sharing methods between vendor and e2i • Quarterly review on IT systems. How this measure addresses the issue: To prevent further unauthorised access and ensure that our call centre has the necessary IT systems and processes in place to protect our personal data. Timeframe: March 2021 (for i-vic); September 2021 (for Agape, due to change in vendor). Status: Completed. 2. Tightened vendor selection process. Remedial steps/measures: Current and future third-party vendors dealing with personal data to complete an Information Security Third-party assessment questionnaire to understand their processes on capturing personal data, IT security controls, and compliance. Incorporate legal clauses on PDPA data management in current and future contracts with vendors. How this measure addresses the issue: To ensure better governance on our third-party vendors' IT security and data protection capability. Timeframe: From April 2021. Status: Completed. 3. Enhancement to password protection policy. Remedial steps/measures: In addition to previous password policies, we required all newly changed system access passwords to be 12 characters long, comprising English letters with at least one upper case, numbers and special characters. Staff were also reminded to adhere to password guidelines: i. Staff should send password using a different channel; ii. Staff should set passwords that are unique, unpredictable and changed on a regular basis. How this measure addresses the issue: To enhance policies and SOPs set in place to guide staff on the password management for systems and documents containing personal information. Timeframe: May 2021. Status: Completed. 4. Enhanced outlook system security. Remedial steps/measures: e2i has implemented the following system security: • Secure Web Gateway and Data Leak Prevention solutions in e2i laptop • Data Loss Prevention feature to protect sensitive information in Microsoft O365 environment • Implemented Geo-location restriction for Microsoft O365 accounts. How this measure addresses the issue: This ensures that IT solutions are in place to prevent personal data leakage. Timeframe: May to July 2021. Status: Completed. 5. Continuous effort to conduct regular PDPA and cybersecurity awareness training and to share good cybersecurity practices with employees. Remedial steps/measures: • All new staff (including temps) need to complete an e-learning module on PDPA 101 within their 1st week of joining and before they handle personal data • Yearly PDPA workshop for all staff • Advisory emails sent to staff to remind them about good PDPA and cybersecurity practices • Organisation-wide meetings feature a segment on good PDPA practices, reminders on PDPA governance • Internal meetings (Risk/Management meetings) – PDPA compliance is regularly highlighted and addressed. How this measure addresses the issue: Staff are equipped with PDPA knowledge and adequate competencies to comply with our SOPs and policies. Timeframe: On-going. Status: Completed. 6. Masking of personal information on e2i’s registration page. Remedial steps/measures: To implement the masking of personal data within the Events Management System registration confirmation page, only leaving the user’s partially masked contact number within the user interface. The individual needs to only verify event details they have signed up for. How this measure addresses the issue: This will avoid any user using another NRIC number to access another person's personal data after registration for an event due to the auto-population feature. Timeframe: October 2021. Status: Completed. ",1002 55,4645cfe245e8b1962cc53697dbdcb6ddace8b58b,30,Employment and Employability Institute Pte Ltd,https://www.pdpc.gov.sg/undertakings/undertaking-by-employment-and-employability-institute-pte-ltd,2023-07-20,"Background The Personal Data Protection Commission (the “Commission”) was notified by Employment and Employability Institute Pte. Ltd. on 25 March 2021 of a personal data breach involving its contact centre and data intermediary, i-vic International Pte. Ltd. (“i-vic”). Investigations revealed that an employee of i-vic had most likely fallen prey to a phishing attack. As a result, a malicious actor successfully downloaded the personal data belonging to 31,002 individuals, from 2 email accounts belonging to the i-vic employee (the “Incident”). The personal data affected included the individuals’ partial or full NRIC, date of birth, telephone number, email address, residential address, highest qualification, and employment details.
Further investigations found that i-vic had reasonable security measures in place to protect the personal data that it processes on behalf of e2i. i-vic had anti-virus protection, anti-phishing protection, regular anti-virus scans, security audits and conducted regular patches for its IT system. In fact, i-vic had existing anti-malware software which should have been able to detect the particular malware used in the Incident, but somehow failed to do so. After the Incident, i-vic purchased and deployed additional anti-malware software. Finally, the Commission found that i-vic had comprehensive policies and guidelines in place to protect personal data. While i-vic had reasonable security arrangements in place to protect the personal data it processes, the Commission established that this was entirely on i-vic’s account and not because of e2i’s bidding. e2i had failed to stipulate any specific data protection requirements on i-vic in their contract. e2i also lacked sufficiently robust processes to protect the personal data in its possession or control. i-vic produced evidence of several occasions where e2i’s employees had sent personal data to i-vic without any encryption or protection, which was against e2i’s standard operating procedures. Case No. DP-2106-B8424 A complainant alerted the Commission of a personal data breach involving e2i’s website on 21 June 2021. e2i's website had been designed in such a way that it would automatically populate and display all the data fields e2i had of an individual in its possession without the need for further authentication once an individual's NRIC number is keyed in to access e2i's website and register for a course, talk, or event. As a result, the personal data of 102,151 individuals was at risk of being disclosed. 
The personal data affected included the individuals’ name, citizenship, union membership status, gender, race, education, employment information, work experience, background, health records, and other partially masked personal data including NRIC number, date of birth, email address, postal code and contact number. As this personal data breach involving e2i's website occurred when the Commission was investigating Case No. DP-2103-B8132, the Commission considered both cases involving e2i together. Remedial Actions After the incidents, as part of a remediation plan, e2i put in place the following measures which included: (a) Strengthening its data protection governance with the assistance of an independent vendor; (b) Engaging a professional company to conduct IT risk assessment audits on third-party vendors; (c) Implementing a one-time password (""OTP"") authentication for individuals using its website; (d) Ensuring that i-vic has the necessary systems and processes in place to protect personal data; (e) Tightening its vendor selection process; (f) Enhancing its password protection policy; (g) Enhancing its outlook system security; (h) Made continuous effort to conduct regular staff training; and (i) Masking personal data on its website. The Commission was also satisfied with the additional remedial actions undertaken by i-vic. Undertaking Having considered the circumstances of both cases, the Commission accepted an undertaking from e2i to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 10 March 2022 (the Undertaking). The Commission accepted the Undertaking as it was satisfied that notwithstanding e2i’s failure to stipulate personal data protection requirements in its contract with i-vic, e2i had engaged i-vic on account of i-vic’s good personal data protection policies and processes.
For the personal data breach that affected e2i’s website, while the personal data of 102,151 individuals was at risk of being disclosed, the impact of the personal data breach was limited as e2i promptly took remediation action after being alerted by the Commission of the complaint received. e2i worked with its vendor to ensure that save for the last 4 digits of an individual’s contact number, the website no longer displayed any of the personal data fields of an individual. As part of the Undertaking, e2i eventually implemented an OTP authentication for individuals using its website.   The Commission accepted the Undertaking as this is consistent with the Commission’s practice with respect to other personal data breaches similar to the one that affected e2i’s website, where there is no evidence to suggest that there has been unauthorised access or data exfiltration. e2i has since updated the Commission that it has completed the implementation of its remediation plan. The Commission has reviewed the matter and is satisfied that e2i has complied with the terms of the Undertaking. Please click here to view the Undertaking.",https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/undertakings/undertaking---e2i-2023.pdf,"WRITTEN VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Personal Data Protection Commission or its delegates pursuant to section 48L(1) of the PDPA, by: Employment and Employability Pte. Ltd. UEN: 200704772C Registered Address: 30 Cecil Street, #19-08, Prudential Tower, Singapore 049712 (hereinafter referred to as the “Organisation”). By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. DEFINITIONS 1.1 In this Undertaking: (a) “PDPA” means the Personal Data Protection Act 2012 (No. 
26 of 2012); and (b) “Relevant Provisions” means the provisions in Parts III, IV, V, VI, VIA and IX, and section 48B(1) of the PDPA. 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) The Commission has carried out investigations into certain acts and practices of the Organisation, and has reason to believe that the Organisation has not complied, is not complying, or is likely not to comply with one or more of the Relevant Provisions. The relevant facts and circumstances are summarised at Schedule A. (b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to issue directions under sections 48I or 48J of the PDPA. (c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation appears ready to implement or is in the midst of implementing the steps set out in Schedule B. (d) Having carefully considered all the relevant facts and circumstances, the Commission takes the view that this is an appropriate case in which an Undertaking may be accepted. 2.2 The Organisation also acknowledges and agrees that the Commission may publish and make publicly available this Undertaking, and without limitation to the foregoing, the Commission may issue public statements referring to this Undertaking and/or its contents in whole or in part. 3. UNDERTAKINGS 3.1 The Organisation undertakes that it has taken, or will take all necessary steps, to carry out the actions or refrain from carrying out the actions referred to in Schedule B, and where applicable, in accordance with the stipulated timelines. 4. 
COMMENCEMENT 4.1 This Undertaking shall take effect upon the acceptance by the Commission of the Organisation’s duly executed Undertaking. 5. THE COMMISSION’S STATUTORY POWERS 5.1 In order to provide the Organisation with an opportunity to complete all necessary steps to implement its undertakings set out in clause 3 above, the Commission will exercise its powers under section 50(3)(ca) of the PDPA to suspend the investigations referred to in clause 2 on the date the Undertaking takes effect as set out in clause 4.1. 5.2 The Organisation acknowledges that the Commission will verify the Organisation’s compliance with its undertakings set out in clause 3 above, and if necessary, will exercise its powers under the Ninth Schedule of the PDPA to do so. 5.3 Clause 5.1 above shall be without prejudice to the Commission’s statutory powers to conduct or resume, at any time, the investigations referred to in clause 2 above if it thinks fit, including but not limited to the situation where the Organisation fails to comply with this Undertaking or part thereof in relation to any matter. 5.4 Nothing in this Undertaking, including the Commission’s acceptance of the Undertaking, is intended to, or shall, fetter or constrain the Commission’s rights and statutory powers (including but not limited to those under sections 48I, 48J, 48L(4) and 50 of the PDPA) in any manner. Neither shall be construed as creating any anticipation or expectation that the Commission will take or not take any particular course of action in the future (whether in the present case or in respect of any other case concerning a breach or suspected breach of the PDPA). The acceptance of this Undertaking is strictly confined to the particular facts of the present case, and is made on the basis of the representations and information provided by the Organisation. The acceptance of an Undertaking in this case shall not be construed as establishing any precedent. 6. 
VARIATION 6.1 This Undertaking may be varied only with the express written agreement of the Commission. This document has been electronically signed. The Parties hereby affirm that the electronic signatures have been affixed with the due authorisation of each Party and that Parties intend for the electronic signatures to carry the same weight, effect and meaning as hand-signed wet-ink signatures. SIGNED, for and on behalf of ) Employment and Employability Institute Pte. Ltd. ) By the following: ) Name: ______________________________________ ) Designation: _________________________________ ) Date: _______________________________________ ) ACCEPTED by ) ) Name: ______________________________________ ) Designation: Deputy Commissioner Personal Data Protection ) Date: _______________________________________ ) SCHEDULE A SUMMARY OF FACTS DP-2106-B8424 1. On 2 June 2021, the PDPC received feedback of a personal data breach incident by Employment and Employability Institute Pte. Ltd. (""e2i""). When an individual registers for a course, talk or event organised by e2i on e2i’s website, the website would automatically populate and display an individual’s personal data once an individual’s NRIC number is inserted into the website. If an individual uses the person’s NRIC number on e2i’s website, there would be the risk of unauthorised disclosure of personal data by e2i if such use had not been duly authorised. 2. As a result, the personal data of 102,151 individuals was at risk of a potential personal data breach. 
The types of personal data affected included the following: i) Name ii) Citizenship iii) Union member status iv) Gender v) Race vi) Highest education level vii) Unemployed since viii) Unemployment duration (months) ix) Reason for unemployment x) Education level detail (field of study, qualification name/title, institution, date of completion) xi) Work experience (From, to, company name, industry, job title, job duties, masked last drawn salary/month) xii) Background and health (Ex-offender, bankruptcy, color blindness, medical illness, drug abuse) xiii) Partially masked NRIC xiv) Partially masked date of birth xv) Partially masked email address xvi) Partially masked postal code xvii) Partially masked contact number (Home/HP) 3. The PDPC notes that there was no evidence of exfiltration of the personal data. DP-2103-B8132 1. On 25 March 2021, the PDPC received a data breach notification from e2i, which involved its outsourced contact centre, i-vic International Pte. Ltd. (“i-vic”). Personal data from 2 email accounts of an i-vic employee was downloaded by a malicious actor. It was found that i-vic had put in place reasonable security arrangements despite the data breach. 2. However, it was found that e2i had failed to stipulate reasonable data protection requirements when selecting i-vic as its data intermediary, and in its contract with i-vic. It was also found that e2i lacked sufficiently robust processes to protect personal data during transmission. There were at least 18 occasions where e2i’s employees had sent large volumes of personal data to i-vic without protection. 3. The personal data of 31,002 individuals was downloaded by a malicious actor in the incident. 
The types of personal data affected included the following: i) NRIC ii) Partial NRIC Number iii) Date of Birth iv) Mobile Number v) Landline vi) Email Address vii) Residential Address viii) Highest Qualification ix) Employment Details – containing salary, employment status, occupation or company name SCHEDULE B REMEDIATION PLAN
A. In Progress
S/N 1: Strengthen e2i’s data protection governance
Remedial steps/measures: e2i will appoint an independent vendor to conduct a professional review of our organisation's data protection practices through a comprehensive health check. The scope of engagement will include: • Assessment of our existing data protection policies and practices, and recommend solutions to close gaps; • Conduct a table-top exercise to test the data breach response plan; • Managing our data intermediaries by putting in place governance and risk assessment; policies and practices; service management, and exit management. After the above review has been implemented, the vendor will continue to review our data protection policies and practices through regular health checks. This will enable us to continually identify and address risks and gaps and implement solutions to close them.
How this measure addresses the issue: This will ensure our Data Protection Management Programme (DPMP) is relevant and optimised for operations and continuous improvements: • Data collected is adequate, relevant and limited to what is necessary and processed with the intended purpose. • Ensure appropriate controls are in place to secure data and procedures in place for staff to recognise and respond to potential data breach incidences. • Ensure there is a framework and process to govern our data intermediaries.
Target completion date: 16 Feb 2023 - we are looking at a 1-year timeframe to complete the exercise with the following breakdown: 4 months: Confirming review specifications and appointment of an independent vendor to assess our existing policies, guidelines, and SOPs. Interview business units to identify relevant work processes and gaps. 5 months: Review and implement recommendations to bridge all gaps. Conduct table-top exercise to test data breach response plan. 3 months: Produce reports on the reviews and table-top exercises that were carried out. Set up proactive monitoring such as regular audit period and inspection exercises for our practices and data intermediaries.
Status: In progress
S/N 2: Professional IT security review and tightening of vendor selection process
Remedial steps/measures: e2i has engaged a professional company to conduct IT Risk Assessment Audits on third-party vendors to ensure our vendors have the necessary cybersecurity frameworks and systems in place for data protection. Criteria are put in place to tighten our vendor selection process. This ensures that the vendor has frameworks and procedures in place to manage and protect data, such as its storage security and access rights by different types of users, and how the vendor ensures compliance with the PDPA, such as training of staff and the IT system’s robustness.
How this measure addresses the issue: This will ensure better governance on our third-party vendors' IT security and data protection capability.
Target completion date: Jun 2022
Status: In progress
S/N 3: OTP Implementation on e2i’s website
Remedial steps/measures: Option 1: To implement an authentication (via OTP) interface before an individual reaches the personal data confirmation page using the current Events Management System (""EMS""). Option 2: As the current EMS is due for renewal or change by Oct 2022, e2i may explore a new EMS. In this case, e2i will implement the OTP on the new EMS. However, this means e2i will need a longer timeline as e2i has to evaluate different vendors and the functionalities the vendors can offer. In the meantime, information has been masked such that only the user’s partially masked contact number is left, which is not identifiable.
How this measure addresses the issue: With the OTP, users will have the added protection of their personal data from being accessed by anyone using their NRIC number.
Target completion date: Option 1: Mar 2022; Option 2: Oct 2022
Status: In progress. e2i will review whether to renew the contract with the current vendor or explore a new EMS and update PDPC on its decision of implementing Option 1 or Option 2 by Mar 2022.
B. Implemented
S/N 1: IT and personal data handling checks on Call Centre vendors
Remedial steps/measures: For i-vic International (Contract ended 31 Aug 2021): • All i-vic staff supporting e2i’s work are using company-issued desktops and laptops. No unmanaged devices, including mobiles, are used for e2i’s work. • Implementation of multi-factor authentication to all user accounts supporting e2i’s work and scanning all staffs’ laptops to ensure no further incidence of malware. • Advisory to i-vic to adopt different modes of communication for sharing of passwords. For new call centre Agape Connecting People Pte Ltd (Contract started from 1 September 2021), checks were made to ensure they had: • Secured data management system • Safer mail software (Microsoft 365 with 2-factor enabled password authentication) • Secured data centre (Managed offsite at Telin, ISO certified vendor (ISO/IEC 27001:2013)) • Secured network server (Lantone Systems, housed locally, same company serving SingTel) • 24/7 IT systems monitoring • Overall enhancement in data sharing methods between vendor and e2i • Quarterly review on IT systems
How this measure addresses the issue: To prevent further unauthorised access and ensure that our call centre has the necessary IT systems and processes in place to protect our personal data.
Timeframe: March 2021 (for i-vic); September 2021 (for Agape, due to change in vendor)
Status: Completed
S/N 2: Tightened vendor selection process
Remedial steps/measures: Current and future third-party vendors dealing with personal data to complete an Information Security Third-party assessment questionnaire to understand their processes on capturing personal data, IT security controls, and compliance. Incorporate legal clauses on PDPA data management in current and future contracts with vendors.
How this measure addresses the issue: To ensure better governance on our third-party vendors' IT security and data protection capability.
Timeframe: From April 2021
Status: Completed
S/N 3: Enhancement to password protection policy
Remedial steps/measures: In addition to previous password policies, we required all newly changed system access passwords to be 12 characters long, comprising English letters with at least one upper case, numbers and special characters. Staff were also reminded to adhere to password guidelines: i. Staff should send passwords using a different channel; ii. Staff should set passwords that are unique, unpredictable and changed on a regular basis.
How this measure addresses the issue: To enhance policies and SOPs set in place to guide staff on the password management for systems and documents containing personal information.
Timeframe: May 2021
Status: Completed
S/N 4: Enhanced Outlook system security
Remedial steps/measures: e2i has implemented the following system security: • Secure Web Gateway and Data Leak Prevention solutions in e2i laptops • Data Loss Prevention feature to protect sensitive information in the Microsoft O365 environment • Implemented Geo-location restriction for Microsoft O365 accounts
How this measure addresses the issue: This ensures that IT solutions are in place to prevent personal data leakage.
Timeframe: May to July 2021
Status: Completed
S/N 5: Continuous effort to conduct regular PDPA and cybersecurity awareness training and to share good cybersecurity practices with employees
Remedial steps/measures: • All new staff (including temps) need to complete an e-learning module on PDPA 101 within their 1st week of joining and before they handle personal data • Yearly PDPA workshop for all staff • Advisory emails sent to staff to remind them about good PDPA and cybersecurity practices • Organisation-wide meetings feature a segment on good PDPA practices, reminders on PDPA governance • Internal meetings (Risk/Management meetings) – PDPA compliance is regularly highlighted and addressed.
How this measure addresses the issue: Staff are equipped with PDPA knowledge and adequate competencies to comply with our SOPs and policies.
Timeframe: On-going
Status: Completed
S/N 6: Masking of personal information on e2i’s registration page
Remedial steps/measures: To implement the masking of personal data within the Events Management System registration confirmation page, only leaving the user’s partially masked contact number within the user interface. The individual needs to only verify event details they have signed up for.
How this measure addresses the issue: This will avoid any user using another NRIC number to access another person's personal data after registration for an event due to the auto-population feature.
Timeframe: October 2021
Status: Completed ",1007 28,e8a35c8ba86b53f90b846840d2c6ebc453ead910,28,Simmons (Southeast Asia) Private Limited,https://www.pdpc.gov.sg/Undertakings/Undertaking-by-Simmons-Southeast-Asia-Private-Limited,2023-06-22,"Background  The Personal Data Protection Commission (the “Commission”) was notified by Simmons (Southeast Asia) Private Limited (""SPL"") on 17 August 2022 that it was subject to a ransomware attack on 10 August 2022. As a result of the attack, a test server containing the personal data of 87,824 customers was encrypted by ransomware. The personal data affected included the customers' name, address, email address, telephone number and customer information such as the sales order and date, product bought, amount paid, delivery date, time of delivery, date of payment, amount paid, mode of payment, and payment reference. The data of 128 employees, including their business email address, user ID, and password was also encrypted. 
The Commission noted that there was no evidence of exfiltration of the data. It was established that the threat actor(s) had likely gained access to the test server by exploiting an open Remote Desktop Protocol (“RDP”) port. The RDP port had been left open just 4 days earlier, on 6 August 2022, to facilitate access to the test server by a vendor for testing and development work. Remedial Actions After the incident, as part of a remediation plan, SPL put in place measures including: (a) Reformatted and restored the test server; (b) Closed the RDP port; (c) Ensured that any connection to any of SPL’s servers within its IT environment can only be made through a SSL/VPN or IPSec connection, and that all RDP ports on all its servers are closed to public internet access; (d) Issued a SSL/VPN account to its vendor for the vendor to connect to SPL’s network before accessing the test server; (e) Removed all production data containing personal data from test servers and will ensure that any future test servers will not contain personal data in any form; (f) Set up all future test servers on a separate domain so that the possibility of lateral movement is minimised;  (g) Ensured that the passwords used on test servers (including the current test server) comply with SPL’s existing password policy; (h) Ensured that employees do not use easily guessable passwords; (i) Implemented multi-factor authentication; (j) Ensured that SPL’s endpoint protection / intrusion detection / prevention detection systems are installed on all servers and endpoints, regardless of whether they are production or test servers/endpoints; (k) Encrypted all personal data stored on its servers; (l) Reviewed and updated its internal policies/processes relating to the collection, use, disclosure, protection, and retention of personal data; (m) Strengthened its incident response plan; and (n) Implemented periodic penetration testing. 
Undertaking  Having considered the short duration during which the RDP port had been left open, the Organisation’s early detection of the ransomware attack, and the prompt and effective remedial steps taken by SPL to improve its data protection practices thereafter, the Commission accepted an undertaking from SPL to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 31 October 2022 (the “Undertaking”). SPL has since updated the Commission that it has completed the implementation of its remediation plan. The Commission has reviewed the matter and determined that SPL has complied with the terms of the Undertaking. Please click here to view the Undertaking.",https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Undertakings/Undertaking---Simmons-Southeast-Asia-Limited.pdf,"WRITTEN VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Personal Data Protection Commission or its delegates pursuant to section 48L(1) of the PDPA, by: Simmons (Southeast Asia) Private Limited UEN: 199303272D Registered Address: 300 Beach Road, #25-03, The Concourse, Singapore 199555 (hereinafter referred to as the “Organisation”). By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. DEFINITIONS In this Undertaking: (a) “PDPA” means the Personal Data Protection Act 2012; and (b) “Relevant Provisions” means the provisions in Parts III, IV, V, VI, VIA and IX, and section 48B(1) of the PDPA. 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) The Commission has carried out investigations into certain acts and practices of the Organisation, and has reason to believe that the Organisation has not complied, is not complying, or is likely not to comply with one or more of the Relevant Provisions. 
The relevant facts and circumstances are summarised at Schedule A. (b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to issue directions under sections 48I or 48J of the PDPA. (c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation appears ready to implement or is in the midst of implementing the steps set out in Schedule B. (d) Having carefully considered all the relevant facts and circumstances, the Commission takes the view that this is an appropriate case in which an Undertaking may be accepted. 2.2 The Organisation also acknowledges and agrees that the Commission may publish and make publicly available this Undertaking, and without limitation to the foregoing, the Commission may issue public statements referring to this Undertaking and/or its contents in whole or in part. 3. UNDERTAKINGS The Organisation undertakes that it has taken, or will take all necessary steps, to carry out the actions or refrain from carrying out the actions referred to in Schedule B, and where applicable, in accordance with the stipulated timelines. 4. COMMENCEMENT This Undertaking shall take effect upon the acceptance by the Commission of the Organisation’s duly executed Undertaking. 5. THE COMMISSION’S STATUTORY POWERS 5.1 In order to provide the Organisation with an opportunity to complete all necessary steps to implement its undertakings set out in clause 3 above, the Commission will exercise its powers under section 50(3)(ca) of the PDPA to suspend the investigations referred to in clause 2 on the date the Undertaking takes effect as set out in clause 4.1. 
5.2 The Organisation acknowledges that the Commission will verify the Organisation’s compliance with its undertakings set out in clause 3 above, and if necessary, will exercise its powers under the Ninth Schedule of the PDPA to do so. 5.3 Clause 5.1 above shall be without prejudice to the Commission’s statutory powers to conduct or resume, at any time, the investigations referred to in clause 2 above if it thinks fit, including but not limited to the situation where the Organisation fails to comply with this Undertaking or part thereof in relation to any matter. 5.4 Nothing in this Undertaking, including the Commission’s acceptance of the Undertaking, is intended to, or shall, fetter or constrain the Commission’s rights and statutory powers (including but not limited to those under sections 48I, 48J, 48L(4) and 50 of the PDPA) in any manner. Neither shall be construed as creating any anticipation or expectation that the Commission will take or not take any particular course of action in the future (whether in the present case or in respect of any other case concerning a breach or suspected breach of the PDPA). The acceptance of this Undertaking is strictly confined to the particular facts of the present case, and is made on the basis of the representations and information provided by the Organisation. The acceptance of an Undertaking in this case shall not be construed as establishing any precedent. 6. VARIATION This Undertaking may be varied only with the express written agreement of the Commission. This document has been electronically signed. The Parties hereby affirm that the electronic signatures have been affixed with the due authorisation of each Party and that Parties intend for the electronic signatures to carry the same weight, effect and meaning as hand-signed wet-ink signatures. 
SIGNED, for and on behalf of ) Simmons (Southeast Asia) Private Limited ) By the following: ) Name: ______________________________________ ) Designation: _________________________________ ) Date: _______________________________________ ) ACCEPTED by ) ) Name: ______________________________________ ) Designation: _________________________________ ) Personal Data Protection ) Date: _______________________________________ ) SCHEDULE A SUMMARY OF FACTS 1. On 17 August 2022, the PDPC was informed that a server which the Organisation’s and set up for testing purposes was subject to a ransomware attack, resulting in the encryption of a backup copy of its database. 2. As a result, the personal data of 87,824 customers including their name, address, email address, telephone number, and transaction information was encrypted. In addition, the data of another 128 employees, including their name, business email address, and user ID and password for internal software accounts was also encrypted. There was no evidence of any exfiltration of personal data. 3. To prevent a recurrence of a similar incident, the Organisation took immediate remedial action to address the possible cause of the personal data breach. SCHEDULE B
Technical Remediation
No. 1. Potential risk factor/improvement area: The attacker(s) likely accessed the test server through the RDP port which was opened to public internet access.
Remediation plan: SPL reformatted and restored the affected test server to a pre-infected version.
Target completion (date): 11 August 2022 (completed)
No. 2. Remediation plan: SPL closed the RDP port of the test server from public internet access.
Target completion (date): 10 August 2022 (completed)
No. 3. Remediation plan: SPL will ensure that any connection to any of SPL’s servers within its IT environment can only be made through a SSL/VPN or IPSec connection, and that all RDP ports on all its servers are closed to public internet access.
Target completion (date): 12 August 2022 (completed)
No. 4. Remediation plan: SPL has issued a SSL/VPN account to its vendor for the vendor to connect to SPL’s network before accessing the test server.
Target completion (date): 12 August 2022 (completed)
No. 5. Remediation plan: SPL has shut down the test server and will not reactivate the test server for development work until the appropriate security measures are implemented.
Target completion (date): 22 August 2022 (completed)
No. 6. Potential risk factor/improvement area: SPL used production data on a test server.
Remediation plan: SPL will remove all production data containing personal data from test servers and ensure that any future test servers will not contain personal data in any form, and will only utilise test data from which personal data cannot be derived.
Target completion (date): 13 September 2022 (completed)
No. 7. Remediation plan: SPL will set up all future test servers on a separate domain so that the possibility of lateral movement is minimised. SPL will include this as a requirement in the written internal policies/processes to be published under SN14 below.
Target completion (date): When required.
No. 8. Potential risk factor/improvement area: Since the test server was a new server set up solely for development work, SPL’s existing password policy was not implemented.
Remediation plan: SPL will ensure that the passwords used on test servers (including the current test server) comply with SPL’s existing password policy. SPL will also require all employees to use password generation and management software to ensure that passwords are “random” and do not contain easily guessable words (e.g. SPL’s name). SPL will include this as a requirement in the written internal policies/processes to be published under SN14 below.
Target completion (date): 25 October 2022
No. 9. Remediation plan: SPL will also implement multi-factor authentication for all possible account logins (including administrators) in SPL, including accounts on test servers.
Target completion (date): 29 November 2022
No. 10. Potential risk factor/improvement area: As the test server was a new server, it was not connected to SPL’s Symantec Endpoint Protection system. SPL only has Symantec Endpoint Protection system in place and does not have in place any other intrusion detection or prevention detection systems.
Remediation plan: SPL will research on available IDS/IPS in order to implement and integrate a suitable IDS/IPS into its systems. SPL will review its current logging locations and strategies as well as look into available logs. SPL will evaluate logging solutions in order to pick a solution that would best fit the organization.
Target completion (date): 29 November 2022
No. 11. Remediation plan: SPL will ensure that SPL’s endpoint protection / intrusion detection / prevention detection systems is installed on all servers and endpoints, regardless of whether they are production or test servers/endpoints, at the time the server or relevant machine is set up. SPL will include this as a requirement in the written internal policies/processes to be published under SN14 below.
Target completion (date): When required
No. 12. Potential risk factor/improvement area: The personal data that was uploaded onto the test server was not encrypted.
Remediation plan: All personal data stored in any of SPL’s servers will be encrypted.
Target completion (date): Ongoing. Encryption of data stored on SPL’s human resources server has been completed. Encryption of other servers will be completed by 15 November 2022.
No. 13. Remediation plan: SPL informed all users to change the passwords for all their accounts in SPL’s IT environment. SPL thereafter enforced this by manually expiring all the passwords within SPL’s control, such as for the user domain accounts, SAP accounts, and SSL/VPN accounts. Out of an abundance of caution, SPL also informed all users to change the passwords of any accounts which used a SPL domain address.
Target completion (date): 18 August 2022 (Completed)
Policies/Process Remediation
No. 14. Potential risk factor/improvement area: There were no written policies / processes / guidelines relating to the collection, use, disclosure, protection, and retention of personal data in the possession and/or custody of SPL and/or its employees in place.
Remediation plan: SPL will review and update its internal policies/processes relating to the collection, use, disclosure, protection, and retention of personal data in the possession and/or custody of SPL and/or its employees, including but not limited to ensuring the proper documentation of the policies and processes and enhancing training for all staff on their data protection obligations.
Target completion (date): 17 October 2022
No. 15. Potential risk factor/improvement area: Strengthen incident response plan.
Remediation plan: SPL will draft an Incident Response Plan. The Incident Response Plan will outline the plan for responding to information security incidents containing the following information: a. Scope; b. Incident Response Methodology; c. Incident Response Phases; d. Guidelines for the Incident Response Process; and e. Documentation, Tracking and Reporting.
Target completion (date): 10 October 2022 (Completed)
No. 16. Potential risk factor/improvement area: There was no written contract in place with SPL’s IT Vendor regarding the IT Vendor’s provision of hosting services to SPL, which could include provisions for the protection of personal data.
Remediation plan: SPL will endeavour to enter into a written contract with its IT Vendor which contractually obliges the IT Vendor to protect personal data stored by SPL. Alternatively, SPL will endeavour to enter into a written agreement with a different vendor on terms which oblige the vendor to protect the personal data stored by SPL.
Target completion (date): SPL will either enter into a written agreement with its IT Vendor or determine if it will switch to a new vendor by 1 November 2022. If SPL determines that it should enter into a written agreement with a different vendor, SPL will do so by 15 November 2022.
No. 17. Potential risk factor/improvement area: Vulnerability testing.
Remediation plan: SPL will research on available vulnerability testing solutions in order to conduct a suitable penetration test after the above mentioned steps are taken. SPL will also implement periodic penetration testing.
Target completion (date): 29 November 2022 ",1002 29,660b9a2c97633c0645edb31c89fded7da06491b4,29,Metropolis Security Systems Pte Ltd,https://www.pdpc.gov.sg/Undertakings/Undertaking-by-Metropolis-Security-Systems-Pte-Ltd,2023-06-22,"Background  In late June 2022, the Cyber Security Agency of Singapore alerted the Personal Data Protection Commission (the “Commission”) and Metropolis Security Systems Pte Ltd (the “Organisation”) that the Organisation’s files containing the personal data of 250 individuals was accessible online via an open port. The affected folder containing the personal data had been inadvertently set to public, and configured to an open port following a routine maintenance service in March 2018. As a result, the personal data of 250 individuals including their name, NRIC number, address, mobile number and bank account number was disclosed. Remedial Actions After the incident, as part of a remediation plan, the Organisation implemented the following: (a) Password-protect both sensitive and confidential documents stored centrally in its HQ Network Attached Storage folder; (b) Review the classification of information in its asset register at least once a year; (c) Ensure that its vendors/suppliers are contractually obliged to comply with the Personal Data Protection Act 2012; (d) Conduct adequate internal tests and penetration tests; and (e) Embark on ISO27001 implementation with an external consultant. 
Undertaking  Having considered the circumstances of the case, including the remedial steps taken by the Organisation, the Commission accepted an undertaking from the Organisation to improve its compliance with the PDPA. The undertaking was executed on 27 September 2022 (the “Undertaking”). The Organisation has since updated the Commission that it has fully implemented its remediation plan. The Commission has reviewed the matter and determined that the Organisation has complied with the terms of the Undertaking. Please click here to view the Undertaking.",https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Undertakings/Undertaking---Metropolis-Security-Systems-Pte-Ltd.pdf,"WRITTEN VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Personal Data Protection Commission or its delegates pursuant to section 48L(1) of the PDPA, by: Metropolis Security Systems Pte Ltd UEN: 201008279K Registered Address: 20 Sin Ming Lane #08-63 Midview City, Singapore (573968) (hereinafter referred to as the “Organisation”). By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. DEFINITIONS 1.1 In this Undertaking: (a) “PDPA” means the Personal Data Protection Act 2012; and (b) “Relevant Provisions” means the provisions in Parts III, IV, V, VI, VIA and IX, and section 48B(1) of the PDPA. 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) The Commission has carried out investigations into certain acts and practices of the Organisation, and has reason to believe that the Organisation has not complied, is not complying, or is likely not to comply with one or more of the Relevant Provisions. The relevant facts and circumstances are summarised at Schedule A. 
(b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to issue directions under sections 48I or 48J of the PDPA. (c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. Page 1 of 9 In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation appears ready to implement or is in the midst of implementing the steps set out in Schedule B. (d) Having carefully considered all the relevant facts and circumstances, the Commission takes the view that this is an appropriate case in which an Undertaking may be accepted. 2.2 The Organisation also acknowledges and agrees that the Commission may publish and make publicly available this Undertaking, and without limitation to the foregoing, the Commission may issue public statements referring to this Undertaking and/or its contents in whole or in part. 3. UNDERTAKINGS 3.1 The Organisation undertakes that it has taken, or will take all necessary steps, to carry out the actions or refrain from carrying out the actions referred to in Schedule B, and where applicable, in accordance with the stipulated timelines. 4. COMMENCEMENT 4.1 This Undertaking shall take effect upon the acceptance by the Commission of the Organisation’s duly executed Undertaking. 5. THE COMMISSION’S STATUTORY POWERS 5.1 In order to provide the Organisation with an opportunity to complete all necessary steps to implement its undertakings set out in clause 3 above, the Commission will exercise its powers under section 50(3)(ca) of the PDPA to suspend the investigations referred to in clause 2 on the date the Undertaking takes effect as set out in clause 4.1. 
5.2 The Organisation acknowledges that the Commission will verify the Organisation’s compliance with its undertakings set out in clause 3 above, and if necessary, will exercise its powers under the Ninth Schedule of the PDPA to do so. 5.3 Clause 5.1 above shall be without prejudice to the Commission’s statutory powers to conduct or resume, at any time, the investigations referred to in clause 2 above if it thinks fit, including but not limited to the situation where the Organisation fails to comply with this Undertaking or part thereof in relation to any matter. 5.4 Nothing in this Undertaking, including the Commission’s acceptance of the Undertaking, is intended to, or shall, fetter or constrain the Commission’s rights and statutory powers (including but not limited to those under sections 48I, 48J, 48L(4) and 50 of the PDPA) in any manner. Neither shall be construed as creating any anticipation or expectation that the Commission will take or not take any particular course of action in the future (whether in the present case or in respect of any other case concerning a breach or suspected breach of the PDPA). The acceptance of this Undertaking is strictly confined to the particular facts of the present case, and is made on the basis of the representations and information provided by the Organisation. The acceptance of an Undertaking in this case shall not be construed as establishing any precedent. 6. VARIATION 6.1 This Undertaking may be varied only with the express written agreement of the Commission. This document has been electronically signed. The Parties hereby affirm that the electronic signatures have been affixed with the due authorisation of each Party and that Parties intend for the electronic signatures to carry the same weight, effect and meaning as hand-signed wet-ink signatures. 
SIGNED, for and on behalf of Metropolis Security Systems Pte Ltd by the following: Name: ______________________________________ Designation: _________________________________ Date: _______________________________________ ACCEPTED by Name: ______________________________________ Designation: Deputy Commissioner/Commissioner, Personal Data Protection Date: _______________________________________
SCHEDULE A
SUMMARY OF FACTS 1. In June 2022, Metropolis Security Systems Pte Ltd was notified that their files with personal data could have been exposed online via an open port. 2. The exposure was due to a public folder that was configured to an open port during a routine maintenance service in March 2018. As a result, the personal data of 250 individuals including their name, NRIC numbers, address, mobile number and bank account number could have been affected. 3. To prevent a recurrence of a similar incident, the Organisation took immediate remedial action to address the cause of the personal data breach.
SCHEDULE B
S/N | Issue | Remedial Actions | Completion Date
1 | Unintentional change of data in an information system | Both sensitive and confidential documents (i.e. contracts and supporting documents with specification and scope, employment contracts) are stored centrally in the HQ NAS folder with password protection. | Completed
2 | Deleting of Expired Records | Review all PII records and delete/destroy all expired records and records not required to be retained. | -
3 | Disclosure of Information | Classification of information in Asset register to be reviewed at least once a year. | 31 Dec 2022
4 | Disclosure of Information by Vendor | System checklist review to be conducted after every Vendor session. | Completed
5 | Compromising Confidential Information | Access control rights review half yearly and upon staff movements. Domain activity log monitoring quarterly. | 30 Sep 2022; 31 Oct 2022
6 | Inadequate supervision of vendors | Supplier and Vendors awareness training on ISMS at least once a year and also for IT manager to monitor vendors/supplier at all times for quality assurance purposes. | 30 Sep 2022
7 | Inadequate supervision of vendors | Implement documentation (contract agreement) with PDPA guidelines for all vendors/suppliers | 30 Nov 2022
8 | Insufficient infrastructure testing | Conduct adequate internal tests and penetration tests | 31 Dec 2022
9 | Insufficient security testing | Conduct complete security review across MSS | 31 Dec 2022
10 | Enhance information security processes and implementation | Embarked on ISO27001 implementation with external consultant | 31 Dec 2022 ",1002 53,2e5f804ece93b20adf5cf54c93ad1e92c40af7cf,28,Simmons (Southeast Asia) Private Limited,https://www.pdpc.gov.sg/undertakings/undertaking-by-simmons-southeast-asia-private-limited,2023-06-22,"Background  The Personal Data Protection Commission (the “Commission”) was notified by Simmons (Southeast Asia) Private Limited (""SPL"") on 17 August 2022 that it was subject to a ransomware attack on 10 August 2022. As a result of the attack, a test server containing the personal data of 87,824 customers was encrypted by ransomware. The personal data affected included the customers' name, address, email address, telephone number and customer information such as the sales order and date, product bought, amount paid, delivery date, time of delivery, date of payment, mode of payment, and payment reference. The data of 128 employees, including their business email address, user ID, and password was also encrypted. The Commission noted that there was no evidence of exfiltration of the data. It was established that the threat actor(s) had likely gained access to the test server by exploiting an open Remote Desktop Protocol (“RDP”) port. 
The RDP port had been left open just 4 days earlier, on 6 August 2022, to facilitate access to the test server by a vendor for testing and development work. Remedial Actions After the incident, as part of a remediation plan, SPL put in place measures including: (a) Reformatted and restored the test server; (b) Closed the RDP port; (c) Ensured that any connection to any of SPL’s servers within its IT environment can only be made through an SSL/VPN or IPSec connection, and that all RDP ports on all its servers are closed to public internet access; (d) Issued an SSL/VPN account to its vendor for the vendor to connect to SPL’s network before accessing the test server; (e) Removed all production data containing personal data from test servers and will ensure that any future test servers will not contain personal data in any form; (f) Set up all future test servers on a separate domain so that the possibility of lateral movement is minimised;  (g) Ensured that the passwords used on test servers (including the current test server) comply with SPL’s existing password policy; (h) Ensured that employees do not use easily guessable passwords; (i) Implemented multi-factor authentication; (j) Ensured that SPL’s endpoint protection / intrusion detection / prevention systems are installed on all servers and endpoints, regardless of whether they are production or test servers/endpoints; (k) Encrypted all personal data stored on its servers; (l) Reviewed and updated its internal policies/processes relating to the collection, use, disclosure, protection, and retention of personal data; (m) Strengthened its incident response plan; and (n) Implemented periodic penetration testing. 
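An added example that is not part of the PDPC page or of either organisation’s own remediation: a small Python audit of an inbound firewall ruleset that flags the two exposure patterns described in these undertakings (an RDP port opened to the public internet so a vendor could reach a test server, and a file share reachable on an open port), then rewrites the offending rules so that they admit only the SSL/VPN address pool, which is the access model SPL adopted in step (c). The sensitive-port list, rule names, addresses and the VPN subnet are assumptions, and the ruleset is constructed for the example.

```python
# Added example, not code from the PDPC page or from either organisation.
# Audits a constructed inbound firewall / security-group ruleset for
# remote-admin and file-share ports reachable from the public internet and
# produces the VPN-only ruleset that matches the stated remediation.
# Port list, rule names, addresses and the VPN subnet are assumptions.
import ipaddress
from dataclasses import dataclass, replace

# Ports whose exposure to the internet is almost always a finding (assumed
# list): 3389 RDP, 445 SMB, 2049 NFS, 22 SSH, 5900 VNC, 5985/5986 WinRM.
SENSITIVE_PORTS = {22, 445, 2049, 3389, 5900, 5985, 5986}

# Address space reachable only from inside the network. A source CIDR that
# is not wholly inside one of these prefixes is treated as the internet.
INTERNAL_NETS = [ipaddress.ip_network(c) for c in
                 ('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16', '127.0.0.0/8')]


@dataclass(frozen=True)
class Rule:
    name: str
    proto: str    # 'tcp' or 'udp'
    port: int     # destination port
    source: str   # CIDR the rule admits
    action: str   # 'allow' or 'deny'


def admits_internet(cidr):
    '''True unless the whole CIDR lies inside one internal prefix.

    Deliberately avoids ip_network(...).is_private: on older Python versions
    0.0.0.0/0 can report is_private as True because both its network and
    broadcast addresses fall inside reserved ranges.'''
    net = ipaddress.ip_network(cidr, strict=False)
    return not any(net.subnet_of(internal) for internal in INTERNAL_NETS)


def find_exposures(rules):
    '''Allow rules that open a sensitive port to the public internet.'''
    return [r for r in rules
            if r.action == 'allow'
            and r.port in SENSITIVE_PORTS
            and admits_internet(r.source)]


def harden(rules, vpn_subnet):
    '''Copy of the ruleset in which each exposed rule admits only the VPN
    subnet: management and file-share access require a VPN session first,
    as in the SPL remediation. Every other rule is returned unchanged.'''
    exposed = set(find_exposures(rules))
    return [replace(r, source=vpn_subnet) if r in exposed else r for r in rules]


def report(rules):
    '''One human-readable finding per exposed rule.'''
    return ['%s: %s/%d open to %s' % (r.name, r.proto, r.port, r.source)
            for r in find_exposures(rules)]


# Constructed ruleset for a test server and a NAS; not real configuration.
WEAK_RULES = [
    Rule('vendor-rdp-test-server', 'tcp', 3389, '0.0.0.0/0', 'allow'),  # opened for a vendor
    Rule('nas-smb', 'tcp', 445, '0.0.0.0/0', 'allow'),                  # share on an open port
    Rule('public-web', 'tcp', 443, '0.0.0.0/0', 'allow'),               # legitimately public
    Rule('internal-rdp', 'tcp', 3389, '10.20.0.0/16', 'allow'),         # LAN only
]
VPN_SUBNET = '10.250.0.0/24'   # assumed address pool handed out by the SSL/VPN


if __name__ == '__main__':
    for line in report(WEAK_RULES):
        print('FINDING', line)
    hardened = harden(WEAK_RULES, VPN_SUBNET)
    print('findings after hardening:', len(find_exposures(hardened)))
```

Run as a script it prints the two findings (the vendor RDP rule and the SMB rule) and reports none after hardening. The public HTTPS rule is not flagged because only remote-admin and file-share ports are in the list, and the LAN-only RDP rule is left alone; the same check run periodically, or in a change pipeline before a rule is applied, would have caught a port that was meant to be open for a few days of vendor work.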
Undertaking  Having considered the short duration during which the RDP port had been left open, the Organisation’s early detection of the ransomware attack, and the prompt and effective remedial steps taken by SPL to improve its data protection practices thereafter, the Commission accepted an undertaking from SPL to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 31 October 2022 (the “Undertaking”). SPL has since updated the Commission that it has completed the implementation of its remediation plan. The Commission has reviewed the matter and determined that SPL has complied with the terms of the Undertaking. Please click here to view the Undertaking.",https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/undertakings/undertaking---simmons-southeast-asia-limited.pdf,"WRITTEN VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Personal Data Protection Commission or its delegates pursuant to section 48L(1) of the PDPA, by: Simmons (Southeast Asia) Private Limited UEN: 199303272D Registered Address: 300 Beach Road, #25-03, The Concourse, Singapore 199555 (hereinafter referred to as the “Organisation”). By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. DEFINITIONS In this Undertaking: (a) “PDPA” means the Personal Data Protection Act 2012; and (b) “Relevant Provisions” means the provisions in Parts III, IV, V, VI, VIA and IX, and section 48B(1) of the PDPA. 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) The Commission has carried out investigations into certain acts and practices of the Organisation, and has reason to believe that the Organisation has not complied, is not complying, or is likely not to comply with one or more of the Relevant Provisions. 
The relevant facts and circumstances are summarised at Schedule A. (b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to issue directions under sections 48I or 48J of the PDPA. (c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation appears ready to implement or is in the midst of implementing the steps set out in Schedule B. Page 1 of 16 (d) Having carefully considered all the relevant facts and circumstances, the Commission takes the view that this is an appropriate case in which an Undertaking may be accepted. 2.2 The Organisation also acknowledges and agrees that the Commission may publish and make publicly available this Undertaking, and without limitation to the foregoing, the Commission may issue public statements referring to this Undertaking and/or its contents in whole or in part. 3. UNDERTAKINGS The Organisation undertakes that it has taken, or will take all necessary steps, to carry out the actions or refrain from carrying out the actions referred to in Schedule B, and where applicable, in accordance with the stipulated timelines. 4. COMMENCEMENT This Undertaking shall take effect upon the acceptance by the Commission of the Organisation’s duly executed Undertaking. 5. THE COMMISSION’S STATUTORY POWERS 5.1 In order to provide the Organisation with an opportunity to complete all necessary steps to implement its undertakings set out in clause 3 above, the Commission will exercise its powers under section 50(3)(ca) of the PDPA to suspend the investigations referred to in clause 2 on the date the Undertaking takes effect as set out in clause 4.1. 
5.2 The Organisation acknowledges that the Commission will verify the Organisation’s compliance with its undertakings set out in clause 3 above, and if necessary, will exercise its powers under the Ninth Schedule of the PDPA to do so. 5.3 Clause 5.1 above shall be without prejudice to the Commission’s statutory powers to conduct or resume, at any time, the investigations referred to in clause 2 above if it thinks fit, including but not limited to the situation where the Organisation fails to comply with this Undertaking or part thereof in relation to any matter. 5.4 Nothing in this Undertaking, including the Commission’s acceptance of the Undertaking, is intended to, or shall, fetter or constrain the Commission’s rights and statutory powers (including but not limited to those under sections 48I, 48J, 48L(4) and 50 of the PDPA) in any manner. Neither shall be construed as creating any anticipation or expectation that the Commission will take or not take any particular course of action in the future (whether in the present case or in respect of any other case concerning a breach or suspected breach of the PDPA). The acceptance of this Undertaking is strictly confined to the particular facts of the present case, and is made on the basis of the representations and information provided by the Organisation. The acceptance of an Undertaking in this case shall not be construed as establishing any precedent. 6. VARIATION This Undertaking may be varied only with the express written agreement of the Commission. This document has been electronically signed. The Parties hereby affirm that the electronic signatures have been affixed with the due authorisation of each Party and that Parties intend for the electronic signatures to carry the same weight, effect and meaning as hand-signed wet-ink signatures. 
SIGNED, for and on behalf of Simmons (Southeast Asia) Private Limited by the following: Name: ______________________________________ Designation: _________________________________ Date: _______________________________________ ACCEPTED by Name: ______________________________________ Designation: _________________________________ Personal Data Protection Date: _______________________________________
SCHEDULE A
SUMMARY OF FACTS 1. On 17 August 2022, the PDPC was informed that a server which the Organisation had set up for testing purposes was subject to a ransomware attack, resulting in the encryption of a backup copy of its database. 2. As a result, the personal data of 87,824 customers including their name, address, email address, telephone number, and transaction information was encrypted. In addition, the data of another 128 employees, including their name, business email address, and user ID and password for internal software accounts was also encrypted. There was no evidence of any exfiltration of personal data. 3. To prevent a recurrence of a similar incident, the Organisation took immediate remedial action to address the possible cause of the personal data breach.
SCHEDULE B
No. | Potential Risk Factors/Improvement Areas | Remediation Plan | Target Completion (Date)
Technical Remediation
1 | The attacker(s) likely accessed the test server through the RDP port which was opened to public internet access. | SPL reformatted and restored the affected test server to a pre-infected version. | 11 August 2022 (completed)
2 | - | SPL closed the RDP port of the test server from public internet access. | 10 August 2022 (completed)
3 | - | SPL will ensure that any connection to any of SPL’s servers within its IT environment can only be made through an SSL/VPN or IPSec connection, and that all RDP ports on all its servers are closed to public internet access. | 12 August 2022 (completed)
Page 1 of 11
4 | - | SPL has issued an SSL/VPN account to its vendor for the vendor to connect to SPL’s network before accessing the test server. | 12 August 2022 (completed)
5 | - | SPL has shut down the test server and will not reactivate the test server for development work until the appropriate security measures are implemented. | 22 August 2022 (completed)
6 | SPL used production data on a test server. | SPL will remove all production data containing personal data from test servers and ensure that any future test servers will not contain personal data in any form, and will only utilise test data from which personal data cannot be derived. | 13 September 2022 (completed)
7 | - | SPL will set up all future test servers on a separate domain so that the possibility of lateral movement is minimised. SPL will include this as a requirement in the written internal policies/processes to be published under SN14 below. | When required.
8 | Since the test server was a new server set up solely for development work, SPL’s password policy was not implemented. | SPL will ensure that the passwords used on test servers (including the existing current test server) comply with SPL’s existing password policy. SPL will also require all employees to use password generation and management software to ensure that passwords are “random” and do not contain easily guessable words (e.g. SPL’s name). SPL will include this as a requirement in the written internal policies/processes to be published under SN14 below. | 25 October 2022
9 | - | SPL will also implement multi-factor authentication for all possible account logins (including administrators) in SPL, including accounts on test servers. | 29 November 2022
10 | As the test server was a new server, it was not connected to SPL’s Symantec Endpoint Protection system. SPL only has the Symantec Endpoint Protection system in place and does not have in place any other intrusion detection or prevention systems. | SPL will research available IDS/IPS in order to implement and integrate a suitable IDS/IPS into its systems. SPL will review its current logging locations and strategies as well as look into available logs. SPL will evaluate logging solutions in order to pick a solution that would best fit the organization. | 29 November 2022
11 | - | SPL will ensure that SPL’s endpoint protection / intrusion detection / prevention systems are installed on all servers and endpoints, regardless of whether they are production or test servers/endpoints, at the time the server or relevant machine is set up. SPL will include this as a requirement in the written internal policies/processes to be published under SN14 below. | When required
12 | The personal data that was uploaded onto the test server was not encrypted. | All personal data stored in any of SPL’s servers will be encrypted. | Ongoing. Encryption of data stored on SPL’s human resources server has been completed. Encryption of other servers will be completed by 15 November 2022
13 | - | SPL informed all users to change the passwords for all their accounts in SPL’s IT environment. SPL thereafter enforced this by manually expiring all the passwords within SPL’s control, such as for the user domain accounts, SAP accounts, and SSL/VPN accounts. Out of an abundance of caution, SPL also informed all users to change the passwords of any accounts which used an SPL domain address. | 18 August 2022 (Completed)
Policies/Process Remediation
14 | There were no written policies / processes / guidelines relating to the collection, use, disclosure, protection, and retention of personal data in the possession and/or custody of SPL and/or its employees in place. | SPL will review and update its internal policies/processes relating to the collection, use, disclosure, protection, and retention of personal data in the possession and/or custody of SPL and/or its employees, including but not limited to ensuring the proper documentation of the policies and processes and enhancing training for all staff on their data protection obligations. | 17 October 2022
15 | Strengthen incident response plan | SPL will draft an Incident Response Plan. The Incident Response Plan will outline the plan for responding to information security incidents, containing the following information: a. Scope; b. Incident Response Methodology; c. Incident Response Phases; d. Guidelines for the Incident Response Process; and e. Documentation, Tracking and Reporting. | 10 October 2022 (Completed)
16 | There was no written contract in place with SPL’s IT Vendor regarding the IT Vendor’s provision of hosting services to SPL, which could include provisions for the protection of personal data. | SPL will endeavour to enter into a written contract with its IT Vendor which contractually obliges the IT Vendor to protect personal data stored by SPL. Alternatively, SPL will endeavour to enter into a written agreement with a different vendor on terms which oblige the vendor to protect the personal data stored by SPL. | SPL will either enter into a written agreement with its IT Vendor or determine if it will switch to a new vendor by 1 November 2022. If SPL determines that it should enter into a written agreement with a different vendor, SPL will do so by 15 November 2022.
17 | Vulnerability testing | SPL will research available vulnerability testing solutions in order to conduct a suitable penetration test after the above-mentioned steps are taken. SPL will also implement periodic penetration testing. | 29 November 2022 ",1007 54,a58e31a0799824b378e72d888d006a078b3f432e,29,Metropolis Security Systems Pte Ltd,https://www.pdpc.gov.sg/undertakings/undertaking-by-metropolis-security-systems-pte-ltd,2023-06-22,"Background  In late June 2022, the Cyber Security Agency of Singapore alerted the Personal Data Protection Commission (the “Commission”) and Metropolis Security Systems Pte Ltd (the “Organisation”) that the Organisation’s files containing the personal data of 250 individuals were accessible online via an open port. The affected folder containing the personal data had been inadvertently set to public, and configured to an open port following a routine maintenance service in March 2018. As a result, the personal data of 250 individuals including their name, NRIC number, address, mobile number and bank account number was disclosed. Remedial Actions After the incident, as part of a remediation plan, the Organisation implemented the following: (a) Password-protect both sensitive and confidential documents stored centrally in its HQ Network Attached Storage folder; (b) Review the classification of information in its asset register at least once a year; (c) Ensure that its vendors/suppliers are contractually obliged to comply with the Personal Data Protection Act 2012; (d) Conduct adequate internal tests and penetration tests; and (e) Embark on ISO27001 implementation with an external consultant. 
Undertaking  Having considered the circumstances of the case, including the remedial steps taken by the Organisation, the Commission accepted an undertaking from the Organisation to improve its compliance with the PDPA. The undertaking was executed on 27 September 2022 (the “Undertaking”). The Organisation has since updated the Commission that it has fully implemented its remediation plan. The Commission has reviewed the matter and determined that the Organisation has complied with the terms of the Undertaking. Please click here to view the Undertaking.",https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/undertakings/undertaking---metropolis-security-systems-pte-ltd.pdf,"WRITTEN VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Personal Data Protection Commission or its delegates pursuant to section 48L(1) of the PDPA, by: Metropolis Security Systems Pte Ltd UEN: 201008279K Registered Address: 20 Sin Ming Lane #08-63 Midview City, Singapore (573968) (hereinafter referred to as the “Organisation”). By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. DEFINITIONS 1.1 In this Undertaking: (a) “PDPA” means the Personal Data Protection Act 2012; and (b) “Relevant Provisions” means the provisions in Parts III, IV, V, VI, VIA and IX, and section 48B(1) of the PDPA. 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) The Commission has carried out investigations into certain acts and practices of the Organisation, and has reason to believe that the Organisation has not complied, is not complying, or is likely not to comply with one or more of the Relevant Provisions. The relevant facts and circumstances are summarised at Schedule A. 
(b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to issue directions under sections 48I or 48J of the PDPA. (c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation appears ready to implement or is in the midst of implementing the steps set out in Schedule B. (d) Having carefully considered all the relevant facts and circumstances, the Commission takes the view that this is an appropriate case in which an Undertaking may be accepted. 2.2 The Organisation also acknowledges and agrees that the Commission may publish and make publicly available this Undertaking, and without limitation to the foregoing, the Commission may issue public statements referring to this Undertaking and/or its contents in whole or in part. 3. UNDERTAKINGS 3.1 The Organisation undertakes that it has taken, or will take all necessary steps, to carry out the actions or refrain from carrying out the actions referred to in Schedule B, and where applicable, in accordance with the stipulated timelines. 4. COMMENCEMENT 4.1 This Undertaking shall take effect upon the acceptance by the Commission of the Organisation’s duly executed Undertaking. 5. THE COMMISSION’S STATUTORY POWERS 5.1 In order to provide the Organisation with an opportunity to complete all necessary steps to implement its undertakings set out in clause 3 above, the Commission will exercise its powers under section 50(3)(ca) of the PDPA to suspend the investigations referred to in clause 2 on the date the Undertaking takes effect as set out in clause 4.1. 
5.2 The Organisation acknowledges that the Commission will verify the Organisation’s compliance with its undertakings set out in clause 3 above, and if necessary, will exercise its powers under the Ninth Schedule of the PDPA to do so. 5.3 Clause 5.1 above shall be without prejudice to the Commission’s statutory powers to conduct or resume, at any time, the investigations referred to in clause 2 above if it thinks fit, including but not limited to the situation where the Organisation fails to comply with this Undertaking or part thereof in relation to any matter. 5.4 Nothing in this Undertaking, including the Commission’s acceptance of the Undertaking, is intended to, or shall, fetter or constrain the Commission’s rights and statutory powers (including but not limited to those under sections 48I, 48J, 48L(4) and 50 of the PDPA) in any manner. Neither shall be construed as creating any anticipation or expectation that the Commission will take or not take any particular course of action in the future (whether in the present case or in respect of any other case concerning a breach or suspected breach of the PDPA). The acceptance of this Undertaking is strictly confined to the particular facts of the present case, and is made on the basis of the representations and information provided by the Organisation. The acceptance of an Undertaking in this case shall not be construed as establishing any precedent. 6. VARIATION 6.1 This Undertaking may be varied only with the express written agreement of the Commission. This document has been electronically signed. The Parties hereby affirm that the electronic signatures have been affixed with the due authorisation of each Party and that Parties intend for the electronic signatures to carry the same weight, effect and meaning as hand-signed wet-ink signatures. 
SIGNED, for and on behalf of ) Metropolis Security Systems Pte Ltd ) By the following: ) Name: ______________________________________ ) Designation: _________________________________ ) Date: _______________________________________ ) ACCEPTED by ) ) Name: _________ _________________ ) Designation: Deputy Commissioner/Commissioner Personal Data Protection ) Date: _______________________________________ ) SCHEDULE A SUMMARY OF FACTS 1. In June 2022, Metropolis Security Systems Pte Ltd was notified that their files with personal data could have been exposed online via an open port. 2. The exposure was due to a public folder that was configured to an open port during a routine maintenance service in March 2018. As a result, the personal data of 250 individuals including their name, NRIC numbers, address, mobile number and bank account number could have been affected. 3. To prevent a recurrence of a similar incident, the Organisation took immediate remedial action to address the cause of the personal data breach. SCHEDULE B
S/N | Issue | Remedial Actions | Completion Date
1 | Unintentional change of data in an information system | Both sensitive and confidential documents (i.e. contracts and supporting document with specification and scope, employment contracts) are stored centrally in HQ NAS folder with password protected. | Completed
2 | Deleting of Expired Records | Review all PII records and to delete/destroy all expired records and records not required to be retained. |
3 | Disclosure of Information | Classification of information in Asset register to be reviewed at least once a year. | 31 Dec 2022
4 | Disclosure of Information by Vendor | System checklist review to be conducted after every Vendor session. | Completed
5 | Compromising Confidential Information | Access control rights review half yearly and upon staff movements. Domain activity log monitoring quarterly. | 30 Sep 2022; 31 Oct 2022
6 | Inadequate supervision of vendors | Supplier and Vendors awareness training on ISMS at least once a year and also for IT manager to monitor vendors/supplier at all time for quality assurance purposes. | 30 Sep 2022
7 | Inadequate supervision of vendors | Implement documentation (contract agreement) with PDPA guidelines for all vendors/supplier | 30 Nov 2022
8 | Insufficient infrastructure testing | Conduct adequate internal tests and penetration tests | 31 Dec 2022
9 | Insufficient security testing | Conduct complete security review across MSS | 31 Dec 2022
10 | Enhance information security processes and implementation | Embarked on ISO27001 implementation with external consultant | 31 Dec 2022 ",1007 27,435234e817ffdbe595771e1c0dfb3d270b6b5997,27,SpeeDoc Pte Ltd,https://www.pdpc.gov.sg/Undertakings/Undertaking-by-Speedoc-Pte-Ltd,2023-05-11,"Background  The Personal Data Protection Commission (the “Commission”) was informed on 27 October 2020 that SpeeDoc Pte. Ltd's (“Organisation”) AWS S3 bucket was incorrectly configured which enabled public access to the personal data stored within. The personal data of 12,652 individuals, including their names, phone numbers, email addresses was potentially publicly accessible. Of the 12,652 individuals affected, the NRIC numbers of 22 individuals, laboratory test results of 34 individuals, profile pictures of 492 individuals, and photos of their medication and symptoms (rashes and wounds) submitted by 157 individuals to the Organisation was also made potentially publicly accessible. Remedial Actions To prevent recurrence of a similar incident, the Organisation took immediate remedial action to address the cause of the personal data breach. 
These include: (a) Conducting an IT security audit to identify and rectify security vulnerabilities in its network and systems;   (b) Attaining the ISO27001 Certification to ensure that its information systems are aligned with the industry's best practices and protected against malware and loss of data; (c) Sending its key team members to undergo relevant security and data protection training on Amazon Web Services; and (d) Sending its employees to attend cyber and data protection awareness training to ensure that they are equipped with the relevant knowledge to identify and mitigate security threats.  Undertaking  Having considered the circumstances of the case, including the remedial steps taken by the Organisation, the Commission accepted an undertaking from the Organisation to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 28 April 2022 (the “Undertaking”).   The Organisation has since updated the Commission that it has fully implemented its remediation plan. The Commission has reviewed the matter and determined that the Organisation has complied with the terms of the Undertaking. Please click here to view the Undertaking.",https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Undertakings/Undertaking---Speedoc-Pte-Ltd.pdf,"WRITTEN VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Personal Data Protection Commission or its delegates pursuant to section 48L(1) of the PDPA, by: SpeeDoc Pte Ltd UEN: 201705599R Registered Address: 991C Alexandra Road #01-13B Singapore 119971 (hereinafter referred to as the “Organisation”). By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. 
DEFINITIONS 1.1 In this Undertaking: (a) “PDPA” means the Personal Data Protection Act 2012; and (b) “Relevant Provisions” means the provisions in Parts III, IV, V, VI, VIA and IX, and section 48B(1) of the PDPA. 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) The Commission has carried out investigations into certain acts and practices of the Organisation, and has reason to believe that the Organisation has not complied, is not complying, or is likely not to comply with one or more of the Relevant Provisions. The relevant facts and circumstances are summarised at Schedule A. (b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to issue directions under sections 48I or 48J of the PDPA. (c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation appears ready to implement or is in the midst of implementing the steps set out in Schedule B. (d) Having carefully considered all the relevant facts and circumstances, the Commission takes the view that this is an appropriate case in which an Undertaking may be accepted. 2.2 The Organisation also acknowledges and agrees that the Commission may publish and make publicly available this Undertaking, and without limitation to the foregoing, the Commission may issue public statements referring to this Undertaking and/or its contents in whole or in part. 3. 
UNDERTAKINGS 3.1 The Organisation undertakes that it has taken, or will take all necessary steps, to carry out the actions or refrain from carrying out the actions referred to in Schedule B, and where applicable, in accordance with the stipulated timelines. 4. COMMENCEMENT 4.1 This Undertaking shall take effect upon the acceptance by the Commission of the Organisation’s duly executed Undertaking. 5. THE COMMISSION’S STATUTORY POWERS 5.1 In order to provide the Organisation with an opportunity to complete all necessary steps to implement its undertakings set out in clause 3 above, the Commission will exercise its powers under section 50(3)(ca) of the PDPA to suspend the investigations referred to in clause 2 on the date the Undertaking takes effect as set out in clause 4.1. 5.2 The Organisation acknowledges that the Commission will verify the Organisation’s compliance with its undertakings set out in clause 3 above, and if necessary, will exercise its powers under the Ninth Schedule of the PDPA to do so. 5.3 Clause 5.1 above shall be without prejudice to the Commission’s statutory powers to conduct or resume, at any time, the investigations referred to in clause 2 above if it thinks fit, including but not limited to the situation where the Organisation fails to comply with this Undertaking or part thereof in relation to any matter. 5.4 Nothing in this Undertaking, including the Commission’s acceptance of the Undertaking, is intended to, or shall, fetter or constrain the Commission’s rights and statutory powers (including but not limited to those under sections 48I, 48J, 48L(4) and 50 of the PDPA) in any manner. Neither shall be construed as creating any anticipation or expectation that the Commission will take or not take any particular course of action in the future (whether in the present case or in respect of any other case concerning a breach or suspected breach of the PDPA). 
The acceptance of this Undertaking is strictly confined to the particular facts of the present case, and is made on the basis of the representations and information provided by the Organisation. The acceptance of an Undertaking in this case shall not be construed as establishing any precedent. 6. VARIATION 6.1 This Undertaking may be varied only with the express written agreement of the Commission. This document has been electronically signed. The Parties hereby affirm that the electronic signatures have been affixed with the due authorisation of each Party and that Parties intend for the electronic signatures to carry the same weight, effect and meaning as hand-signed wet-ink signatures. SIGNED, for and on behalf of ) SpeeDoc Pte Ltd ) By the following: ) Name: ______________________________________ ) Designation: _________________________________ ) Date: _______________________________________ ) ACCEPTED by ) ) Name: ______________________________________ ) Designation: Deputy Commissioner Personal Data Protection ) Date: _______________________________________ ) SCHEDULE A SUMMARY OF FACTS 1. On 27 October 2020, the PDPC was informed that the Organisation’s AWS S3 bucket was incorrectly configured which enabled public access to the personal data stored within. 2. Consequently, the personal data of 12,652 individuals including their names, phone numbers, email addresses, NRIC numbers, lab test results, profile pictures, and photos of symptoms and medicines was exposed to public access. 3. To prevent a recurrence of a similar incident, the Organisation took immediate remedial action to address the cause of the personal data breach. SCHEDULE B
Remediation Actions | Purpose | Target Completion Date | Details
Security training for Engineering team | Ensure competency of engineering staff tasked with development of Speedoc web and applications and are familiar with. | April 2022 | AWS Certification: Jeffrey Gan - Information Security Manager; Nina Wiryanto - React Developer
Formation of Security Team | In-house department tasked with developing security framework, policies and procedures that provide adequate information systems protection. | Completed | Information Security Manager - Jeffrey Gan (Oct 2021); IT Executive - James Yeo (Sept 2021); DevOps Engineer - Rudy Moniaga (Jan 2022)
ISO 27001 Certification | Implementation of an information security management system aligning with the industry's best practices. | June 2021 | Expected completion in August 2022 due to expansion of scope. Implementation Progress: 42%
IT Operating Procedure Policy | Ensure appropriate and secure operations of information systems, that information systems are protected against malware and loss of data, that events are logged, and compliance monitored, that operating system software is controlled, that the exploitation of technical vulnerabilities is prevented, and that the impact of audit activities on operational systems is minimized. ISO 27001 Annex A.12 | Completed on 22 October 2021 | Policy documentation approved and signed on 22 October 2021
Systems Acquisition and Development Security Policy | Ensure that security is an integral part of information systems across their entire lifecycle, including those that provide services over public networks, that information security is integrated into the system development life cycle, and to ensure the protection of data used for testing. ISO 27001 Annex A.14 | Completed on 22 October 2021 | Policy documentation approved and signed on 22 October 2021
Incident Management Procedures | To ensure that Speedoc is ready to bring together necessary resources in an organized manner in the event of an incident. ISO 27001 Annex A.16 | Completed on 22 October 2021 | Policy documentation approved and signed on 22 October 2021
Third-party Security Audit | Identify security vulnerabilities in our network and systems to eliminate or mitigate them. | To be done annually | Speedoc App; Speedoc Provider App; Speedoc’s Network; CIS AWS Foundation Benchmark. Next test to be conducted on November 2022
Security Awareness Training for staff | Ensure Speedoc staff, especially those with access to sensitive data, are aware of current security threats and are equipped with required knowledge on security practices to mitigate the threats. | To be done annually | Current training is still in progress and done via Gnowbe: Security Incident Response; Security Awareness. Current training target completion date: March 2022
Training for InfoSec staff | Improve staff expertise in security and data protection. Ensure Speedoc’s data protection measures are aligned with the latest legal requirements. | 7 March 2022 - 23 June 2022 | SMU Advanced Certificate in Data Protection Principles - James Yeo (IT Executive); AWS Security Hardening - Started in Nov 2021 ",1002 52,7e827aa6a1f272532e383ffa921ae8d06b208507,27,SpeeDoc Pte Ltd,https://www.pdpc.gov.sg/undertakings/undertaking-by-speedoc-pte-ltd,2023-05-11,"Background  The Personal Data Protection Commission (the “Commission”) was informed on 27 October 2020 that SpeeDoc Pte. Ltd's (“Organisation”) AWS S3 bucket was incorrectly configured which enabled public access to the personal data stored within. The personal data of 12,652 individuals, including their names, phone numbers, email addresses was potentially publicly accessible. 
Of the 12,652 individuals affected, the NRIC numbers of 22 individuals, laboratory test results of 34 individuals, profile pictures of 492 individuals, and photos of their medication and symptoms (rashes and wounds) submitted by 157 individuals to the Organisation was also made potentially publicly accessible. Remedial Actions To prevent recurrence of a similar incident, the Organisation took immediate remedial action to address the cause of the personal data breach. These include: (a) Conducting an IT security audit to identify and rectify security vulnerabilities in its network and systems;   (b) Attaining the ISO27001 Certification to ensure that its information systems are aligned with the industry's best practices and protected against malware and loss of data; (c) Sending its key team members to undergo relevant security and data protection training on Amazon Web Services; and (d) Sending its employees to attend cyber and data protection awareness training to ensure that they are equipped with the relevant knowledge to identify and mitigate security threats.  Undertaking  Having considered the circumstances of the case, including the remedial steps taken by the Organisation, the Commission accepted an undertaking from the Organisation to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 28 April 2022 (the “Undertaking”).   The Organisation has since updated the Commission that it has fully implemented its remediation plan. The Commission has reviewed the matter and determined that the Organisation has complied with the terms of the Undertaking. 
Please click here to view the Undertaking.",https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/undertakings/undertaking---speedoc-pte-ltd.pdf,"WRITTEN VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Personal Data Protection Commission or its delegates pursuant to section 48L(1) of the PDPA, by: SpeeDoc Pte Ltd UEN: 201705599R Registered Address: 991C Alexandra Road #01-13B Singapore 119971 (hereinafter referred to as the “Organisation”). By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. DEFINITIONS 1.1 In this Undertaking: (a) “PDPA” means the Personal Data Protection Act 2012; and (b) “Relevant Provisions” means the provisions in Parts III, IV, V, VI, VIA and IX, and section 48B(1) of the PDPA. 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) The Commission has carried out investigations into certain acts and practices of the Organisation, and has reason to believe that the Organisation has not complied, is not complying, or is likely not to comply with one or more of the Relevant Provisions. The relevant facts and circumstances are summarised at Schedule A. (b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to issue directions under sections 48I or 48J of the PDPA. (c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation appears ready to implement or is in the midst of implementing the steps set out in Schedule B. 
(d) Having carefully considered all the relevant facts and circumstances, the Commission takes the view that this is an appropriate case in which an Undertaking may be accepted. 2.2 The Organisation also acknowledges and agrees that the Commission may publish and make publicly available this Undertaking, and without limitation to the foregoing, the Commission may issue public statements referring to this Undertaking and/or its contents in whole or in part. 3. UNDERTAKINGS 3.1 The Organisation undertakes that it has taken, or will take all necessary steps, to carry out the actions or refrain from carrying out the actions referred to in Schedule B, and where applicable, in accordance with the stipulated timelines. 4. COMMENCEMENT 4.1 This Undertaking shall take effect upon the acceptance by the Commission of the Organisation’s duly executed Undertaking. 5. THE COMMISSION’S STATUTORY POWERS 5.1 In order to provide the Organisation with an opportunity to complete all necessary steps to implement its undertakings set out in clause 3 above, the Commission will exercise its powers under section 50(3)(ca) of the PDPA to suspend the investigations referred to in clause 2 on the date the Undertaking takes effect as set out in clause 4.1. 5.2 The Organisation acknowledges that the Commission will verify the Organisation’s compliance with its undertakings set out in clause 3 above, and if necessary, will exercise its powers under the Ninth Schedule of the PDPA to do so. 5.3 Clause 5.1 above shall be without prejudice to the Commission’s statutory powers to conduct or resume, at any time, the investigations referred to in clause 2 above if it thinks fit, including but not limited to the situation where the Organisation fails to comply with this Undertaking or part thereof in relation to any matter. 
5.4 Nothing in this Undertaking, including the Commission’s acceptance of the Undertaking, is intended to, or shall, fetter or constrain the Commission’s rights and statutory powers (including but not limited to those under sections 48I, 48J, 48L(4) and 50 of the PDPA) in any manner. Neither shall be construed as creating any anticipation or expectation that the Commission will take or not take any particular course of action in the future (whether in the present case or in respect of any other case concerning a breach or suspected breach of the PDPA). The acceptance of this Undertaking is strictly confined to the particular facts of the present case, and is made on the basis of the representations and information provided by the Organisation. The acceptance of an Undertaking in this case shall not be construed as establishing any precedent. 6. VARIATION 6.1 This Undertaking may be varied only with the express written agreement of the Commission. This document has been electronically signed. The Parties hereby affirm that the electronic signatures have been affixed with the due authorisation of each Party and that Parties intend for the electronic signatures to carry the same weight, effect and meaning as hand-signed wet-ink signatures. SIGNED, for and on behalf of ) SpeeDoc Pte Ltd ) By the following: ) Name: ______________________________________ ) Designation: _________________________________ ) Date: _______________________________________ ) ACCEPTED by ) ) Name: ______________________________________ ) Designation: Deputy Commissioner Personal Data Protection ) Date: _______________________________________ ) SCHEDULE A SUMMARY OF FACTS 1. On 27 October 2020, the PDPC was informed that the Organisation’s AWS S3 bucket was incorrectly configured which enabled public access to the personal data stored within. 2. 
Consequently, the personal data of 12,652 individuals including their names, phone numbers, email addresses, NRIC numbers, lab test results, profile pictures, and photos of symptoms and medicines was exposed to public access. 3. To prevent a recurrence of a similar incident, the Organisation took immediate remedial action to address the cause of the personal data breach. SCHEDULE B
Remediation Actions | Purpose | Target Completion Date | Details
Security training for Engineering team | Ensure competency of engineering staff tasked with development of Speedoc web and applications and are familiar with. | April 2022 | AWS Certification: Jeffrey Gan - Information Security Manager; Nina Wiryanto - React Developer
Formation of Security Team | In-house department tasked with developing security framework, policies and procedures that provide adequate information systems protection. | Completed | Information Security Manager - Jeffrey Gan (Oct 2021); IT Executive - James Yeo (Sept 2021); DevOps Engineer - Rudy Moniaga (Jan 2022)
ISO 27001 Certification | Implementation of an information security management system aligning with the industry's best practices. | June 2021 | Expected completion in August 2022 due to expansion of scope. Implementation Progress: 42%
IT Operating Procedure Policy | Ensure appropriate and secure operations of information systems, that information systems are protected against malware and loss of data, that events are logged, and compliance monitored, that operating system software is controlled, that the exploitation of technical vulnerabilities is prevented, and that the impact of audit activities on operational systems is minimized. ISO 27001 Annex A.12 | Completed on 22 October 2021 | Policy documentation approved and signed on 22 October 2021
Systems Acquisition and Development Security Policy | Ensure that security is an integral part of information systems across their entire lifecycle, including those that provide services over public networks, that information security is integrated into the system development life cycle, and to ensure the protection of data used for testing. ISO 27001 Annex A.14 | Completed on 22 October 2021 | Policy documentation approved and signed on 22 October 2021
Incident Management Procedures | To ensure that Speedoc is ready to bring together necessary resources in an organized manner in the event of an incident. ISO 27001 Annex A.16 | Completed on 22 October 2021 | Policy documentation approved and signed on 22 October 2021
Third-party Security Audit | Identify security vulnerabilities in our network and systems to eliminate or mitigate them. | To be done annually | Speedoc App; Speedoc Provider App; Speedoc’s Network; CIS AWS Foundation Benchmark. Next test to be conducted on November 2022
Security Awareness Training for staff | Ensure Speedoc staff, especially those with access to sensitive data, are aware of current security threats and are equipped with required knowledge on security practices to mitigate the threats. | To be done annually | Current training is still in progress and done via Gnowbe: Security Incident Response; Security Awareness. Current training target completion date: March 2022
Training for InfoSec staff | Improve staff expertise in security and data protection. Ensure Speedoc’s data protection measures are aligned with the latest legal requirements. | 7 March 2022 - 23 June 2022 | SMU Advanced Certificate in Data Protection Principles - James Yeo (IT Executive); AWS Security Hardening - Started in Nov 2021 ",1007 26,a206ada196a8f23f7c840546f2c2efc81a92c816,26,Tat Hong Heavyequipment Pte Ltd,https://www.pdpc.gov.sg/Undertakings/Undertaking-by-Tat-Hong-Heavyequipment-Pte-Ltd,2023-04-17,"Background  The Personal Data Protection Commission (the “Commission”) received a data breach notification on 11 July 2022 from Tat Hong Heavyequipment (Pte.) Ltd (“Organisation”) regarding a ransomware attack in which various systems within the Organisation’s network were encrypted. A total of 43 virtual machines, 4 physical servers, 3 employees’ PC and network attached storage were affected. The personal data of the Organisation’s 3,377 current and former employees and their next-of-kin may have been compromised. The personal data included names, dates of births, NRIC/FIN/passport numbers, addresses, contact numbers, bank account numbers (for crediting of salaries) and fingerprints (for door access). There was no evidence of personal data exfiltration and all personal data have been fully restored. 
Remedial Actions After the incident, as part of a remediation plan, the Organisation implemented the following: (a) Hardening of perimeter firewall and fine tune firewall configurations;   (b) Periodic vulnerability assessment and penetration testing done annually or after major systems upgrades; (c) Redesign network so that all traffic will go through the main firewall for better visibility, monitoring and logging; (d) Implement multi-factor authentication for privileges and high-risk connections; (e) Ensure that all active PC and server are installed with Endpoint Detection and Response; (f) Upgrade existing HRMS that complies with latest industry standard encryption algorithm; (g) Conduct end user awareness training such as phishing simulation exercises to train employees and IT staff to identify phishing emails and be alert to spot signs of compromise. Undertaking  Having considered the circumstances of the case, including the remedial steps taken by the Organisation, the Commission accepted an undertaking from the Organisation to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 20 October 2022 (the “Undertaking”).   The Organisation has since updated the Commission that it has fully implemented its remediation plan. The Commission has reviewed the matter and determined that the Organisation has complied with the terms of the Undertaking. Please click here to view the Undertaking.","https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Undertakings/Undertaking---Tat-Hong-Heavyequipment-(Pte,-d-,)-Ltd.pdf","WRITTEN VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Personal Data Protection Commission or its delegates pursuant to section 48L(1) of the PDPA, by: Tat Hong Heavyequipment (Pte.) Ltd. UEN: 197801297W Registered Address: 82 Ubi Avenue 4 #05-01 Edward Boustead Centre Singapore 408832 (hereinafter referred to as the “Organisation”). 
By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. DEFINITIONS In this Undertaking: (a) “PDPA” means the Personal Data Protection Act 2012; and (b) “Relevant Provisions” means the provisions in Parts III, IV, V, VI, VIA and IX, and section 48B(1) of the PDPA. 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) The Commission has carried out investigations into certain acts and practices of the Organisation, and has reason to believe that the Organisation has not complied, is not complying, or is likely not to comply with one or more of the Relevant Provisions. The relevant facts and circumstances are summarised at Schedule A. (b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to issue directions under sections 48I or 48J of the PDPA. (c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation appears ready to implement or is in the midst of implementing the steps set out in Schedule B. (d) Having carefully considered all the relevant facts and circumstances, the Commission takes the view that this is an appropriate case in which an Undertaking may be accepted. 2.2 The Organisation also acknowledges and agrees that the Commission may publish and make publicly available this Undertaking, and without limitation to the foregoing, the Commission may issue public statements referring to this Undertaking and/or its contents in whole or in part. 3. 
UNDERTAKINGS The Organisation undertakes that it has taken, or will take all necessary steps, to carry out the actions or refrain from carrying out the actions referred to in Schedule B, and where applicable, in accordance with the stipulated timelines. 4. COMMENCEMENT This Undertaking shall take effect upon the acceptance by the Commission of the Organisation’s duly executed Undertaking. 5. THE COMMISSION’S STATUTORY POWERS 5.1 In order to provide the Organisation with an opportunity to complete all necessary steps to implement its undertakings set out in clause 3 above, the Commission will exercise its powers under section 50(3)(ca) of the PDPA to suspend the investigations referred to in clause 2 on the date the Undertaking takes effect as set out in clause 4.1. 5.2 The Organisation acknowledges that the Commission will verify the Organisation’s compliance with its undertakings set out in clause 3 above, and if necessary, will exercise its powers under the Ninth Schedule of the PDPA to do so. 5.3 Clause 5.1 above shall be without prejudice to the Commission’s statutory powers to conduct or resume, at any time, the investigations referred to in clause 2 above if it thinks fit, including but not limited to the situation where the Organisation fails to comply with this Undertaking or part thereof in relation to any matter. 5.4 Nothing in this Undertaking, including the Commission’s acceptance of the Undertaking, is intended to, or shall, fetter or constrain the Commission’s rights and statutory powers (including but not limited to those under sections 48I, 48J, 48L(4) and 50 of the PDPA) in any manner. Neither shall be construed as creating any anticipation or expectation that the Commission will take or not take any particular course of action in the future (whether in the present case or in respect of any other case concerning a breach or suspected breach of the PDPA). 
The acceptance of this Undertaking is strictly confined to the particular facts of the present case, and is made on the basis of the representations and information provided by the Organisation. The acceptance of an Undertaking in this case shall not be construed as establishing any precedent. 6. VARIATION This Undertaking may be varied only with the express written agreement of the Commission. This document has been electronically signed. The Parties hereby affirm that the electronic signatures have been affixed with the due authorisation of each Party and that the Parties intend for the electronic signatures to carry the same weight, effect and meaning as hand-signed wet-ink signatures. SIGNED, for and on behalf of ) Tat Hong Heavyequipment (Pte.) Ltd. ) By the following: ) Name: ______________________________________ ) Designation: _________________________________ ) Date: _______________________________________ ) ACCEPTED by ) ) Name: ______________________________________ ) Designation: Deputy Commissioner Personal Data Protection ) Date: _______________________________________ ) SCHEDULE A SUMMARY OF FACTS 1. On 11 July 2022, the Organisation was subjected to a ransomware attack in which various systems within the Organisation’s network were encrypted. A total of 43 virtual machines, 4 physical servers, 3 employees’ PCs and network attached storage were affected. The threat actor had likely gained access to the Organisation’s network by exploiting an open Microsoft Remote Desktop Protocol (RDP) connection to a UAT server. 2. As a result, the personal data of the Organisation’s 3,377 current and former employees and their next-of-kin may have been compromised. The personal data included names, dates of birth, NRIC/FIN/Passport numbers, addresses, contact numbers, bank account numbers (for crediting of salaries) and fingerprints (for door access). There was no evidence of personal data exfiltration and all personal data have been fully restored. 3. 
The Organisation took immediate remedial actions to address vulnerabilities, to prevent a recurrence of a similar incident. SCHEDULE B Remediation Plan Status Target Date of Completion Network Security and Design 1) Hardening of the Perimeter Firewall. Fine tune Firewall Configuration / Settings to prevent malicious traffic from outside from gaining access to the Internal Network. Completed Aug 2022 a) Block incoming RDP protocol from all public facing servers and devices. b) Whitelisting of outgoing traffic from the Internal Network to the Public Network. c) Control network traffic from the internal network to DMZ servers and vice versa, only allowing required traffic to pass through. 2) To ensure effective controls are current and remain in place, periodic Vulnerability Assessment and Penetration Testing will be done at least annually or after major systems upgrades/enhancements. a) Initial Vulnerability Assessment to assess the current state of our systems was conducted and formed the basis of the remediation process. Completed Aug 2022 b) Pre-commissioning Penetration Testing will be conducted after all the major system changes/enhancements are completed to validate the effectiveness of the current upgrades/enhancements. Scheduled Nov 2022 3) Engage a third party security company to conduct security traffic monitoring and firewall rules review as well as vulnerability assessment to assess and rectify security deficiencies and inefficiencies and propose relevant rectification works. Completed Aug 2022 4) Get additional modules to enhance the capability of the perimeter firewall. In progress Sep 2022 Page 1 of 5 a) Advanced URL Filtering – manage users' web access. b) DNS Security – protect against malware that abuses DNS for malicious activity. c) WildFire – delivers inline machine learning to prevent never-before-seen file and web-based threats. 
5) Engage a cyber-security expert to assist IT staff and the Company to enhance its security posture and compliance with regulatory requirements, and to jumpstart the level of cybersecurity knowledge in the company. Completed Aug 2022 6) Assign static IP addressing for critical/high risk computers. All servers are using static IP addressing already. Completed Aug 2022 7) Additional physical server backup process: the backup server will be connected to the server farm during the backup process and disconnected from the network after a successful backup. Completed Aug 2022 8) Redesign the network so that all traffic will pass through the main firewall for better visibility, monitoring and logging. In progress Oct 2022 a) Double stacking of firewalls such that all traffic will pass through the secondary and main firewall. b) Separate/isolated network for physical backup and Test Environment. c) Replication of physical server backup to the disaster recovery site using SD-WAN. d) Consider making the site-to-site VPN accessible only during extended office hours. e) Micro-segment the Staff VLAN for better security rules implementation. Identity and Access Management 9) Identity and Access Management Completed Aug 2022 a) Enforced an enhanced password policy. b) Changed Domain Administrator passwords. c) Randomised server local administrator passwords. d) Forced Domain users to change their passwords and adhere to the enhanced password policy. e) Forced change of users' email passwords. f) Cleaned up the AD, retaining only active users and machines, and reviewed access control. 10) Implement Multi-Factor Authentication for privileged accounts and high-risk connections. In progress Oct 2022 Endpoint Security 11) Ensure that all active PCs and servers have Endpoint Detection and Response (EDR) installed. Completed Aug 2022 a) Update all PCs/servers to the latest patch and definitions of the EDR + AV application. b) Update all PCs/servers with the latest Windows updates. 
c) Update/replace outdated applications and operating systems. 12) Upgrade to an advanced EDR + AV application, replacing the existing EDR + AV, to include advanced features such as machine learning and threat hunting. In progress Nov 2022 13) Measures against lateral movement and unauthorised changes. Related measures to reduce the potential attack surface for lateral movement via a combination of Windows policy and EPP/MDR solutions. Scheduled Nov 2022 a) Remove unnecessary access to administrative shares where applicable and/or restrict admin share privileges to only necessary services or user accounts, and perform continuous monitoring for anomalous activity using EPP/MDR. b) Ensure that the upgraded EDR, or a separate host-based firewall, only allows connections to administrative shares via Server Message Block (SMB) from a limited set of administrative machines. c) Enable protected files in the operating system to prevent unauthorised changes to critical files. d) Disable command line and scripting activities and permissions wherever possible, allowing restricted access only from required machines, as fully disabling these features would inhibit legitimate and productive uses of the command line and scripting. 14) Enhance the cybersecurity platform to improve security posture by implementing Managed Detection and Response (MDR). Scheduled Nov 2022 a) Use security experts to manage, monitor and respond to threats. b) Provides visibility across assets. c) Provides threat detection and real-time prevention of identity-based attacks. d) Provides continuous, comprehensive visibility of endpoint activity. e) Protects against malware and malware-free threats. f) Managed threat hunting to stop hidden, advanced attacks. Data Security 15) Purge ex-staff records in the HR server according to the data retention policy. In progress Sep 2022 16) Upgrade the existing HRMS to one that complies with the latest industry-standard encryption algorithm. 
In progress Dec 2022 17) Data minimisation across all data stores. Full backup of personal datasets is done daily. Scheduled Nov 2022 In progress Oct 2022 a) Limit the backup data retention to 31 days; any backup older than 31 days will be purged automatically. People Management 18) End-user Awareness Training a) Conduct end-user awareness training such as phishing simulation exercises to train employees and IT staff to identify phishing emails and be alert to signs of compromise. b) Be able to spot email impostor scams (spoofing) and know how to react to them. ",1007 25,f40c4f3d5a16ea9bd2427793dd233ad0feb0cabd,25,Putien Restaurant Pte Ltd,https://www.pdpc.gov.sg/Undertakings/Undertaking-by-Pu-Tien-Restaurant-Pte-Ltd,2023-03-10,"Background The Personal Data Protection Commission (the “Commission”) was notified by Pu Tien Restaurant Pte Ltd (the ""Organisation"") on 6 December 2021 that it was subject to a ransomware attack on 24 November 2021. A threat actor used stolen administrator account credentials to enter the Organisation's network through a remote desktop protocol port. As a result, its servers containing personal data were accessed and encrypted by ransomware. 350 employees' personal data were encrypted. The personal data included full names, contact numbers, NRIC, work permit, passport numbers, birth certificate and education certificate images, and bank account numbers. The Commission noted that there was no evidence of exfiltration of the personal data. Remedial Actions To prevent a recurrence of a similar incident, the Organisation took immediate remedial action to address the cause of the personal data breach. 
These include: (a) Development of policies and procedures in relation to IT security, cyber hygiene, protection, prevention of leakage and secure disposal of data, and incident response; (b) Implementation of security measures such as anti-virus software, firewall, multi-factor authentication, data encryption, access control, updates, and data backups; (c) Conduct of IT audit reviews on: (i) Computer devices, hardware and software assets to ensure software and operating systems were updated and patched; (ii) User accounts to ensure all rights assigned were necessary; and (d) Conduct of cyber and data protection awareness training for key employees who handle personal data. Undertaking Having considered the circumstances of the case, including the remedial steps taken by the Organisation, the Commission accepted an undertaking from the Organisation to improve its compliance with the Personal Data Protection Act (2012). The undertaking was executed on 28 July 2022 (the ""Undertaking""). The Organisation has since updated the Commission that it has fully implemented its remediation plan. The Commission has reviewed the matter and determined that the Organisation has complied with the terms of the Undertaking. Please click here to view the Undertaking.",https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Undertakings/Undertaking---Pu-Tien-Restaurant-Pte-Ltd.pdf,"WRITTEN VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Personal Data Protection Commission or its delegates pursuant to section 48L(1) of the PDPA, by: Pu Tien Restaurant Pte Ltd UEN: 200001660W Registered Address: 127 Kitchener Road, Singapore 208514 (hereinafter referred to as the “Organisation”). By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. 
DEFINITIONS In this Undertaking: (a) “PDPA” means the Personal Data Protection Act 2012; and (b) “Relevant Provisions” means the provisions in Parts III, IV, V, VI, VIA and IX, and section 48B(1) of the PDPA. 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) The Commission has carried out investigations into certain acts and practices of the Organisation, and has reason to believe that the Organisation has not complied, is not complying, or is likely not to comply with one or more of the Relevant Provisions. The relevant facts and circumstances are summarised at Schedule A. (b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to issue directions under sections 48I or 48J of the PDPA. (c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation appears ready to implement or is in the midst of implementing the steps set out in Schedule B. (d) Having carefully considered all the relevant facts and circumstances, the Commission takes the view that this is an appropriate case in which an Undertaking may be accepted. 2.2 The Organisation also acknowledges and agrees that the Commission may publish and make publicly available this Undertaking, and without limitation to the foregoing, the Commission may issue public statements referring to this Undertaking and/or its contents in whole or in part. 3. 
UNDERTAKINGS The Organisation undertakes that it has taken, or will take all necessary steps, to carry out the actions or refrain from carrying out the actions referred to in Schedule B, and where applicable, in accordance with the stipulated timelines. 4. COMMENCEMENT This Undertaking shall take effect upon the acceptance by the Commission of the Organisation’s duly executed Undertaking. 5. THE COMMISSION’S STATUTORY POWERS 5.1 In order to provide the Organisation with an opportunity to complete all necessary steps to implement its undertakings set out in clause 3 above, the Commission will exercise its powers under section 50(3)(ca) of the PDPA to suspend the investigations referred to in clause 2 on the date the Undertaking takes effect as set out in clause 4.1. 5.2 The Organisation acknowledges that the Commission will verify the Organisation’s compliance with its undertakings set out in clause 3 above, and if necessary, will exercise its powers under the Ninth Schedule of the PDPA to do so. 5.3 Clause 5.1 above shall be without prejudice to the Commission’s statutory powers to conduct or resume, at any time, the investigations referred to in clause 2 above if it thinks fit, including but not limited to the situation where the Organisation fails to comply with this Undertaking or part thereof in relation to any matter. 5.4 Nothing in this Undertaking, including the Commission’s acceptance of the Undertaking, is intended to, or shall, fetter or constrain the Commission’s rights and statutory powers (including but not limited to those under sections 48I, 48J, 48L(4) and 50 of the PDPA) in any manner. Neither shall be construed as creating any anticipation or expectation that the Commission will take or not take any particular course of action in the future (whether in the present case or in respect of any other case concerning a breach or suspected breach of the PDPA). 
The acceptance of this Undertaking is strictly confined to the particular facts of the present case, and is made on the basis of the representations and information provided by the Organisation. The acceptance of an Undertaking in this case shall not be construed as establishing any precedent. 6. VARIATION This Undertaking may be varied only with the express written agreement of the Commission. This document has been electronically signed. The Parties hereby affirm that the electronic signatures have been affixed with the due authorisation of each Party and that Parties intend for the electronic signatures to carry the same weight, effect and meaning as hand-signed wet-ink signatures. SIGNED, for and on behalf of ) PU TIEN RESTAURANT PTE LTD ) By the following: ) Name: ______________________________________ ) Designation: _________________________________ ) Date: _______________________________________ ) ACCEPTED by ) ) Name: ______________________________________ ) Designation: Deputy Commissioner Personal Data Protection ) Date: _______________________________________ ) SCHEDULE A SUMMARY OF FACTS 1. The Personal Data Protection Commission (the “Commission”) was notified by Pu Tien Restaurant Pte Ltd (the “Organisation”) on 6 December 2021 that it was subject to a ransomware attack on 24 November 2021. A threat actor used stolen administrator account credentials to enter the Organisation’s network through a remote desktop protocol port. As a result, its servers containing personal data were accessed and encrypted by ransomware. 2. 350 employees’ personal data were encrypted. The personal data included full names, contact numbers, NRIC, work permit, passport numbers, birth certificate and education certificate images, and bank account numbers. The Commission noted that there was no evidence of exfiltration of the personal data. 3. 
To prevent a recurrence of a similar incident, the Organisation took immediate remedial action to address the cause of the personal data breach. SCHEDULE B Accountability – Governance, Policies and Procedures (S/N, Remediation Step, Completion Date/Target Completion Date): 1. Appoint a Data Protection Officer. Completed in May 2022. 2. Develop an IT Security policy comprising: • Secure management of accounts and passwords, user authentication, management of physical access to assets; • Authorisation process to onboard new hardware and software. Completed in June 2022. 3. Develop cyber hygiene practices and guidelines for employees to adopt in their day-to-day operations. To be completed by January 2023. 4. Develop and implement practices and guidelines on how data is managed securely, including: • Protection of data; • Prevention of leakage of data by employees; • Secure disposal of data. To be completed by Q1 2023. 5. Develop and implement practices and guidelines on incident response. To be completed by January 2023. 
Staff Training and Communications (S/N, Remediation Step, Completion Date/Target Completion Date): 1. Mandate the staff to complete the PDPA E-learning. To be completed by December 2022. 2. Identify and facilitate key personnel to attend PDPC courses (e.g. Fundamentals of the PDPA 2020). To be completed by December 2022. 3. Provide cybersecurity awareness training for employees in the organisation, minimally covering these topics: • Protect yourself from phishing; • Set strong passphrases and protect them; • Protect your corporate and/or personal devices (used for work); • Report cyber incidents; • Handle and disclose business-critical data carefully; • Work onsite and telecommute in a secure manner. To be completed by January 2023. 
Data Security Practices (S/N, Remediation Step, Completion Date/Target Completion Date): 1. Subscribe to MS365 Premium license and configure with: • Microsoft Defender; • MFA; • Encryption; • Appropriate folder permissions in SharePoint. Completed in December 2021. 2. Install an on-premises server with hybrid connectivity to cloud servers and configure access control on: • Password policy; • Network control limitation; • Windows patch updates; • File transfer encryption. To be completed by September 2022. 3. Configure data encryption in transit for: • HTTPS secure internal web access; • SFTP (for POS system file transfer); • Change of port access. Completed in June 2022. 4. Subscribe to TrendMicro Cloud Security with the following configurations: • Daily routine scanning of viruses and malware; • Network access limitation; • Daily updates to signature files to detect new malware. Completed in May 2022. 5. Subscribe to FortiGate UTM Firewall service with proper configuration of policy and network security. Completed in July 2022; penetration test to be conducted by November 2022. 6. Implement secure configuration for hardware and software assets, including: • Enforcing security configurations or enabling security features for assets and avoiding or updating weak configurations; • Replacing or upgrading insecure configurations and weak protocols; • Turning off features/services that are not used. To be completed by Q1 2023. 7. Install Windows Server Update Services to push critical updates to end user devices. To be completed by September 2022. 8. Subscribe to Acronis Cloud backup and configure with daily incremental backups and weekly full backups. To be completed by October 2022. 
Review (S/N, Remediation Step, Target Completion Date): 1. Ensure that the latest software updates are installed on devices and systems. To be completed by Q1 2023. 2. Carry out review and update of: • Data protection and security policies; • Configuration settings for hardware and software; • User accounts, to ensure all accounts are active and the rights assigned are necessary; • Incident response plan. To be completed by November 2022. 3. Conduct a refresher on cyber and data protection awareness training for key employees on handling personal data. To be completed by Q1 2023. 4. Conduct phishing simulation exercises to train the employees to be alert. To be completed by Q1 2023. 5. Conduct a table-top exercise to test the cyber and data breach response plan. To be completed by December 2022. 6. Audit the sharing of passwords, such as admin credentials, the public display of post-it notes of passwords, or the storing of passwords in public web folders. To be completed by November 2022. 7. Ensure that regular backups are set up according to the backup policy. Backup media are regularly tested to ensure that the backup data can be recovered and restored. To be completed by October 2022. ",1002 50,f90f2588a4ba89ab8471d68f44ec800afd3f1379,25,Putien Restaurant Pte Ltd,https://www.pdpc.gov.sg/undertakings/undertaking-by-pu-tien-restaurant-pte-ltd,2023-03-10,"Background  The Personal Data Protection Commission (the “Commission”) was notified by Pu Tien Restaurant Pte Ltd (the ""Organisation"") on 6 December 2021 that it was subject to a ransomware attack on 24 November 2021. A threat actor used stolen administrator account credentials to enter the Organisation's network through a remote desktop protocol port. As a result, its servers containing personal data were accessed and encrypted by ransomware. 350 employees' personal data were encrypted. The personal data included full names, contact numbers, NRIC, work permit, passport numbers, birth certificate and education certificate images, and bank account numbers. The Commission noted that there was no evidence of exfiltration of the personal data. Remedial Actions To prevent a recurrence of a similar incident, the Organisation took immediate remedial action to address the cause of the personal data breach. 
These include: (a) Development of policies and procedures in relation to IT security, cyber hygiene, protection, prevention of leakage and secure disposal of data and incident response; (b) Implementation of security measures such as anti-virus software, firewall, multi-factor authentication, data encryption, access control, updates, and data backups; (c) Conduct of IT audit reviews on: (i) Computer devices, hardware and software assets to ensure software and operating systems were updated and patched; (ii) User accounts to ensure all rights assigned were necessary; and (d) Conduct of cyber and data protection awareness training for key employees who handle personal data. Undertaking  Having considered the circumstances of the case, including the remedial steps taken by the Organisation, the Commission accepted an undertaking from the Organisation to improve its compliance with the Personal Data Protection Act (2012). The undertaking was executed on 28 July 2022 (the ""Undertaking"").  The organisation has since updated the Commission that it has fully implemented its remediation plan. The Commission has reviewed the matter and determined that the Organisation has complied with the terms of the Undertaking. Please click here to view the Undertaking.",https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/undertakings/undertaking---pu-tien-restaurant-pte-ltd.pdf,"WRITTEN VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Personal Data Protection Commission or its delegates pursuant to section 48L(1) of the PDPA, by: Pu Tien Restaurant Pte Ltd UEN: 200001660W Registered Address: 127 Kitchener Road, Singapore 208514 (hereinafter referred to as the “Organisation”). By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. 
DEFINITIONS In this Undertaking: (a) “PDPA” means the Personal Data Protection Act 2012; and (b) “Relevant Provisions” means the provisions in Parts III, IV, V, VI, VIA and IX, and section 48B(1) of the PDPA. 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) The Commission has carried out investigations into certain acts and practices of the Organisation, and has reason to believe that the Organisation has not complied, is not complying, or is likely not to comply with one or more of the Relevant Provisions. The relevant facts and circumstances are summarised at Schedule A. (b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to issue directions under sections 48I or 48J of the PDPA. (c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation appears ready to implement or is in the midst of implementing the steps set out in Schedule B. (d) Having carefully considered all the relevant facts and circumstances, the Commission takes the view that this is an appropriate case in which an Undertaking may be accepted. 2.2 The Organisation also acknowledges and agrees that the Commission may publish and make publicly available this Undertaking, and without limitation to the foregoing, the Commission may issue public statements referring to this Undertaking and/or its contents in whole or in part. 3. 
UNDERTAKINGS The Organisation undertakes that it has taken, or will take all necessary steps, to carry out the actions or refrain from carrying out the actions referred to in Schedule B, and where applicable, in accordance with the stipulated timelines. 4. COMMENCEMENT This Undertaking shall take effect upon the acceptance by the Commission of the Organisation’s duly executed Undertaking. 5. THE COMMISSION’S STATUTORY POWERS 5.1 In order to provide the Organisation with an opportunity to complete all necessary steps to implement its undertakings set out in clause 3 above, the Commission will exercise its powers under section 50(3)(ca) of the PDPA to suspend the investigations referred to in clause 2 on the date the Undertaking takes effect as set out in clause 4.1. 5.2 The Organisation acknowledges that the Commission will verify the Organisation’s compliance with its undertakings set out in clause 3 above, and if necessary, will exercise its powers under the Ninth Schedule of the PDPA to do so. 5.3 Clause 5.1 above shall be without prejudice to the Commission’s statutory powers to conduct or resume, at any time, the investigations referred to in clause 2 above if it thinks fit, including but not limited to the situation where the Organisation fails to comply with this Undertaking or part thereof in relation to any matter. 5.4 Nothing in this Undertaking, including the Commission’s acceptance of the Undertaking, is intended to, or shall, fetter or constrain the Commission’s rights and statutory powers (including but not limited to those under sections 48I, 48J, 48L(4) and 50 of the PDPA) in any manner. Neither shall be construed as creating any anticipation or expectation that the Commission will take or not take any particular course of action in the future (whether in the present case or in respect of any other case concerning a breach or suspected breach of the PDPA). 
The acceptance of this Undertaking is strictly confined to the particular facts of the present case, and is made on the basis of the representations and information provided by the Organisation. The acceptance of an Undertaking in this case shall not be construed as establishing any precedent. 6. VARIATION This Undertaking may be varied only with the express written agreement of the Commission. This document has been electronically signed. The Parties hereby affirm that the electronic signatures have been affixed with the due authorisation of each Party and that Parties intend for the electronic signatures to carry the same weight, effect and meaning as hand-signed wet-ink signatures. SIGNED, for and on behalf of ) PU TIEN RESTAURANT PTE LTD ) By the following: ) Name: ______________________________________ ) Designation: _________________________________ ) Date: _______________________________________ ) ACCEPTED by ) ) Name: ______________________________________ ) Designation: Deputy Commissioner Personal Data Protection ) Date: _______________________________________ ) SCHEDULE A SUMMARY OF FACTS 1. The Personal Data Protection Commission (the “Commission”) was notified by Pu Tien Restaurant Pte Ltd (the “Organisation”) on 6 December 2021 that it was subject to a ransomware attack on 24 November 2021. A threat actor used stolen administrator account credentials to enter the Organisation’s network through a remote desktop protocol port. As a result, its servers containing personal data were accessed and encrypted by ransomware. 2. 350 employees’ personal data were encrypted. The personal data included full names, contact numbers, NRIC, work permit, passport numbers, birth certificate and education certificate images, and bank account numbers. The Commission noted that there was no evidence of exfiltration of the personal data. 3. 
To prevent a recurrence of a similar incident, the Organisation took immediate remedial action to address the cause of the personal data breach. SCHEDULE B Accountability – Governance, Policies and Procedures (S/N, Remediation Step, Completion Date/Target Completion Date): 1. Appoint a Data Protection Officer. Completed in May 2022. 2. Develop an IT Security policy comprising: • Secure management of accounts and passwords, user authentication, management of physical access to assets; • Authorisation process to onboard new hardware and software. Completed in June 2022. 3. Develop cyber hygiene practices and guidelines for employees to adopt in their day-to-day operations. To be completed by January 2023. 4. Develop and implement practices and guidelines on how data is managed securely, including: • Protection of data; • Prevention of leakage of data by employees; • Secure disposal of data. To be completed by Q1 2023. 5. Develop and implement practices and guidelines on incident response. To be completed by January 2023. 
Staff Training and Communications (S/N, Remediation Step, Completion Date/Target Completion Date): 1. Mandate the staff to complete the PDPA E-learning. To be completed by December 2022. 2. Identify and facilitate key personnel to attend PDPC courses (e.g. Fundamentals of the PDPA 2020). To be completed by December 2022. 3. Provide cybersecurity awareness training for employees in the organisation, minimally covering these topics: • Protect yourself from phishing; • Set strong passphrases and protect them; • Protect your corporate and/or personal devices (used for work); • Report cyber incidents; • Handle and disclose business-critical data carefully; • Work onsite and telecommute in a secure manner. To be completed by January 2023. 
Data Security Practices (S/N, Remediation Step, Completion Date/Target Completion Date): 1. Subscribe to MS365 Premium license and configure with: • Microsoft Defender; • MFA; • Encryption; • Appropriate folder permissions in SharePoint. Completed in December 2021. 2. Install an on-premises server with hybrid connectivity to cloud servers and configure access control on: • Password policy; • Network control limitation; • Windows patch updates; • File transfer encryption. To be completed by September 2022. 3. Configure data encryption in transit for: • HTTPS secure internal web access; • SFTP (for POS system file transfer); • Change of port access. Completed in June 2022. 4. Subscribe to TrendMicro Cloud Security with the following configurations: • Daily routine scanning of viruses and malware; • Network access limitation; • Daily updates to signature files to detect new malware. Completed in May 2022. 5. Subscribe to FortiGate UTM Firewall service with proper configuration of policy and network security. Completed in July 2022; penetration test to be conducted by November 2022. 6. Implement secure configuration for hardware and software assets, including: • Enforcing security configurations or enabling security features for assets and avoiding or updating weak configurations; • Replacing or upgrading insecure configurations and weak protocols; • Turning off features/services that are not used. To be completed by Q1 2023. 7. Install Windows Server Update Services to push critical updates to end user devices. To be completed by September 2022. 8. Subscribe to Acronis Cloud backup and configure with daily incremental backups and weekly full backups. To be completed by October 2022. 
Review (S/N, Remediation Step, Target Completion Date): 1. Ensure that the latest software updates are installed on devices and systems. To be completed by Q1 2023. 2. Carry out review and update of: • Data protection and security policies; • Configuration settings for hardware and software; • User accounts, to ensure all accounts are active and the rights assigned are necessary; • Incident response plan. To be completed by November 2022. 3. Conduct a refresher on cyber and data protection awareness training for key employees on handling personal data. To be completed by Q1 2023. 4. Conduct phishing simulation exercises to train the employees to be alert. To be completed by Q1 2023. 5. Conduct a table-top exercise to test the cyber and data breach response plan. To be completed by December 2022. 6. Audit the sharing of passwords, such as admin credentials, the public display of post-it notes of passwords, or the storing of passwords in public web folders. To be completed by November 2022. 7. Ensure that regular backups are set up according to the backup policy. Backup media are regularly tested to ensure that the backup data can be recovered and restored. To be completed by October 2022. ",1007 24,eeb6a763909e0c1b882d1b0cfea40fda149e4731,24,Nippon Express Group,https://www.pdpc.gov.sg/Undertakings/Undertaking-by-Nippon-Express-Group,2023-01-13,"Background  The Personal Data Protection Commission (the “Commission”) received data breach notifications on 25 November 2021 from Nippon Express (South Asia & Oceania) Pte Ltd, Nippon Express (Singapore) Pte Ltd, NEX Global Engineering Pte Ltd (“Nippon Express Group”). Nippon Express Group was targeted by a malicious threat actor resulting in several servers and endpoints being encrypted with an unknown ransomware variant. These servers are centrally managed by the Nippon Express (South Asia & Oceania) Pte Ltd (“NESO”) and contained not just the personal data of individuals from NESO, but also the personal data of individuals from Nippon Express (Singapore) Pte Ltd and NEX Global Engineering Pte Ltd.  The personal data of 1,077 individuals was affected. The affected datasets comprised the affected individuals’ name, address, email, NRIC number, contact number, passport numbers, photographs, date of birth, health information and financial information. 
It was established that Nippon Express Group had: (a) Lack of MFA for administrative and remote access to all systems; and (b) Inadequate security reviews to identify vulnerabilities within its infrastructure. Remedial Actions After the incident, as part of a remediation plan, Nippon Express Group had: (a) Implemented MFA for all administrative and remote access; (b) Reviewed Active Directory accounts; (c) Performed an external and internal vulnerability assessment; (d) Ensured all software and operating systems were updated with patches; (e) Ensured the usage of strong passwords; (f) Implemented enterprise-grade anti-virus software; (g) Implemented the 3-2-1 backup rule; and (h) Removed remote access tools. Undertaking  Having considered the circumstances of the case, including the remedial steps taken by Nippon Express Group to improve its personal data protection practices, the Commission accepted an undertaking from Nippon Express Group to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 14 July 2022 (the “Undertaking”). Nippon Express Group has since updated the Commission that it has implemented its remediation plan fully. The Commission has reviewed the matter and determined that Nippon Express Group has complied with the terms of the Undertaking. Please click here to view the Undertaking.",https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Undertakings/Undertaking---Nippon-Express-Group.pdf,"WRITTEN VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Personal Data Protection Commission or its delegates pursuant to section 48L(1) of the PDPA, by: Nippon Express (Singapore) Pte. Ltd. UEN: 197301583G Registered Address: 5C Toh Guan Road East, Singapore 608828 (hereinafter referred to as the “Organisation”). 
By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. DEFINITIONS In this Undertaking: (a) “PDPA” means the Personal Data Protection Act 2012; and (b) “Relevant Provisions” means the provisions in Parts III, IV, V, VI, VIA and IX, and section 48B(1) of the PDPA. 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) The Commission has carried out investigations into certain acts and practices of the Organisation, and has reason to believe that the Organisation has not complied, is not complying, or is likely not to comply with one or more of the Relevant Provisions. The relevant facts and circumstances are summarised at Schedule A. (b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to issue directions under sections 48I or 48J of the PDPA. (c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation appears ready to implement or is in the midst of implementing the steps set out in Schedule B. (d) Having carefully considered all the relevant facts and circumstances, the Commission takes the view that this is an appropriate case in which an Undertaking may be accepted. 
2.2 The Organisation also acknowledges and agrees that the Commission may publish and make publicly available this Undertaking, and without limitation to the foregoing, the Commission may issue public statements referring to this Undertaking and/or its contents in whole or in part. 3. UNDERTAKINGS The Organisation undertakes that it has taken, or will take all necessary steps, to carry out the actions or refrain from carrying out the actions referred to in Schedule B, and where applicable, in accordance with the stipulated timelines. 4. COMMENCEMENT This Undertaking shall take effect upon the acceptance by the Commission of the Organisation’s duly executed Undertaking. 5. THE COMMISSION’S STATUTORY POWERS 5.1 In order to provide the Organisation with an opportunity to complete all necessary steps to implement its undertakings set out in clause 3 above, the Commission will exercise its powers under section 50(3)(ca) of the PDPA to suspend the investigations referred to in clause 2 on the date the Undertaking takes effect as set out in clause 4.1. 5.2 The Organisation acknowledges that the Commission will verify the Organisation’s compliance with its undertakings set out in clause 3 above, and if necessary, will exercise its powers under the Ninth Schedule of the PDPA to do so. 5.3 Clause 5.1 above shall be without prejudice to the Commission’s statutory powers to conduct or resume, at any time, the investigations referred to in clause 2 above if it thinks fit, including but not limited to the situation where the Organisation fails to comply with this Undertaking or part thereof in relation to any matter. 5.4 Nothing in this Undertaking, including the Commission’s acceptance of the Undertaking, is intended to, or shall, fetter or constrain the Commission’s rights and statutory powers (including but not limited to those under sections 48I, 48J, 48L(4) and 50 of the PDPA) in any manner. 
Neither shall be construed as creating any anticipation or expectation that the Commission will take or not take any particular course of action in the future (whether in the present case or in respect of any other case concerning a breach or suspected breach of the PDPA). The acceptance of this Undertaking is strictly confined to the particular facts of the present case, and is made on the basis of the representations and information provided by the Organisation. The acceptance of an Undertaking in this case shall not be construed as establishing any precedent. 6. VARIATION This Undertaking may be varied only with the express written agreement of the Commission. This document has been electronically signed. The Parties hereby affirm that the electronic signatures have been affixed with the due authorisation of each Party and that Parties intend for the electronic signatures to carry the same weight, effect and meaning as hand-signed wet-ink signatures. SIGNED, for and on behalf of ) Nippon Express (Singapore) Pte. Ltd. ) By the following: ) Name: ______________________________________ ) Designation: _________________________________ ) Date: _______________________________________ ) ACCEPTED by ) ) Name: _______________________________________ ) Designation: Deputy Commissioner Personal Data Protection ) Date: _______________________________________ ) SCHEDULE A SUMMARY OF FACTS 1. On 14 November 2021, the Organisation was targeted by a malicious threat actor resulting in several servers and endpoints being encrypted with an unknown ransomware variant. These servers are centrally managed by Nippon Express (South Asia & Oceania) Pte Ltd and contained not just the personal data of individuals from the Organisation, but also the personal data of individuals from Nippon Express (South Asia & Oceania) Pte Ltd and NEX Global Engineering Pte Ltd. 2. 
As a result of the attack, the personal data of 1,077 individuals including their name, address, telephone numbers, NRIC numbers, passport numbers, photographs, date of birth, health information and financial information were affected. The breakdown is as follows (Number of Affected Individuals): Nippon Express (South Asia & Oceania) Pte Ltd: 51; Nippon Express (Singapore) Pte Ltd: 159; NEX Global Engineering Pte Ltd: 867; Total Affected Individuals: 1077. SCHEDULE B (S/N, Item, Status, Target Completion (MMM-YY)): 1. Implement Multi-Factor Authentication (""MFA"") for all administrative access and all remote access to all systems. Completed. 2. Review Active Directory accounts and delete any accounts that are not directly linked to identified, active employees or necessary service accounts. Revise off-boarding process to include the deactivation of user credentials and permissions. Completed. 3. Perform an external and internal Vulnerability Assessment (""VA"") quarterly to identify and remediate vulnerabilities. The VA should include a cloud environment audit. Perform a penetration test (“PT”) annually and when major changes are performed to the network. In progress; Target Completion 1 October 2022. VA to be repeated quarterly. PT to be repeated annually. 4. Ensure all software and operating systems are regularly updated with patches. In progress; Oct-22. 5. Ensure all staff use stronger passwords for all work systems. Passwords should: • Be completely random and contain a mix of letters, digits, and special characters. • Have a length of at least 8 characters for normal users and at least 20 characters for privileged accounts. • Not be reused on other sites. • Be changed regularly. • Be stored and shared using a password manager if required. • Not be stored in plaintext anywhere else. In progress; Sep-22. 
6. Implement enterprise-grade anti-virus software with strong anti-tamper and anti-ransomware protection on servers and user endpoints and ensure that said software is kept up to date. Completed. 7. Implement the 3-2-1 backup rule: • Keep 3 backup copies of data; • Store 2 backup copies on different storage media (Online & Offline); • Have 1 of the backup copies located offsite. Test the backup recovery process regularly to ensure it works at least once every 3 months. In progress; Oct-22. 8. Remove remote access tools that are no longer in use. Use only one standard remote access protocol. In progress; Oct-22. ",1002 49,17b8d1b0bbf3d03a67eeeed27711aac75c112526,24,Nippon Express Group,https://www.pdpc.gov.sg/undertakings/undertaking-by-nippon-express-group,2023-01-13,"Background  The Personal Data Protection Commission (the “Commission”) received data breach notifications on 25 November 2021 from Nippon Express (South Asia & Oceania) Pte Ltd, Nippon Express (Singapore) Pte Ltd, NEX Global Engineering Pte Ltd (“Nippon Express Group”). Nippon Express Group was targeted by a malicious threat actor resulting in several servers and endpoints being encrypted with an unknown ransomware variant. These servers are centrally managed by the Nippon Express (South Asia & Oceania) Pte Ltd (“NESO”) and contained not just the personal data of individuals from NESO, but also the personal data of individuals from Nippon Express (Singapore) Pte Ltd and NEX Global Engineering Pte Ltd.  The personal data of 1,077 individuals was affected. The affected datasets comprised the affected individuals’ name, address, email, NRIC number, contact number, passport numbers, photographs, date of birth, health information and financial information. It was established that Nippon Express Group had: (a) Lack of MFA for administrative and remote access to all systems; and (b) Inadequate security reviews to identify vulnerabilities within its infrastructure. 
Remedial Actions After the incident, as part of a remediation plan, Nippon Express Group had: (a)  Implemented MFA for all administrative and remote access; (b)  Reviewed Active Directory accounts; (c)  Performed an external and internal vulnerability assessment; (d)  Ensured all software and operating systems updated with patches; (e)  Ensured the usage of strong passwords; (f)  Implemented enterprise-grade anti-virus software; (g)  Implemented 3-2-1 backup rule; and (h)  Remove remote access tools. Undertaking  Having considered the circumstances of the case, including the remedial steps taken by Nippon Express Group to improve its personal data protection practices, the Commission accepted an undertaking from Nippon Express Group to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 14 July 2022 (the “Undertaking”). Nippon Express Group has since updated the Commission that it has implemented its remediation plan fully. The Commission has reviewed the matter and determined that Nippon Express Group has complied with the terms of the Undertaking. Please click here to view the Undertaking.",https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/undertakings/undertaking---nippon-express-group.pdf,"WRITTEN VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Personal Data Protection Commission or its delegates pursuant to section 48L(1) of the PDPA, by: Nippon Express (Singapore) Pte. Ltd. UEN: 197301583G Registered Address: 5C Toh Guan Road East, Singapore 608828 (hereinafter referred to as the “Organisation”). By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. 
DEFINITIONS In this Undertaking: (a) “PDPA” means the Personal Data Protection Act 2012; and (b) “Relevant Provisions” means the provisions in Parts III, IV, V, VI, VIA and IX, and section 48B(1) of the PDPA. 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) The Commission has carried out investigations into certain acts and practices of the Organisation, and has reason to believe that the Organisation has not complied, is not complying, or is likely not to comply with one or more of the Relevant Provisions. The relevant facts and circumstances are summarised at Schedule A. (b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to issue directions under sections 48I or 48J of the PDPA. Page 1 of 9 (c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation appears ready to implement or is in the midst of implementing the steps set out in Schedule B. (d) Having carefully considered all the relevant facts and circumstances, the Commission takes the view that this is an appropriate case in which an Undertaking may be accepted. 2.2 The Organisation also acknowledges and agrees that the Commission may publish and make publicly available this Undertaking, and without limitation to the foregoing, the Commission may issue public statements referring to this Undertaking and/or its contents in whole or in part. 3. 
UNDERTAKINGS The Organisation undertakes that it has taken, or will take all necessary steps, to carry out the actions or refrain from carrying out the actions referred to in Schedule B, and where applicable, in accordance with the stipulated timelines. 4. COMMENCEMENT This Undertaking shall take effect upon the acceptance by the Commission of the Organisation’s duly executed Undertaking. 5. THE COMMISSION’S STATUTORY POWERS 5.1 In order to provide the Organisation with an opportunity to complete all necessary steps to implement its undertakings set out in clause 3 above, the Commission will exercise its powers under section 50(3)(ca) of the PDPA to suspend the investigations referred to in clause 2 on the date the Undertaking takes effect as set out in clause 4.1. 5.2 The Organisation acknowledges that the Commission will verify the Organisation’s compliance with its undertakings set out in clause 3 above, and if necessary, will exercise its powers under the Ninth Schedule of the PDPA to do so. Page 2 of 9 5.3 Clause 5.1 above shall be without prejudice to the Commission’s statutory powers to conduct or resume, at any time, the investigations referred to in clause 2 above if it thinks fit, including but not limited to the situation where the Organisation fails to comply with this Undertaking or part thereof in relation to any matter. 5.4 Nothing in this Undertaking, including the Commission’s acceptance of the Undertaking, is intended to, or shall, fetter or constrain the Commission’s rights and statutory powers (including but not limited to those under sections 48I, 48J, 48L(4) and 50 of the PDPA) in any manner. Neither shall be construed as creating any anticipation or expectation that the Commission will take or not take any particular course of action in the future (whether in the present case or in respect of any other case concerning a breach or suspected breach of the PDPA). 
The acceptance of this Undertaking is strictly confined to the particular facts of the present case, and is made on the basis of the representations and information provided by the Organisation. The acceptance of an Undertaking in this case shall not be construed as establishing any precedent. 6. VARIATION This Undertaking may be varied only with the express written agreement of the Commission. This document has been electronically signed. The Parties hereby affirm that the electronic signatures have been affixed with the due authorisation of each Party and that Parties intend for the electronic signatures to carry the same weight, effect and meaning as hand-signed wet-ink signatures. SIGNED, for and on behalf of ) Nippon Express (Singapore) Pte. Ltd. ) By the following: ) Name: ______________________________________ ) Designation: _________________________________ ) Date: _______________________________________ ) Page 3 of 9 ACCEPTED by ) ) Name: _______________________________________ ) Designation: Deputy Commissioner Personal Data Protection ) Date: _______________________________________ ) Page 4 of 9 SCHEDULE A Page 5 of 9 SUMMARY OF FACTS 1. On 14 November 2021, the Organisation was targeted by a malicious threat actor resulting in several servers and endpoints being encrypted with an unknown ransomware variant. These servers are centrally managed by Nippon Express (South Asia & Oceania) Pte Ltd and contained not just the personal data of individuals from the Organisation, but also the personal data of individuals from Nippon Express (South Asia & Oceania) Pte Ltd and NEX Global Engineering Pte Ltd. 2. As a result of the attack, the personal data of 1,077 individuals including their name, address, telephone numbers, NRIC numbers, passport numbers, photographs, date of birth, health information and financial information were affected. 
The breakdown is as follows:
Number of Affected Individuals
Nippon Express (South Asia & Oceania) Pte Ltd: 51
Nippon Express (Singapore) Pte Ltd: 159
NEX Global Engineering Pte Ltd: 867
Total Affected Individuals: 1077
SCHEDULE B
S/N | Item | Status | Target Completion (MMM-YY)
1 | Implement Multi-Factor Authentication (""MFA"") for all administrative access and all remote access to all systems. | Completed | -
2 | Review Active Directory accounts and delete any accounts that are not directly linked to identified, active employees or necessary service accounts. Revise off-boarding process to include the deactivation of user credentials and permissions. | Completed | -
3 | Perform an external and internal Vulnerability Assessment (""VA"") quarterly to identify and remediate vulnerabilities. The VA should include a cloud environment audit. Perform a penetration test (“PT”) annually and when major changes are performed to the network. | In progress | Target Completion 1 October 2022. VA to be repeated quarterly. PT to be repeated annually.
4 | Ensure all software and operating systems are regularly updated with patches. | In progress | Oct-22
5 | Ensure all staff use stronger passwords for all work systems. Passwords should: • Be completely random and contain a mix of letters, digits, and special characters. • Have a length of at least 8 characters for normal users and at least 20 characters for privileged accounts. • Not be reused on other sites. • Be changed regularly. • Be stored and shared using a password manager if required. • Not be stored in plaintext anywhere else. | In progress | Sep-22
6 | Implement enterprise-grade anti-virus software with strong anti-tamper and anti-ransomware protection on servers and user endpoints and ensure that said software is kept up to date. | Completed | -
7 | Implement the 3-2-1 backup rule: • Keep 3 backup copies of data • Store 2 backup copies on different storage media (Online & Offline) • Have 1 of the backup copies located offsite. Test the backup recovery process regularly to ensure it works at least once every 3 months. | In progress | Oct-22
8 | Remove remote access tools that are no longer in use. Use only one standard remote access protocol. | In progress | Oct-22 ",1007 23,d7f029af024af1727de23ccae3615f3a73010c99,23,Murata Machinery Singapore Pte Ltd,https://www.pdpc.gov.sg/Undertakings/Undertaking-by-Murata-Machinery-Singapore-Pte-Ltd,2022-11-18,"Background  The Personal Data Protection Commission (the “Commission”) received a data breach notification on 1 April 2022 from Murata Machinery Singapore Pte Ltd (“Organisation”) regarding a ransomware attack on its back-end servers on 31 May 2022, causing personal data stored within to be encrypted. The personal data of 200 individuals affected included names, addresses, email addresses, contact numbers, NRIC/FIN and passport numbers, date of birth, salary and bank account numbers. Remedial Actions After the incident, as part of a remediation plan, the Organisation implemented the following: (a) Replaced existing firewall and VPN client with more complete security features; (b) Implemented MFA before re-allowing use of VPN access into its server and a lockout threshold of 5 failed attempts for the VPN clients’ logins as an added security; (c) Restricted Remote Desktop Protocol (“RDP”) as a default setting to disallow remote access to its backend servers on regular days and only allowed RDP for planned maintenance tasks; (d) Implemented automated offline backups of the contents of the server in the form of a tape drive; (e) Implemented regular manual data backup to encrypted hard disks that will be kept under lock and key; (f) Deployed suitable encryption software to encrypt server directories containing personal data; (g) Periodically off-load low use personal data to an encrypted external hard disk to be kept under lock and key offline; (h) Engaged vendor to regularly update and maintain its firewall, 
VPN client, to monitor traffic of its IT network for illegal access and to fulfill the following: i. Conduct regular audit to computer devices to ensure software and OS updated and patched; ii. Conduct regular review and audit to domain user accounts and computer devices to cleanup unused accounts; iii. Implemented local administrator password solution for domain user computer devices; and iv. Enforced server message block signing to encrypt traffic between domain user computer devices and backend servers. Undertaking  Having considered the circumstances of the case, including the remedial steps taken by the Organisation, the Commission accepted an undertaking from the Organisation to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 22 August 2022 (the “Undertaking”). The Organisation has since updated the Commission that it has fully implemented its remediation plan. The Commission has reviewed the matter and determined that the Organisation has complied with the terms of the Undertaking. Please click here to view the Undertaking.",https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/undertakings/undertaking---murata-machinery-singapore-pte-ltd.pdf,"WRITTEN VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Personal Data Protection Commission or its delegates pursuant to section 48L(1) of the PDPA, by: MURATA MACHINERY SINGAPORE PTE LTD UEN: 198800649D Registered Address: 69 Ubi Crescent #06-01, CES Building Singapore 408561 (hereinafter referred to as the “Organisation”). By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. DEFINITIONS In this Undertaking: (a) “PDPA” means the Personal Data Protection Act 2012; and (b) “Relevant Provisions” means the provisions in Parts III, IV, V, VI, VIA and IX, and section 48B(1) of the PDPA. 2. 
ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) The Commission has carried out investigations into certain acts and practices of the Organisation, and has reason to believe that the Organisation has not complied, is not complying, or is likely not to comply with one or more of the Relevant Provisions. The relevant facts and circumstances are summarised at Schedule A. (b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to issue directions under sections 48I or 48J of the PDPA. (c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation appears ready to implement or is in the midst of implementing the steps set out in Schedule B. (d) Having carefully considered all the relevant facts and circumstances, the Commission takes the view that this is an appropriate case in which an Undertaking may be accepted. 2.2 The Organisation also acknowledges and agrees that the Commission may publish and make publicly available this Undertaking, and without limitation to the foregoing, the Commission may issue public statements referring to this Undertaking and/or its contents in whole or in part. 3. UNDERTAKINGS The Organisation undertakes that it has taken, or will take all necessary steps, to carry out the actions or refrain from carrying out the actions referred to in Schedule B, and where applicable, in accordance with the stipulated timelines. 4. COMMENCEMENT This Undertaking shall take effect upon the acceptance by the Commission of the Organisation’s duly executed Undertaking. 5. 
THE COMMISSION’S STATUTORY POWERS 5.1 In order to provide the Organisation with an opportunity to complete all necessary steps to implement its undertakings set out in clause 3 above, the Commission will exercise its powers under section 50(3)(ca) of the PDPA to suspend the investigations referred to in clause 2 on the date the Undertaking takes effect as set out in clause 4.1. 5.2 The Organisation acknowledges that the Commission will verify the Organisation’s compliance with its undertakings set out in clause 3 above, and if necessary, will exercise its powers under the Ninth Schedule of the PDPA to do so. 5.3 Clause 5.1 above shall be without prejudice to the Commission’s statutory powers to conduct or resume, at any time, the investigations referred to in clause 2 above if it thinks fit, including but not limited to the situation where the Organisation fails to comply with this Undertaking or part thereof in relation to any matter. 5.4 Nothing in this Undertaking, including the Commission’s acceptance of the Undertaking, is intended to, or shall, fetter or constrain the Commission’s rights and statutory powers (including but not limited to those under sections 48I, 48J, 48L(4) and 50 of the PDPA) in any manner. Neither shall be construed as creating any anticipation or expectation that the Commission will take or not take any particular course of action in the future (whether in the present case or in respect of any other case concerning a breach or suspected breach of the PDPA). The acceptance of this Undertaking is strictly confined to the particular facts of the present case, and is made on the basis of the representations and information provided by the Organisation. The acceptance of an Undertaking in this case shall not be construed as establishing any precedent. 6. VARIATION This Undertaking may be varied only with the express written agreement of the Commission. This document has been electronically signed. 
The Parties hereby affirm that the electronic signatures have been affixed with the due authorisation of each Party and that Parties intend for the electronic signatures to carry the same weight, effect and meaning as hand-signed wet-ink signatures. SIGNED, for and on behalf of ) MURATA MACHINERY SINGAPORE PTE LTD ) By the following: ) Name: ______________________________________ ) Designation: _________________________________ ) Date: _______________________________________ ) ACCEPTED by ) ) Name: ______________________________________ ) Designation: Deputy Commissioner Personal Data Protection ) Date: _______________________________________ ) SCHEDULE A SUMMARY OF FACTS 1. On 1 April 2022, the PDPC was informed that the Organisation had suffered from a ransomware attack on its back-end servers on 31 May 2022, causing personal data stored within to be encrypted. 2. The personal data of 220 individuals affected included their names, addresses, email addresses, contact numbers, NRIC/FIN and passport numbers, date of birth, salary and bank account numbers. 3. To prevent a recurrence, the Organisation took immediate remedial action to address the cause of the personal data breach. SCHEDULE B REMEDIATION PLAN S/N Key Weaknesses 1 Lack of regular updates to the firmware of its firewall and VPN client 2 Usage of VPN client without multi-factor authentication (“MFA”) Remedial Actions/Measures a. Replace existing firewall and VPN client with more complete security features b. Engage vendor to regularly update and maintain its firewall and VPN client a. Implement MFA before re-allowing use of VPN access into its server. The MFA will either be a virtual token tied to the end-user’s mobile phone, or an email passcode sent to the company’s email address b. 
Implement a lockout threshold of 5 failed attempts for the VPN clients’ logins as an added security 3 4 By 1 August 2022 By 30 September 2022 Once VPN use is restored Lack of regular monitoring of the IT network to detect any illegal access a. Engaging vendor to monitor traffic of its IT network for illegal access. By 1 August 2022 b. Plan to restrict Remote Desktop Protocol (RDP) as a default setting to disallow remote access to its backend servers on regular days; and only allowed RDP for planned maintenance tasks By 1 July 2022 Insufficient offline backups for contents hosted on the server a. Implement automated offline backups of the contents of the server in the form of a tape drive b. Implement regular manual data backup to encrypted hard disks that will be kept under lock and key. 5 Completion Date By 30 September 2022 Lack of proper encryption implementation on files on the servers a. Source for suitable encryption software to encrypt server directories containing personal data By 30 September 2022 By 30 September 2022 6 Storage of Personal data with low frequency of use on servers a. Periodically off-load low use personal data to an encrypted external hard disk to be kept under lock and key offline By 1 July 2022 7 Additional actions towards existing IT security measures a. Engage external vendor to fulfil the following: By 1 August 2022 i. Conduct regular audit to its computer devices to ensure essential software and OS updates and patches are properly installed. ii. Conduct regular review and audit to the domain user accounts and computer devices to cleanup unused accounts. iii. Implement local administrator password solution for domain user computer devices. iv. Enforce server message block signing to encrypt traffic between domain user computer devices and backend servers ",1007 20,89521865a019db28d43debbcbc497fcf4fa9a27e,20,"“K” Line Pte Ltd, ""K"" Line Ship Management (Singapore) Pte. 
Ltd., and “K” Line (Singapore) Pte Ltd",https://www.pdpc.gov.sg/undertakings/undertaking-by-k-line-pte-ltd-k-line-ship-management-singapore-pte-ltd-and-k-line-singapore-pte-ltd,2022-08-11,"Background  On 3 April 2021, “K” Line Pte Ltd, ""K"" Line Ship Management (Singapore) Pte. Ltd., and “K” Line (Singapore) Pte Ltd (the “Organisations”) notified the Personal Data Protection Commission (the “Commission”) that they had been subjected to malware attacks. These three related Organisations are Singapore registered subsidiaries of Kawasaki Kisen Kaisha Ltd, a foreign registered holding company. On 18 March 2021, the Organisations were informed of a cyber incident by an overseas affiliate, also a subsidiary of Kawasaki Kisen Kaisha Ltd. An account belonging to the affiliate, which had high privilege and access rights was compromised in the incident. The compromised account was then used to launch malware attacks on the Organisations’ IT environment in Singapore. In total, the personal data of about 2,148 individuals, which included the current and ex-employees and scholarship applicants, from these three Organisations was affected. The personal data included the name, address, NRIC number, passport number, nationality, photograph, family details, medical information and bank account number. Remedial Actions After the incident, as part of a remediation plan, the Organisations: (a) Reinforced the use of built-in password protection capability for sensitive documents and use of desktop encryption tool by all staff. 
The Organisations also supplemented existing email reminders on cybersecurity best practices with regimented user awareness training; (b) Reviewed the Access Control List for network traffic between the Organisations and their affiliates; (c) Reviewed the administrative rights and access of the servers between the Organisations and their affiliates; (d) Changed their password policy settings and a global exercise to update all users and system account credential; (e) Employed cybersecurity analyst to perform Security alerts triage and IT security projects; (f) Implemented 2FA for servers remote access; (g) Implemented 2FA for remote access by user via Virtual Private Network (VPN); (h) Conducted a threat analysis of the Organisation group companies’ active directory, servers and client PCs that are connected to the Organisation’s network; (i) Deployed threat detection tools; (j) Implemented an e-Learning program; (k) Established a service agreement with a security vendor for 24/7 Managed, Detect & Response (MDR); (l) Implemented vulnerability testing on IT systems to be conducted by a security vendor; (m) Implemented system hardening and USB enforcement; (n) Implemented encryption solution to protect its database and file system; (o) Expanded firewall capability to perform scanning on encrypted network packet, mitigate potential malicious payload hiding under HTTPS encrypted traffic; and (p) Engaged external consultant to provide cybersecurity awareness campaign to increase general workforce awareness and knowledge to handle cyber risks. Undertaking  Having considered the circumstances of the case, including the comprehensive remedial steps taken by the Organisations to improve their data protection practices, the Commission accepted an undertaking from the Organisations to improve their compliance with the Personal Data Protection Act 2012. The undertakings were executed on 8 September 2021 (the “Undertakings”). 
The Organisations have since updated the Commission that they have completed the implementation of their remediation plan. The Commission has reviewed the matter and determined that the Organisations have complied with the terms of the Undertakings. Please click here, here and here to view the Undertakings.",https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/undertakings/undertaking-for-k-line-pte-ltd.pdf,"WRITTEN VOLUNTARY UNDERTAKING TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Personal Data Protection Commission or its delegates pursuant to section 48L(1) of the PDPA, by: UEN: 199902703D Registered Address: 1 Wallich Street #07-01 Guoco Tower Singapore 078881 Organisation By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. DEFINITIONS 1.1 In this Undertaking: (a) PDPA means the Personal Data Protection Act 2012 (No. 26 of 2012); and (b) Relevant Provisions and IX, and section 48B(1) of the PDPA. 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) The Commission has carried out investigations into certain acts and practices of the Organisation, and has reason to believe that the Organisation has not complied, is not complying, or is likely not to comply with one or more of the Relevant Provisions. The relevant facts and circumstances are summarised at Schedule A. (b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to issue directions under sections 48I or 48J of the PDPA. 1 (c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. 
The Commission further recognises that the Organisation appears ready to implement or is in the midst of implementing the steps set out in Schedule B. (d) Having carefully considered all the relevant facts and circumstances, the Commission takes the view that this is an appropriate case in which an Undertaking may be accepted. 2.2 The Organisation also acknowledges and agrees that the Commission may publish and make publicly available this Undertaking, and without limitation to the foregoing, the Commission may issue public statements referring to this Undertaking and/or its contents in whole or in part. 3. UNDERTAKINGS 3.1 The Organisation undertakes that it has taken, or will take all necessary steps, to carry out the actions or refrain from carrying out the actions referred to in Schedule B, and where applicable, in accordance with the stipulated timelines. 4. COMMENCEMENT 4.1 This Undertaking shall take effect upon the acceptance by the Commission of duly executed Undertaking. 5. 5.1 In order to provide the Organisation with an opportunity to complete all necessary steps to implement its undertakings set out in clause 3 above, the Commission will exercise its powers under section 50(3)(ca) of the PDPA to suspend the investigations referred to in clause 2 on the date the Undertaking takes effect as set out in clause 4.1. 5.2 The Organisation acknowledges that the Commission will verify the 3 above, and if necessary, will exercise its powers under the Ninth Schedule of the PDPA to do so. 2 5.3 powers to conduct or resume, at any time, the investigations referred to in clause 2 above if it thinks fit, including but not limited to the situation where the Organisation fails to comply with this Undertaking or part thereof in relation to any matter. 5.4 Nothing in this Undertaking Undertaking, is intended to, or shall, fetter or constrain the and statutory powers (including but not limited to those under sections 48I, 48J, 48L(4) and 50 of the PDPA) in any manner. 
Neither shall be construed as creating any anticipation or expectation that the Commission will take or not take any particular course of action in the future (whether in the present case or in respect of any other case concerning a breach or suspected breach of the PDPA). The acceptance of this Undertaking is strictly confined to the particular facts of the present case, and is made on the basis of the representations and information provided by the Organisation. The acceptance of an Undertaking in this case shall not be construed as establishing any precedent. 6. VARIATION 6.1 This Undertaking may be varied only with the express written agreement of the Commission. This document has been electronically signed. The Parties hereby affirm that the electronic signatures have been affixed with the due authorisation of each Party and that Parties intend for the electronic signatures to carry the same weight, effect and meaning as hand-signed wet-ink signatures. SIGNED, for and on behalf of ) ) By the following: ) Name: ______________________________________ ) Designation: _________________________________ ) Date: _______________________________________ ) 3 ACCEPTED by ) ) Name: ______________________________________ ) Designation: Deputy Commissioner Personal Data Protection ) Date: _______________________________________ ) 4 SCHEDULE A 5 SUMMARY OF FACTS 1. On 18 March 2021, the Organisation was informed of a cyber incident involving an overseas affiliate. An account belonging to the affiliate which had high privilege and access rights was compromised in the incident. The compromised account was then used to lau environment in Singapore. 2. As a result of the attacks, the personal data of 1,564 individuals held by the Organisation and of another 332 individuals which the Organisation was processing on behalf of another affiliate was affected. 
The personal data includes their name, address, NRIC number, passport number, nationality, photograph, family details, medical information, bank account number, and details of lawyers and defendants related to investigation/ proceedings. SCHEDULE B TECHNICAL REMEDIATION PLAN COMPLETED Remediation actions to be undertaken Reinforcing the use of built-in password protection capability for sensitive documents and use of desktop encryption tool by all staff. Review of the Access Control List for network traffic between the Organisation and its affiliates. Date on which such actions were taken and completion date Start Date: 7th April 2021 Completion Date: 9th April 2021 Start Date: 21st March 2021 Completion Date: 22nd March 2021 Review of administrative rights and access of the servers between the Organisation and its affiliates. Start Date: 25th March 2021 Global Account management for all Active Directory Domains in Organisation Group Companies; Start Date: 30th April 2021 Completion Date: 9th April 2021 Change in Password policy settings and a global exercise to update all users and system account credential. Employment of cybersecurity analyst to perform Security alerts triage, IT security projects. Completion Date: 12th May 2021 for Singapore User account 22nd May 2021 for Singapore Service accounts Start Date: 9th February 2021 Completion Date: 3rd June 2021 (contract of employment signed off) Joining onboard 1st July 2021 2FA implementation for Servers Remote access. Completion Date: 31st July 2021 2FA implementation for Remote access by User via Virtual Private Network (VPN) connection. Completion Date: 21st July 2021 Microsoft Cyber Incident Response service led Completion Date: 27th July 2021 - a. 
Conduct a threat analysis of the Organisation client PCs that are connected to the b deployed throughout Organisation group Global Cyber E-Learning Program by the Completion Date: 5th August 2021 IN PROGRESS Remediation actions to be undertaken Established a possible service agreement with Security vendors for 24/7 Managed, Detect & Response (MDR). Dates on which such actions were taken/ are targeted to be taken Planned to go into production: October 2021 Vulnerability testing on IT systems by Security vendor. Planned: September 2021 System Hardening. USB Enforcement. Planned: September 2021 October 2021 Planned: September October 2021 Encryption Solution to protect Database and File System. Planned to go into production: End December 2021 Expand Firewall capability to perform scanning on encrypted network packet, mitigate potential malicious payload hiding under HTTPS encrypted traffics. Planned to production: October 2021 Engagement of External Consultant to provide cybersecurity Awareness campaign to increase general workforce awareness, knowledge to handle Cyber risks. Planned to start: August 2021 POLICIES/ PROCESSES REMEDIATION PLAN COMPLETED Remediation actions to be undertaken Engagement of external consultant to take on the appointment of the Data Protection Officer and to review and oversee the internal policies/processes of the Organisation relating to personal data. IN PROGRESS Remediation actions to be undertaken A review and update of the internal policies/ processes of the Organisation relating to the personal data, which include but are not limited to ensuring the proper documentation of the processes and retention policies and enhancing training for all staff on the data protection obligations. Follow up audit on the new processes. Date on which such actions were taken and completion date Completed on 24th June 2021 Commencement Date/ Completion Date In progress of review. 
Estimated Completion Date: 30th September 2021 By 31st December 2021 ",1007 21,3b6031c255fe17dc08c3d6aa9abe1619103bed59,21,Inmagine Lab Pte Ltd,https://www.pdpc.gov.sg/Undertakings/Undertaking%20by%20Inmagine%20Lab%20Pte%20Ltd,2022-08-11,"Background  The Personal Data Protection Commission (the “Commission”) received two data breach notifications on 13 November 2020 and 26 January 2021 from Inmagine Lab Pte Ltd (“Organisation”) regarding unauthorised access to two of its websites that took place on or about 22 March 2020 and 7 October 2020 respectively. The personal data from the websites had been exfiltrated. The datasets affected included the names, addresses, email addresses and phone numbers. It was established that the Organisation (a) lacked sufficiently robust security assessment policy, log retention policy and asset management processes, (b) had no intrusion detection or prevention systems in place and (c) operated on an outdated operating system. Remedial Actions After the incident, as part of a remediation plan, the Organisation implemented the following: (a) Developed a vulnerability assessment policy; (b) Developed an incident response plan; (c) Reviewed its log retention policy; (d) Created an asset list for the tracking of an inventory of its systems; (e) Implemented intrusion, detection and prevention systems; (f) Reviewed, compiled and updated all its systems to the latest operating system; and (g) Adopted additional security such as two-factor authentication (“2FA”). Undertaking  Having considered the circumstances of the case, including the remedial steps taken by the Organisation, the Commission accepted an undertaking on 23 March 2022 (the “Undertaking”) from the Organisation to improve its compliance with the Personal Data Protection Act 2012. The Undertaking provided that the Organisation was to complete the implementation of its remediation plan. 
This included the development of various policies and implementation of the intrusion, detection and prevention systems. The Organisation has since updated the Commission that it has fully implemented its remediation plan. The Commission has reviewed the matter and determined that the Organisation has complied with the terms of the Undertaking. Please click here to view the Undertaking.",https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/undertakings/undertaking---inmagine-lab-pte-ltd.pdf,"WRITTEN VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Personal Data Protection Commission or its delegates pursuant to section 48L(1) of the PDPA, by: Inmagine Lab Pte Ltd. UEN: 201532639M Registered Address: 11 Collyer Quay #17-00, The Arcade, Singapore 049317 (hereinafter referred to as the “Organisation”). By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. DEFINITIONS 1.1 In this Undertaking: (a) “PDPA” means the Personal Data Protection Act 2012 (No. 26 of 2012); and (b) “Relevant Provisions” means the provisions in Parts III, IV, V, VI, VIA and IX, and section 48B(1) of the PDPA. 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) The Commission has carried out investigations into certain acts and practices of the Organisation, and has reason to believe that the Organisation has not complied, is not complying, or is likely not to comply with one or more of the Relevant Provisions. The relevant facts and circumstances are summarised at Schedule A. (b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to issue directions under sections 48I or 48J of the PDPA. 
(c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation appears ready to implement or is in the midst of implementing the steps set out in Schedule B. (d) Having carefully considered all the relevant facts and circumstances, the Commission takes the view that this is an appropriate case in which an Undertaking may be accepted. 2.2 The Organisation also acknowledges and agrees that the Commission may publish and make publicly available this Undertaking, and without limitation to the foregoing, the Commission may issue public statements referring to this Undertaking and/or its contents in whole or in part. 3. UNDERTAKINGS 3.1 The Organisation undertakes that it has taken, or will take all necessary steps, to carry out the actions or refrain from carrying out the actions referred to in Schedule B, and where applicable, in accordance with the stipulated timelines. 4. COMMENCEMENT 4.1 This Undertaking shall take effect upon the acceptance by the Commission of the Organisation’s duly executed Undertaking. 5. THE COMMISSION’S STATUTORY POWERS 5.1 In order to provide the Organisation with an opportunity to complete all necessary steps to implement its undertakings set out in clause 3 above, the Commission will exercise its powers under section 50(3)(ca) of the PDPA to suspend the investigations referred to in clause 2 on the date the Undertaking takes effect as set out in clause 4.1. 5.2 The Organisation acknowledges that the Commission will verify the Organisation’s compliance with its undertakings set out in clause 3 above, and if necessary, will exercise its powers under the Ninth Schedule of the PDPA to do so. 
5.3 Clause 5.1 above shall be without prejudice to the Commission’s statutory powers to conduct or resume, at any time, the investigations referred to in clause 2 above if it thinks fit, including but not limited to the situation where the Organisation fails to comply with this Undertaking or part thereof in relation to any matter. 5.4 Nothing in this Undertaking, including the Commission’s acceptance of the Undertaking, is intended to, or shall, fetter or constrain the Commission’s rights and statutory powers (including but not limited to those under sections 48I, 48J, 48L(4) and 50 of the PDPA) in any manner. Neither shall be construed as creating any anticipation or expectation that the Commission will take or not take any particular course of action in the future (whether in the present case or in respect of any other case concerning a breach or suspected breach of the PDPA). The acceptance of this Undertaking is strictly confined to the particular facts of the present case, and is made on the basis of the representations and information provided by the Organisation. The acceptance of an Undertaking in this case shall not be construed as establishing any precedent. 6. VARIATION 6.1 This Undertaking may be varied only with the express written agreement of the Commission. This document has been electronically signed. The Parties hereby affirm that the electronic signatures have been affixed with the due authorisation of each Party and that Parties intend for the electronic signatures to carry the same weight, effect and meaning as hand-signed wet-ink signatures. 
SIGNED, for and on behalf of ) Inmagine Lab Pte Ltd ) By the following: ) Name: ______________________________________ ) Designation: _________________________________ ) Date: _______________________________________ ) ACCEPTED by ) ) Name: ______________________________________ ) Designation: Deputy Commissioner Personal Data Protection ) Date: _______________________________________ ) SCHEDULE A SUMMARY OF FACTS 1. On 13 November 2020 and 26 January 2021, PDPC received 2 data breach notifications from the Organisation regarding unauthorised access to 2 of its websites that took place on or about 22 March 2020 and 7 October 2020 respectively. The personal data from the websites had been exfiltrated and was offered for sale on Raidforums (the “Incident”). 2. The name, address, email address, phone number, user ID and hash of password, IP address of first and last login, GeoIP state and country of approximately 6,769,184 individuals was affected as a result of the Incident. SCHEDULE B REMEDIATION PLAN No. Gaps Identified Remediation Plan Target Completion (Date) 1. Inmagine Lab Pte. Ltd. (“ILPL”) did not conduct any security review or audit of the said websites prior to the acquisition. Although the same security and developer teams remained responsible for the websites before and after the acquisition, ILPL failed to ascertain the websites’ security prior to the acquisition. ILPL will draft a Vulnerability Assessment Policy and will abide by it. 5th January 2022 (Completed) ILPL did not have any intrusion detection or prevention detection systems (“IDS/IPS”) in place. ILPL will require log planning to implement any IDS system. 2. The Vulnerability Assessment Policy will outline when and how ILPL’s employees may conduct certain types of security testing, including but not limited to vulnerability, penetration test, tests involving data scraping tools as well as audit prior to the acquisition/transfer of websites. 
June 2022 (On-going) ILPL will look into its current assets/system and identify locations to implement. Also, ILPL will research on available IDS/IPS in order to implement and integrate IDS/IPS into the system through 4 stages: I. Planning; II. Research; III. Implementation; and IV. Testing and monitoring. 3. The log retention policy of the previous owner of the websites, 123RF Limited, was that it only retained logs for a month or less. This was not advisable as these logs could have provided valuable leads in any data breach ILPL will review its current logging locations and strategies as well as look into available logs. ILPL will try out logging solutions in order to pick the best fit that would fit the organization. June 2022 (On-going) investigation. However, ILPL did not review the log retention policy of 123RF Limited. Upon research, ILPL will implement the selected logging solution and revise its log retention policy. Even though some of the system OS had reached their end-of-life, ILPL had failed to update the system OS to the latest versions available. ILPL will review and compile all current assets with outdated or end-of-life OS versions. ILPL did not have a security assessment policy in place to define the frequency and type of testing or scanning of the websites for vulnerabilities, threats or breaches. A thoughtful review of the threat environment, current and future risks, and the value of the targeted environment, would greatly reduce the risks of security breaches. ILPL will draft a Vulnerability Assessment Policy and Incident Response Plan. 6. ILPL did not have in place a systematic asset management process where it maintains an inventory of its assets. 
ILPL will create an asset list that is confidential in nature to keep track of the inventory of its systems, and the asset list will be updated on a regular basis when there are new updates, as well as implementing a periodic review once every quarter to make sure that the asset list is always accurate and up to date. 31st January 2022 (Completed) 7. ILPL should have adopted additional security measures, encrypting the database backup files, or whitelisting the IP addresses that have access to the database. ILPL will adopt additional security measures such as 2FA [redacted for confidentiality]. For its database, access is always restricted, and only certain IP addresses are granted access to the database. [redacted for confidentiality]. 31st January 2022 (Completed) 4. 5. June 2022 (On-going) Once all current assets with outdated or end-of-life OS versions are found, ILPL will identify the latest supported OS versions/software versions that should be updated to through 3 stages: I. Planning; II. Research; and III. Implementation and Testing. 5th January 2022 (Completed) The Incident Response Plan will outline the plan for responding to information security incidents containing the following information: I. Scope; II. Incident Response Methodology; III. Incident Response Phases; IV. Guidelines for the Incident Response Process; and V. Documentation, Tracking and Reporting. ",1007 22,57a6b3c163db1a11cff689cc16cabe4a6eae06cd,22,The National University of Singapore Society,https://www.pdpc.gov.sg/Undertakings/Undertaking%20by%20The%20National%20University%20of%20Singapore%20Society,2022-08-11,"Background  The Personal Data Protection Commission (the “Commission”) received a data breach notification on 8 October 2021 from The National University of Singapore Society (“NUSS”). NUSS stated that its website had been subjected to a SQL injection attack sometime between 6 and 7 October 2021. The personal data of 3,725 individuals was affected. 
The affected datasets comprised the affected individuals’ name, address, email, NRIC number, contact number, gender, date of birth, membership number, marital status, education details and motor vehicle registration number. It was established that NUSS had (a) inadequate knowledge of the web server hosting its website, (b) inadequate security reviews to identify vulnerabilities within its website, (c) lack of clauses within its contract with its vendors to ensure compliance with the PDPA and (d) there had been an overreliance on its IT vendor to maintain the security of the web server hosting its website. Remedial Actions After the incident, as part of a remediation plan, NUSS had: (a) Ensured that no personal data was stored at its web server; (b) Fixed all vulnerabilities identified in its forensics report; (c) Conducted a penetration test; (d) Established checklists, procedures and templates for 3rd party vendors; (e) Migrated its website to a virtual private server; and (f) Revamped its website. Undertaking  Having considered the circumstances of the case, including the remedial steps taken by NUSS to improve its personal data protection practices, the Commission accepted an undertaking from NUSS to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 14 December 2021 (the “Undertaking”). NUSS has since updated the Commission that it has implemented its remediation plan fully. The Commission has reviewed the matter and determined that NUSS has complied with the terms of the Undertaking. 
Please click here to view the Undertaking.",https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/undertakings/undertaking---the-national-university-of-singapore-society.pdf,"WRITTEN VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Personal Data Protection Commission or its delegates pursuant to section 48L(1) of the PDPA, by: The National University of Singapore Society UEN: S61SS0139H Registered Address: Kent Ridge Guild House, 9 Kent Ridge Drive, #01-00 Singapore 119241 (hereinafter referred to as the “Organisation”). By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. DEFINITIONS 1.1 In this Undertaking: (a) “PDPA” means the Personal Data Protection Act 2012 (No. 26 of 2012); and (b) “Relevant Provisions” means the provisions in Parts III, IV, V, VI, VIA and IX, and section 48B(1) of the PDPA. 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) The Commission has carried out investigations into certain acts and practices of the Organisation, and has reason to believe that the Organisation has not complied, is not complying, or is likely not to comply with one or more of the Relevant Provisions. The relevant facts and circumstances are summarised at Schedule A. (b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to issue directions under sections 48I or 48J of the PDPA. (c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. 
The Commission further recognises that the Organisation appears ready to implement or is in the midst of implementing the steps set out in Schedule B. (d) Having carefully considered all the relevant facts and circumstances, the Commission takes the view that this is an appropriate case in which an Undertaking may be accepted. 2.2 The Organisation also acknowledges and agrees that the Commission may publish and make publicly available this Undertaking, and without limitation to the foregoing, the Commission may issue public statements referring to this Undertaking and/or its contents in whole or in part. 3. UNDERTAKINGS 3.1 The Organisation undertakes that it has taken, or will take all necessary steps, to carry out the actions or refrain from carrying out the actions referred to in Schedule B, and where applicable, in accordance with the stipulated timelines. 4. COMMENCEMENT 4.1 This Undertaking shall take effect upon the acceptance by the Commission of the Organisation’s duly executed Undertaking. 5. THE COMMISSION’S STATUTORY POWERS 5.1 In order to provide the Organisation with an opportunity to complete all necessary steps to implement its undertakings set out in clause 3 above, the Commission will exercise its powers under section 50(3)(ca) of the PDPA to suspend the investigations referred to in clause 2 on the date the Undertaking takes effect as set out in clause 4.1. 5.2 The Organisation acknowledges that the Commission will verify the Organisation’s compliance with its undertakings set out in clause 3 above, and if necessary, will exercise its powers under the Ninth Schedule of the PDPA to do so. 5.3 Clause 5.1 above shall be without prejudice to the Commission’s statutory powers to conduct or resume, at any time, the investigations referred to in clause 2 above if it thinks fit, including but not limited to the situation where the Organisation fails to comply with this Undertaking or part thereof in relation to any matter. 
5.4 Nothing in this Undertaking, including the Commission’s acceptance of the Undertaking, is intended to, or shall, fetter or constrain the Commission’s rights and statutory powers (including but not limited to those under sections 48I, 48J, 48L(4) and 50 of the PDPA) in any manner. Neither shall be construed as creating any anticipation or expectation that the Commission will take or not take any particular course of action in the future (whether in the present case or in respect of any other case concerning a breach or suspected breach of the PDPA). The acceptance of this Undertaking is strictly confined to the particular facts of the present case, and is made on the basis of the representations and information provided by the Organisation. The acceptance of an Undertaking in this case shall not be construed as establishing any precedent. 6. VARIATION 6.1 This Undertaking may be varied only with the express written agreement of the Commission. This document has been electronically signed. The Parties hereby affirm that the electronic signatures have been affixed with the due authorisation of each Party and that Parties intend for the electronic signatures to carry the same weight, effect and meaning as hand-signed wet-ink signatures. SIGNED, for and on behalf of ) The National University of Singapore Society ) By the following: ) Name: ______________________________________ ) Designation: _________________________________ ) Date: _______________________________________ ) ACCEPTED by ) ) Name: _____Yeong Zee Kin______________________ ) Designation: Deputy Commissioner / Commissioner Personal Data Protection ) Date: _______________________________________ ) SCHEDULE A SUMMARY OF FACTS 1. On 8 October 2021, the Organisation was made aware by its IT Security Department that records of members of The National University of Singapore Society (“NUSS”) were put on sale in an internet forum. 2. 
NUSS identified that a threat actor had conducted an SQL Injection attack on its website and was able to download all the data contained in 51 data tables. As a result of the attack, the personal data of the Organisation’s approximately 3,725 individuals including their name, NRIC numbers, membership number, marital status, gender, date of birth, nationality, email address, telephone numbers, address, education details, motor vehicle registration details were affected. SCHEDULE B S/N Item Status Target Date of Completion (Month-Year) 1 Ensure no personal data is stored at the webserver end Completed Oct 2021 2 Fix all vulnerabilities as identified in Group-IB’s report In Progress Target to complete by 30 Nov 2021 3 Another penetration test after all vulnerabilities fixed In Progress Target to complete by Q1 2022 4 Ensure all 3rd party vendors have In Progress Target to complete by Q1 2022 a. Compliance to the PDPA b. Proper data protection clauses in contract c. SOPs for handling NUSS personal data 5 Migrate web site from the current share hosting server to a Virtual Private Server (VPS), so that more security set up can be done to the server itself In Progress Target to complete by Q2 2022 6 Revamp the website to adhere to the Open Web Application Security Project (OWASP) guidelines. In Progress Target to complete by Q2 2022 7 Periodic Penetration Test Periodic Periodic ",1007 18,becfe1dac1474b98c6f462c97e0a768bdb5078ee,18,HSL Constructor Pte Ltd,https://www.pdpc.gov.sg/Undertakings/Undertaking%20by%20HSL%20Constructor%20Pte%20Ltd,2022-07-14,"Background  The Personal Data Protection Commission (the “Commission”) was notified by HSL Constructor Pte Ltd (“HSL”) on 7 October 2021 that it was subject to ransomware attack on 30 September 2021. As a result of the attack, 3 of its servers and a Network Attached Storage (“NAS”) were encrypted by ransomware. Personal data of 758 current and former HSL employees were encrypted. 
The personal data included their name, NRIC number, residential address, email address, family information, salary information and medical information. The Commission noted that there was no evidence of exfiltration of the data. It was established that the threat actor(s) had likely gained access to HSL’s network by exploiting the vulnerabilities present in the outdated software used on 2 of its servers, or using compromised credentials. Remedial Actions After the incident, as part of a remediation plan, HSL: (a) Implemented multifactor authentication for all administrator access, for users with administrative privileges, and for accounts with access to sensitive data/ systems; (b) Supplemented existing email reminders on cybersecurity best practices with regimented user awareness training; (c) Decommissioned all servers running Windows Server 2008 R2 and below; (d) Installed endpoint protection on all servers; (e) Patched all servers and firewall; (f) Reset all admin account passwords; and (g) Closed unused ports on its firewall. Undertaking  Having considered the circumstances of the case, including the remedial steps taken by HSL to improve its data protection practices, the Commission accepted an undertaking from HSL to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 31 March 2022 (the “Undertaking”). HSL has since updated the Commission that it has completed the implementation of its remediation plan. The Commission has reviewed the matter and determined that HSL has complied with the terms of the Undertaking. 
Please click here to view the Undertaking.",https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/undertakings/undertaking---hsl-constructor-pte-ltd.pdf,"WRITTEN VOLUNTARY UNDERTAKING TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Personal Data Protection Commission or its delegates pursuant to section 48L(1) of the PDPA, by: HSL Constructor Pte Ltd UEN: 199405996K Registered Address: 42D Penjuru Road, HSL Waterfront @ Penjuru, Singapore 609162 (hereinafter referred to as the “Organisation”). By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. DEFINITIONS 1.1 In this Undertaking: (a) “PDPA” means the Personal Data Protection Act 2012 (No. 26 of 2012); and (b) “Relevant Provisions” means the provisions in Parts III, IV, V, VI, VIA and IX, and section 48B(1) of the PDPA. 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) The Commission has carried out investigations into certain acts and practices of the Organisation, and has reason to believe that the Organisation has not complied, is not complying, or is likely not to comply with one or more of the Relevant Provisions. The relevant facts and circumstances are summarised at Schedule A. (b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to issue directions under sections 48I or 48J of the PDPA. (c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation appears ready to implement or is in the midst of implementing the steps set out in Schedule B. 
(d) Having carefully considered all the relevant facts and circumstances, the Commission takes the view that this is an appropriate case in which an Undertaking may be accepted. 2.2 The Organisation also acknowledges and agrees that the Commission may publish and make publicly available this Undertaking, and without limitation to the foregoing, the Commission may issue public statements referring to this Undertaking and/or its contents in whole or in part. 3. UNDERTAKINGS 3.1 The Organisation undertakes that it has taken, or will take all necessary steps, to carry out the actions or refrain from carrying out the actions referred to in Schedule B, and where applicable, in accordance with the stipulated timelines. 4. COMMENCEMENT 4.1 This Undertaking shall take effect upon the acceptance by the Commission of the Organisation’s duly executed Undertaking. 5. THE COMMISSION’S STATUTORY POWERS 5.1 In order to provide the Organisation with an opportunity to complete all necessary steps to implement its undertakings set out in clause 3 above, the Commission will exercise its powers under section 50(3)(ca) of the PDPA to suspend the investigations referred to in clause 2 on the date the Undertaking takes effect as set out in clause 4.1. 5.2 The Organisation acknowledges that the Commission will verify the Organisation’s compliance with its undertakings set out in clause 3 above, and if necessary, will exercise its powers under the Ninth Schedule of the PDPA to do so. 5.3 Clause 5.1 above shall be without prejudice to the Commission’s statutory powers to conduct or resume, at any time, the investigations referred to in clause 2 above if it thinks fit, including but not limited to the situation where the Organisation fails to comply with this Undertaking or part thereof in relation to any matter. 5.4 Nothing in this Undertaking, including the Commission’s acceptance of the Undertaking, is intended to, or shall, fetter or constrain the Commission’s rights and statutory powers (including but not limited to those under sections 48I, 48J, 48L(4) and 50 of the PDPA) in any manner. 
Neither shall be construed as creating any anticipation or expectation that the Commission will take or not take any particular course of action in the future (whether in the present case or in respect of any other case concerning a breach or suspected breach of the PDPA). The acceptance of this Undertaking is strictly confined to the particular facts of the present case, and is made on the basis of the representations and information provided by the Organisation. The acceptance of an Undertaking in this case shall not be construed as establishing any precedent. 6. VARIATION 6.1 This Undertaking may be varied only with the express written agreement of the Commission. This document has been electronically signed. The Parties hereby affirm that the electronic signatures have been affixed with the due authorisation of each Party and that Parties intend for the electronic signatures to carry the same weight, effect and meaning as hand-signed wet-ink signatures. SIGNED, for and on behalf of ) HSL Constructor Pte Ltd ) By the following: ) Name: ______________________________________ ) Designation: _________________________________ ) Date: _______________________________________ ) ACCEPTED by ) ) Name: ______________________________________ ) Designation: Deputy Commissioner Personal Data Protection ) Date: _______________________________________ ) SCHEDULE A SUMMARY OF FACTS 1. On 30 September 2021, the Organisation was subject to a ransomware attack in which 3 of its servers and a Network Attached Storage (NAS) were encrypted. exploiting the vulnerabilities in the outdated server software used on 2 of its servers, or through the use of compromised credentials. 2. 758 current and former employees were encrypted by ransomware. The personal data included their name, NRIC number, residential address, email address, family information, salary information and medical information. There was no evidence of exfiltration of data. 
SCHEDULE B ",1007 19,b396fef31460c4e600fc74facebb3a9f82f8eeaa,19,Asia Petworld Pte Ltd,https://www.pdpc.gov.sg/Undertakings/Undertaking%20by%20Asia%20Petworld%20Pte%20Ltd,2022-07-14,"Background The Personal Data Protection Commission (the “Commission”) was notified by Asia Petworld Pte. Ltd. (“APPL”) on 8 September 2021 that its systems had been subjected to unauthorized access. The threat actor(s) had deleted APPL’s servers, including its backup servers and backup data, made mass PayPal payments and Airwallex bank transfers from the personal accounts belonging to APPL’s senior management, and potentially accessed employee payroll sheets in an email account belonging to APPL’s senior management. Personal data of about 21,000 customers was potentially disclosed. The personal data affected included their names, addresses, telephone numbers and email addresses. In addition, the personal data of 60 employees was also affected. The personal data included their names, dates of birth, NRIC number/FIN, bank account numbers and salaries credited. The Commission noted that APPL has since recovered the data via backup, as of 12 July 2021. It was established that APPL did not have adequate processes in place to protect the personal data in its possession. Remedial Actions After the incident, as part of a remediation plan, APPL: (a) reformatted each PC and desktop in its warehouse and office and installed a clean Windows 10 environment; (b) reset all Windows passwords and implemented a password length of at least 20 characters with complexity requirements. Users were also reminded not to store passwords in plain text. 
Further, APPL also applied a password on documents containing personal data when transmitted over the internet; (c) enabled 2FA on all available applications and services; (d) implemented staff training to enhance knowledge in personal data, safety and cyber security knowledge; and (e) hardened system access including enhancing access controls, performing regular patching etc. Undertaking  Having considered the circumstances of the case, including the remedial steps taken by APPL to improve its data protection practices, the Commission accepted an undertaking from APPL to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 20 January 2022 (the “Undertaking”). The Undertaking provided that APPL has to move key applications to another platform for improved security. APPL also had to implement a new web-based system which supports 2FA to ensure a more secure server environment. APPL has since updated the Commission that it has completed the implementation of its remediation plan. The Commission has reviewed the matter and determined that APPL has complied with the terms of the Undertaking. Please click here to view the Undertaking.",https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/undertakings/undertaking-for-asia-petworld-pte-ltd.pdf,"WRITTEN VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Personal Data Protection Commission or its delegates pursuant to section 48L(1) of the PDPA, by: Asia Petworld Pte. Ltd. UEN: 201409741H Registered Address: 2 Woodlands Sector 1, #03-18, Woodlands Spectrum, Singapore 738068 (hereinafter referred to as the “Organisation”). By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. DEFINITIONS 1.1 In this Undertaking: (a) “PDPA” means the Personal Data Protection Act 2012 (No. 
26 of 2012); and (b) “Relevant Provisions” means the provisions in Parts III, IV, V, VI, VIA and IX, and section 48B(1) of the PDPA. 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) The Commission has carried out investigations into certain acts and practices of the Organisation, and has reason to believe that the Organisation has not complied, is not complying, or is likely not to comply with one or more of the Relevant Provisions. The relevant facts and circumstances are summarised at Schedule A. (b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to issue directions under sections 48I or 48J of the PDPA. (c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation appears ready to implement or is in the midst of implementing the steps set out in Schedule B. (d) Having carefully considered all the relevant facts and circumstances, the Commission takes the view that this is an appropriate case in which an Undertaking may be accepted. 2.2 The Organisation also acknowledges and agrees that the Commission may publish and make publicly available this Undertaking, and without limitation to the foregoing, the Commission may issue public statements referring to this Undertaking and/or its contents in whole or in part. 3. UNDERTAKINGS 3.1 The Organisation undertakes that it has taken, or will take all necessary steps, to carry out the actions or refrain from carrying out the actions referred to in Schedule B, and where applicable, in accordance with the stipulated timelines. 4. 
COMMENCEMENT 4.1 This Undertaking shall take effect upon the acceptance by the Commission of the Organisation’s duly executed Undertaking. 5. THE COMMISSION’S STATUTORY POWERS 5.1 In order to provide the Organisation with an opportunity to complete all necessary steps to implement its undertakings set out in clause 3 above, the Commission will exercise its powers under section 50(3)(ca) of the PDPA to suspend the investigations referred to in clause 2 on the date the Undertaking takes effect as set out in clause 4.1. 5.2 The Organisation acknowledges that the Commission will verify the Organisation’s compliance with its undertakings set out in clause 3 above, and if necessary, will exercise its powers under the Ninth Schedule of the PDPA to do so. 5.3 Clause 5.1 above shall be without prejudice to the Commission’s statutory powers to conduct or resume, at any time, the investigations referred to in clause 2 above if it thinks fit, including but not limited to the situation where the Organisation fails to comply with this Undertaking or part thereof in relation to any matter. 5.4 Nothing in this Undertaking, including the Commission’s acceptance of the Undertaking, is intended to, or shall, fetter or constrain the Commission’s rights and statutory powers (including but not limited to those under sections 48I, 48J, 48L(4) and 50 of the PDPA) in any manner. Neither shall be construed as creating any anticipation or expectation that the Commission will take or not take any particular course of action in the future (whether in the present case or in respect of any other case concerning a breach or suspected breach of the PDPA). The acceptance of this Undertaking is strictly confined to the particular facts of the present case, and is made on the basis of the representations and information provided by the Organisation. The acceptance of an Undertaking in this case shall not be construed as establishing any precedent. 6. 
VARIATION 6.1 This Undertaking may be varied only with the express written agreement of the Commission. This document has been electronically signed. The Parties hereby affirm that the electronic signatures have been affixed with the due authorisation of each Party and that Parties intend for the electronic signatures to carry the same weight, effect and meaning as hand-signed wet-ink signatures. SIGNED, for and on behalf of ) Asia Petworld Pte. Ltd. ) By the following: ) Name: ______________________________________ ) Designation: _________________________________ ) Date: _______________________________________ ) ACCEPTED by ) ) Name: ______________________________________ ) Designation: Deputy Commissioner Personal Data Protection ) Date: _______________________________________ ) SCHEDULE A SUMMARY OF FACTS 1. On 8 September 2021, the PDPC received a data breach notification from the Organisation concerning an unauthorised access to its systems (the “Incident”). The threat actor had, amongst others, deleted the Organisation’s servers, including its backup servers and backup data. Consequently, the personal data of up to 21,060 individuals, including the Organisation’s retail customers, former and current employees, were at risk of being accessed and subject to exfiltration. 2. The affected personal data comprised the name, address, telephone number and email address for the retail customers. As for the employees, the affected personal data consisted of name, date of birth, NRIC number or FIN, bank account number and amount(s) paid to them. 3. The Organisation did not receive any feedback from both the retail customers and the employees on this Incident on any actual financial loss and/or mis-use of the affected personal data. It had also taken steps to contain the Incident and put in place measures to prevent recurrence. 
SCHEDULE B REMEDIATION PLAN
S/N | Potential Risk Factors/Improvement Areas | Remedial Actions/Measures | Completion Date
1 | Suspected malware / infected PCs / desktops in the warehouse and office | Reformat of every PC / desktop in the warehouse and office, and installed a clean Windows 10 environment, to ensure removal of all infected environment or PCs | end Aug 2021
2 | PCs / Desktops were infected with malwares, and unauthorised access from the networks | Deployed BitDefender [redacted for confidentiality] Security Suite on every PC / Desktop and servers, to further protect the PCs / Desktops / Servers | 2nd week Aug 2021
3 | Easily hacked passwords on PCs / Windows Login | Compulsory reset of all users' / windows' passwords, and the need for all user password to be at least 20 characters long, with compulsory complexity requirements for passwords to include symbols, numbers, caps, and non-sequential or non-wordlike passwords. Mandatory change passwords every 60 days. Do not store password in plain text anywhere in the computer / network. Apply security password on documents with personal data such as payroll worksheet when transmitted over the internet. | 1st week Aug 2021
4 | User / Windows accounts might have been accessed without the users' knowledge | Enable 2FA on all available applications and services, to ensure that only authorised users are accessing the services assigned to them | 2nd week Aug 2021
5 | As we have employees across the region, and the need for smooth access of the ERP application for these users | Implement [redacted for confidentiality] web remote access users with 2FA - this is to ensure that only the authorised users are able to access their application securely without worry of their applications being accessed by unauthorised users | 2nd week Sep 2021
6 | The need to have more secure server environment | Moving of key applications to [redacted for confidentiality] Web Service for improved security. Implementing a new web based system which also supports 2FA and users won't have to connect to our network. So the network will be completely isolated for staff as they can work directly from the browser to access the ERP system. | 1st week Feb 2022. New ERP is in the testing phase
7 | Suspected less secure firewall at APPL network | Hardening the Firewall security settings at the router level by Allowing only ip's from our staff to access the network and only ports opened are those which are required for the systems to work and connect | 1st week Aug 2021
8 | Suspected unauthorised access remotely by intruders after office hours | Requested all users to shut down all PCs / desktops / workstations at the end of business day | end Aug 2021
9 | Suspected intruders were aware of all the user accounts in APPL | Delete all domain users account and recreate new user IDs, as we need to ensure that the intruders are unable to access these user accounts remotely | 2nd week Sep 2021
10 | Suspected malwares were injected into the network through unauthorised plug-ins of mobile phones or USB drives into PCs/desktops | Locked down all USB ports to prevent use of USB ports | 1st week Aug 2021
11 | Gaps in knowledge on computing and safe use of emails, and proper use of authentication software | Additional staff training for use of internet things. Moved email system to cloud based system [redacted for confidentiality] with 2FA enabled on it. | Sept 30, 2021
12 | HR awareness training in personal data, safety and cyber security knowledge | Scheduled monthly training and updates on 3rd week of each month | October 31, 2021
13 | Strengthen incident response plan, to have tabletop exercise regularly, SOPs on data management and IT management | Appointed [redacted for confidentiality] to be the person in charge to ensure all personnel adhere to APPL SOPs for data and IT management: 1) Login to Windows as domain user 2) Check for Windows Update 3) Login to ERP Software 4) Login to Email on Cloud 5) Check to ensure BitDefender is up-to-date 6) At the end of business day, logoff from ERP, Cloud Email, and shut down Windows | October 31, 2021
14 | Hardening of system access | Enhance systems access controls and hardening of systems (Regular patching, Logs management, Backup process and restoration, etc.) and segregation of duties, tightening privileged accesses and controls | October 31, 2021 ",1007 17,80437a3e17d245bc9ad7e5ce32d0eae6013a26b8,17,Singhealth Polyclinics,https://www.pdpc.gov.sg/Undertakings/Undertaking-by-SingHealth-Polyclinics,2022-06-16,"Background The Personal Data Protection Commission (the “Commission”) was notified by Singhealth Polyclinics (“SHP”) on 31 May 2021 that its courier service provider had misplaced a package containing the GIRO application forms submitted by its patients. Personal data of 87 individuals were affected, namely, names, telephone numbers, NRIC numbers, bank account numbers and transaction payment limits. It was established that SHP did not have processes in place to confirm deliveries of packages by its courier service provider. The loss of the package was only discovered 3 weeks after the incident when SHP checked with the relevant banks on the status of the GIRO applications. 
Remedial Actions After the incident, as part of a remediation plan, SHP: (a) conducted a process review and decided to utilize courier companies with real-time tracking for deliveries of packages with confidential information; (b) worked with relevant banking institutions to provide confirmation of receipt of any SHP parcel within the next working day; and (c) rolled out additional processes to reduce the risk of loss of hardcopy documents. Undertaking Having considered the circumstances of the case, including the remedial steps taken by SHP to improve its data protection practices, the Commission accepted an undertaking from SHP to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 5 August 2021 (the “Undertaking”). The Undertaking provided that SHP has to complete the implementation of its remediation plan by conducting the process review and changing its processes for the handling of GIRO applications. In addition, SHP would also conduct the necessary training for its employees and ensure their compliance with the changes in its policies. SHP has since updated the Commission that it has completed the implementation of its remediation plan. The Commission has reviewed the matter and determined that SHP has complied with the terms of the Undertaking. Please click here to view the Undertaking.",https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Undertakings/Undertaking-for-Singhealth-Polyclinics-2022.pdf,"WRITTEN VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Personal Data Protection Commission or its delegates pursuant to section 48L(1) of the PDPA, by: SingHealth Polyclinics UEN: 52928775K Registered Address: 167 Jalan Bukit Merah #15-10 Connection One, Singapore 150167 (hereinafter referred to as the “Organisation”). 
By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. DEFINITIONS 1.1 In this Undertaking: (a) “PDPA” means the Personal Data Protection Act 2012 (No. 26 of 2012); and (b) “Relevant Provisions” means the provisions in Parts 3, 4, 5, 6, 6A, 6B and 9, and section 48B(1) of the PDPA. 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) The Commission has carried out investigations into certain acts and practices of the Organisation, and has reason to believe that the Organisation has not complied, is not complying, or is likely not to comply with one or more of the Relevant Provisions. The relevant facts and circumstances are summarised at Schedule A. (b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to issue directions under sections 48I or 48J of the PDPA. (c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation appears ready to implement or is in the midst of implementing the steps set out in Schedule B. (d) Having carefully considered all the relevant facts and circumstances, the Commission takes the view that this is an appropriate case in which an Undertaking may be accepted. 2.2 The Organisation also acknowledges and agrees that the Commission may publish and make publicly available this Undertaking, and without limitation to the foregoing, the Commission may issue public statements referring to this Undertaking and/or its contents in whole or in part. 3. 
UNDERTAKINGS 3.1 The Organisation undertakes that it has taken, or will take all necessary steps, to carry out the actions or refrain from carrying out the actions referred to in Schedule B, and where applicable, in accordance with the stipulated timelines. 4. COMMENCEMENT 4.1 This Undertaking shall take effect upon the acceptance by the Commission of the Organisation’s duly executed Undertaking. 5. THE COMMISSION’S STATUTORY POWERS 5.1 In order to provide the Organisation with an opportunity to complete all necessary steps to implement its undertakings set out in clause 3 above, the Commission will exercise its powers under section 50(3)(ca) of the PDPA to suspend the investigations referred to in clause 2 on the date the Undertaking takes effect as set out in clause 4.1. 5.2 The Organisation acknowledges that the Commission will verify the Organisation’s compliance with its undertakings set out in clause 3 above, and if necessary, will exercise its powers under the Ninth Schedule of the PDPA to do so. 5.3 Clause 5.1 above shall be without prejudice to the Commission’s statutory powers to conduct or resume, at any time, the investigations referred to in clause 2 above if it thinks fit, including but not limited to the situation where the Organisation fails to comply with this Undertaking or part thereof in relation to any matter. 5.4 Nothing in this Undertaking, including the Commission’s acceptance of the Undertaking, is intended to, or shall, fetter or constrain the Commission’s rights and statutory powers (including but not limited to those under sections 48I, 48J, 48L(4) and 50 of the PDPA) in any manner. Neither shall be construed as creating any anticipation or expectation that the Commission will take or not take any particular course of action in the future (whether in the present case or in respect of any other case concerning a breach or suspected breach of the PDPA). 
The acceptance of this Undertaking is strictly confined to the particular facts of the present case, and is made on the basis of the representations and information provided by the Organisation. The acceptance of an Undertaking in this case shall not be construed as establishing any precedent. 6. VARIATION 6.1 This Undertaking may be varied only with the express written agreement of the Commission. This document has been electronically signed. The Parties hereby affirm that the electronic signatures have been affixed with the due authorisation of each Party and that Parties intend for the electronic signatures to carry the same weight, effect and meaning as hand-signed wet-ink signatures. SIGNED, for and on behalf of ) SingHealth Polyclinics ) By the following: ) Name: ______________________________________ ) Designation: _________________________________ ) Date: _______________________________________ ) ACCEPTED by ) ) Name: ______________________________________ ) Designation: Deputy Commissioner / Commissioner Personal Data Protection ) Date: _______________________________________ ) SCHEDULE A SUMMARY OF FACTS 1. On 31 May 2021, the Organisation’s website notified the Commission that its courier service provider, Vroom Vroom Office Services (“Vroom”), had lost a package on 21 April 2021. The lost package, intended to be delivered to a bank on, contained GIRO application forms submitted to the Organisation for processing. 2. The Organisation did not discover the loss promptly due to inadequate processes to confirm completion of package deliveries with its courier service provider. The incident was only discovered 3 weeks later when the Organisation checked with the bank on the status of the GIRO applications. 3. As a result of the loss of the package, the personal data of 87 individuals including their name, telephone number, NRIC number, bank account number and transaction payment limits were compromised. 
SCHEDULE B
S/N | Causes of Incident | Remediation Plan | Target Completion
1 | SHP does not require any explicit confirmation for successful deliveries of all packages. | A process review had been conducted and with effect from 30 June 2021, all packages with confidential information (including personal data) will require the use of [type of courier companies redacted for confidentiality] courier companies that utilise an online tracking system. Approved courier companies would have entered into Master Agreements for the delivery of the relevant courier services, which would include relevant obligations on the service provider to comply with personal data protection obligations. All SHP departmental representatives were briefed on the new workflow with a walkthrough of the online tracking system used by the approved courier companies. The confirmation of delivery will be almost in real time where SHP users can determine the delivery status of the dispatched packages online. The incident was also shared with all SHP departments and their PDPA coordinators for awareness and learning. SHP has rolled out [business process redacted for confidentiality] at its clinics, which eliminates the need to courier patients’ or their next-of-kin’s [type of document redacted for confidentiality], thereby removing the risk of such loss. In this regard, it will not be necessary to engage courier companies to deliver parcels with personal data. SHP has plans to roll out [business process redacted for confidentiality] at all clinics. This can further reduce the risk of losing the hardcopy documents during transmission. In situations where [business process redacted for confidentiality] is inapplicable, SHP will engage courier companies with a more robust verification process for the delivery of parcels that contain personal data. | Process review completed as of 30 June 2021. Use of [type of courier companies redacted for confidentiality] courier companies that utilise an online tracking system – ongoing. Post-review follow-up session with SHP departmental representatives on courier companies scheduled for September 2021. Completed as of 1 July 2021. Completed as of 31 May 2021. Process review completed as of 30 June 2021. Ongoing – by end 1st half of 2022.
2 | Vroom’s internal verification process was not robust as they implemented manual tracking of consignment notes. The window for the discovery of lost parcels was also too long, with SHP only receiving confirmation three (3) weeks after the incident. | As stated in Item (1) above, SHP will only engage [type of courier companies redacted for confidentiality] courier companies that implement an electronic / online tracking system that allows for an almost real-time status update for the confirmation of package deliveries on the same day. To enhance the follow-up confirmation process, SHP worked with [name of financial institution redacted for confidentiality] such that [name of financial institution redacted for confidentiality] has to provide written acknowledgement of receipt of any SHP parcel within the next working day. | Use of [type of courier companies redacted for confidentiality] courier companies that utilise an online tracking system – ongoing. Post-review follow-up session with SHP departmental representatives on courier companies scheduled for September 2021. Completed as of 11 June 2021. ",1002 48,2bfeb2312fd987b168d3f5324b77051f62a3918f,17,Singhealth Polyclinics,https://www.pdpc.gov.sg/undertakings/undertaking-by-singhealth-polyclinics,2022-06-16,"Background The Personal Data Protection Commission (the “Commission”) was notified by Singhealth Polyclinics (“SHP”) on 31 May 2021 that its courier service provider had misplaced a package containing the GIRO application forms submitted by its patients. 
Personal data of 87 individuals were affected, namely, names, telephone numbers, NRIC numbers, bank account numbers and transaction payment limits. It was established that SHP did not have processes in place to confirm deliveries of packages by its courier service provider. The loss of the package was only discovered 3 weeks after the incident when SHP checked with the relevant banks on the status of the GIRO applications. Remedial Actions After the incident, as part of a remediation plan, SHP: (a) conducted a process review and decided to utilize courier companies with real-time tracking for deliveries of packages with confidential information; (b) worked with relevant banking institutions to provide confirmation of receipt of any SHP parcel within the next working day; and (c) rolled out additional processes to reduce the risk of loss of hardcopy documents. Undertaking Having considered the circumstances of the case, including the remedial steps taken by SHP to improve its data protection practices, the Commission accepted an undertaking from SHP to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 5 August 2021 (the “Undertaking”). The Undertaking provided that SHP has to complete the implementation of its remediation plan by conducting the process review and changing its processes for the handling of GIRO applications. In addition, SHP would also conduct the necessary training for its employees and ensure their compliance with the changes in its policies. SHP has since updated the Commission that it has completed the implementation of its remediation plan. The Commission has reviewed the matter and determined that SHP has complied with the terms of the Undertaking. 
Please click here to view the Undertaking.",https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/undertakings/undertaking-for-singhealth-polyclinics-2022.pdf,"WRITTEN VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Personal Data Protection Commission or its delegates pursuant to section 48L(1) of the PDPA, by: SingHealth Polyclinics UEN: 52928775K Registered Address: 167 Jalan Bukit Merah #15-10 Connection One, Singapore 150167 (hereinafter referred to as the “Organisation”). By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. DEFINITIONS 1.1 In this Undertaking: (a) “PDPA” means the Personal Data Protection Act 2012 (No. 26 of 2012); and (b) “Relevant Provisions” means the provisions in Parts 3, 4, 5, 6, 6A, 6B and 9, and section 48B(1) of the PDPA. 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) The Commission has carried out investigations into certain acts and practices of the Organisation, and has reason to believe that the Organisation has not complied, is not complying, or is likely not to comply with one or more of the Relevant Provisions. The relevant facts and circumstances are summarised at Schedule A. (b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to issue directions under sections 48I or 48J of the PDPA. (c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. 
The Commission further recognises that the Organisation appears ready to implement or is in the midst of implementing the steps set out in Schedule B. (d) Having carefully considered all the relevant facts and circumstances, the Commission takes the view that this is an appropriate case in which an Undertaking may be accepted. 2.2 The Organisation also acknowledges and agrees that the Commission may publish and make publicly available this Undertaking, and without limitation to the foregoing, the Commission may issue public statements referring to this Undertaking and/or its contents in whole or in part. 3. UNDERTAKINGS 3.1 The Organisation undertakes that it has taken, or will take all necessary steps, to carry out the actions or refrain from carrying out the actions referred to in Schedule B, and where applicable, in accordance with the stipulated timelines. 4. COMMENCEMENT 4.1 This Undertaking shall take effect upon the acceptance by the Commission of the Organisation’s duly executed Undertaking. 5. THE COMMISSION’S STATUTORY POWERS 5.1 In order to provide the Organisation with an opportunity to complete all necessary steps to implement its undertakings set out in clause 3 above, the Commission will exercise its powers under section 50(3)(ca) of the PDPA to suspend the investigations referred to in clause 2 on the date the Undertaking takes effect as set out in clause 4.1. 5.2 The Organisation acknowledges that the Commission will verify the Organisation’s compliance with its undertakings set out in clause 3 above, and if necessary, will exercise its powers under the Ninth Schedule of the PDPA to do so. 5.3 Clause 5.1 above shall be without prejudice to the Commission’s statutory powers to conduct or resume, at any time, the investigations referred to in clause 2 above if it thinks fit, including but not limited to the situation where the Organisation fails to comply with this Undertaking or part thereof in relation to any matter. 
5.4 Nothing in this Undertaking, including the Commission’s acceptance of the Undertaking, is intended to, or shall, fetter or constrain the Commission’s rights and statutory powers (including but not limited to those under sections 48I, 48J, 48L(4) and 50 of the PDPA) in any manner. Neither shall be construed as creating any anticipation or expectation that the Commission will take or not take any particular course of action in the future (whether in the present case or in respect of any other case concerning a breach or suspected breach of the PDPA). The acceptance of this Undertaking is strictly confined to the particular facts of the present case, and is made on the basis of the representations and information provided by the Organisation. The acceptance of an Undertaking in this case shall not be construed as establishing any precedent. 6. VARIATION 6.1 This Undertaking may be varied only with the express written agreement of the Commission. This document has been electronically signed. The Parties hereby affirm that the electronic signatures have been affixed with the due authorisation of each Party and that Parties intend for the electronic signatures to carry the same weight, effect and meaning as hand-signed wet-ink signatures. SIGNED, for and on behalf of ) SingHealth Polyclinics ) By the following: ) Name: ______________________________________ ) Designation: _________________________________ ) Date: _______________________________________ ) ACCEPTED by ) ) Name: ______________________________________ ) Designation: Deputy Commissioner / Commissioner Personal Data Protection ) Date: _______________________________________ ) SCHEDULE A SUMMARY OF FACTS 1. On 31 May 2021, the Organisation’s website notified the Commission that its courier service provider, Vroom Vroom Office Services (“Vroom”), had lost a package on 21 April 2021. 
The lost package, intended to be delivered to a bank on, contained GIRO application forms submitted to the Organisation for processing. 2. The Organisation did not discover the loss promptly due to inadequate processes to confirm completion of package deliveries with its courier service provider. The incident was only discovered 3 weeks later when the Organisation checked with the bank on the status of the GIRO applications. 3. As a result of the loss of the package, the personal data of the Organisation’s 87 individuals including their name, telephone number, NRIC number, bank account number and transaction payment limits were compromised.
SCHEDULE B
1. Causes of Incident: SHP does not require any explicit confirmation for successful deliveries of all packages.
Remediation Plan: A process review had been conducted and with effect from 30 June 2021, all packages with confidential information (including personal data) will require the use of [type of courier companies redacted for confidentiality] courier companies that utilise an online tracking system. Approved courier companies would have entered into Master Agreements for the delivery of the relevant courier services, which would include relevant obligations on the service provider to comply with personal data protection obligations. All SHP departmental representatives were briefed on the new workflow with a walkthrough of the online tracking system used by the approved courier companies. The confirmation of delivery will be almost in real time where SHP users can determine the delivery status of the dispatched packages online. The incident was also shared with all SHP departments and their PDPA coordinators for awareness and learning.
2. Causes of Incident: Vroom’s internal verification process was not robust as they implemented manual tracking of consignment notes. The window for the discovery of lost parcels was also too long, with SHP only receiving confirmation three (3) weeks after the incident. 
Target Completion: Process review completed as of 30 June 2021. Use of [type of courier companies redacted for confidentiality] courier companies that utilise an online tracking system – ongoing. Post-review follow-up session with SHP departmental representatives on courier companies scheduled for September 2021. Completed as of 1 July 2021. SHP has rolled out [business process redacted for confidentiality] at its clinics, which eliminates the need to courier patients’ or their next-of-kin’s [type of document redacted for confidentiality], thereby removing the risk of such loss. In this regard, it will not be necessary to engage courier companies to deliver parcels with personal data. SHP has plans to roll out [business process redacted for confidentiality] at all clinics. This can further reduce the risk of losing the hardcopy documents during transmission. Completed as of 31 May 2021. In situations where [business process redacted for confidentiality] is inapplicable, SHP will engage courier companies with a more robust verification process for the delivery of parcels that contain personal data. Process review completed as of 30 June 2021. Ongoing – by end 1st half of 2022.
Remediation Plan (Item 2): As stated in Item (1) above, SHP will only engage [type of courier companies redacted for confidentiality] courier companies that implement an electronic / online tracking system that allows for an almost real-time status update for the confirmation of package deliveries on the same day. To enhance the follow-up confirmation process, SHP worked with [name of financial institution redacted for confidentiality] such that [name of financial institution redacted for confidentiality] has to provide written acknowledgement of receipt of any SHP parcel within the next working day.
Target Completion (continued): Use of [type of courier companies redacted for confidentiality] courier companies that utilise an online tracking system – ongoing. 
Post-review follow-up session with SHP departmental representatives on courier companies scheduled for September 2021. Completed as of 11 June 2021. ",1007 16,8e72b402c98689e46331d2efbd360f419c6f6cdd,16,Jade E-Services Singapore Pte Ltd,https://www.pdpc.gov.sg/Undertakings/Undertaking%20by%20Jade%20E-Services%20Singapore%20Pte%20Ltd,2022-04-21,"Background  The Personal Data Protection Commission (the “Commission”) received a data breach notification on 11 September 2021 from Jade E-Services Singapore Pte. Ltd. (“Organisation”) following an incident where a marketing email was wrongly sent, as a result of an employee’s lapse. The marketing email was sent to the email addresses belonging to 456,868 individuals who had withdrawn their consent to receive such marketing emails. The recipients included 165 individuals who had previously requested for their account to be terminated. It was established that the Organisation lacked sufficiently robust processes to identify and correct any human error by their employees in the use of its system. The Organisation also did not have sufficiently robust retention policies. This resulted in the retention of email addresses of individuals who had unsubscribed from the Organisation’s newsletter and did not have any account with the Organisation. Remedial Actions After the incident, as part of a remediation plan, the Organisation: (a) immediately stopped any further sending of automated emails that had yet to be processed; (b) corrected the system settings; (c) implemented an additional layer of approval for all automated emails that have been modified by an employee to prevent erroneous changes; (d) sent apology emails to individuals who had received the erroneous emails; and (e) issued social media communications to inform all customers of the incident. 
Undertaking  Having considered the circumstances of the case, including the remedial steps taken by the Organisation to improve its personal data protection practices, the Commission accepted an undertaking from the Organisation to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 3 December 2021 (the “Undertaking”). The Undertaking provided that the Organisation was to complete the implementation of its remediation plan to develop and implement an automated feature to trigger anonymisation of email addresses belonging to customers who had unsubscribed from the Organisation’s newsletter and did not have any account with the Organisation. The Organisation has since updated the Commission that implementation of its remediation plan has been completed. The Commission has reviewed the matter and determined that the Organisation has complied with the terms of the Undertaking. Please click here to view the Undertaking.",https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/undertakings/undertaking-for-jade-e-services-singapore-pte-ltd.pdf,"WRITTEN VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Personal Data Protection Commission or its delegates pursuant to section 48L(1) of the PDPA, by: Jade E-Services Singapore Pte. Ltd. UEN: 201134432E Registered Address: 51 Bras Basah Road #07-01/04, Singapore 189554 (hereinafter referred to as the “Organisation”). By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. DEFINITIONS 1.1 In this Undertaking: (a) “PDPA” means the Personal Data Protection Act 2012 (No. 26 of 2012); and (b) “Relevant Provisions” means the provisions in Parts III, IV, V, VI, VIA and IX, and section 48B(1) of the PDPA. 2. 
ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) The Commission has carried out investigations into certain acts and practices of the Organisation, and has reason to believe that the Organisation has not complied, is not complying, or is likely not to comply with one or more of the Relevant Provisions. The relevant facts and circumstances are summarised at Schedule A. (b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to issue directions under sections 48I or 48J of the PDPA. (c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation appears ready to implement or is in the midst of implementing the steps set out in Schedule B. (d) Having carefully considered all the relevant facts and circumstances, the Commission takes the view that this is an appropriate case in which an Undertaking may be accepted. 2.2 The Organisation also acknowledges and agrees that the Commission may publish and make publicly available this Undertaking, and without limitation to the foregoing, the Commission may issue public statements referring to this Undertaking and/or its contents in whole or in part. 3. UNDERTAKINGS 3.1 The Organisation undertakes that it has taken, or will take all necessary steps, to carry out the actions or refrain from carrying out the actions referred to in Schedule B, and where applicable, in accordance with the stipulated timelines. 4. COMMENCEMENT 4.1 This Undertaking shall take effect upon the acceptance by the Commission of the Organisation’s duly executed Undertaking. 5. 
THE COMMISSION’S STATUTORY POWERS 5.1 In order to provide the Organisation with an opportunity to complete all necessary steps to implement its undertakings set out in clause 3 above, the Commission will exercise its powers under section 50(3)(ca) of the PDPA to suspend the investigations referred to in clause 2 on the date the Undertaking takes effect as set out in clause 4.1. 5.2 The Organisation acknowledges that the Commission will verify the Organisation’s compliance with its undertakings set out in clause 3 above, and if necessary, will exercise its powers under the Ninth Schedule of the PDPA to do so. 5.3 Clause 5.1 above shall be without prejudice to the Commission’s statutory powers to conduct or resume, at any time, the investigations referred to in clause 2 above if it thinks fit, including but not limited to the situation where the Organisation fails to comply with this Undertaking or part thereof in relation to any matter. 5.4 Nothing in this Undertaking, including the Commission’s acceptance of the Undertaking, is intended to, or shall, fetter or constrain the Commission’s rights and statutory powers (including but not limited to those under sections 48I, 48J, 48L(4) and 50 of the PDPA) in any manner. Neither shall be construed as creating any anticipation or expectation that the Commission will take or not take any particular course of action in the future (whether in the present case or in respect of any other case concerning a breach or suspected breach of the PDPA). The acceptance of this Undertaking is strictly confined to the particular facts of the present case, and is made on the basis of the representations and information provided by the Organisation. The acceptance of an Undertaking in this case shall not be construed as establishing any precedent. 6. VARIATION 6.1 This Undertaking may be varied only with the express written agreement of the Commission. This document has been electronically signed. 
The Parties hereby affirm that the electronic signatures have been affixed with the due authorisation of each Party and that Parties intend for the electronic signatures to carry the same weight, effect and meaning as hand-signed wet-ink signatures.
SIGNED, for and on behalf of Jade E-Services Singapore Pte. Ltd.
By the following:
Name: ______________________________________
Designation: _________________________________
Date: _______________________________________
ACCEPTED by
Name: ______________________________________
Designation: Deputy Commissioner Personal Data Protection
Date: _______________________________________
SCHEDULE A
SUMMARY OF FACTS
1. On 11 September 2021, the Organisation informed PDPC of an incident where marketing emails had been sent to 456,868 individuals who did not consent to receiving such marketing emails. Of these 456,868 individuals, 165 had previously requested for their account to be terminated. 2. The incident was attributed to human error by an employee who had erroneously made the wrong selection in the Organisation’s system.
SCHEDULE B
Root Cause 1: Human error in the Campaign setup – “dispatch method” on Vendor’s Platform was erroneously changed by a ZALORA employee. The employee also (i) failed to ensure the correct audience subset was selected; and (ii) failed to double check the dispatch method settings when an alert message appeared informing her that changes to the dispatch method settings had been made.
Measure 1: Enhance Vendor’s Platform user SOP and training.
Description: Enhancements:
- Updates to SOPs arising from Measures 2 - 4 below
- Reminding and offering refresher courses to all team members
- All previous training material is readily available, and senior members of the team are well equipped to train and guide junior members.
Existing SOP and Training prior to incident: All Vendor’s Platform users at ZALORA need to complete:
- Vendor’s Platform courses (platform training courses to familiarize themselves with key features of the platform)
- Five 3-hour training sessions with senior members to understand the purpose of the function and function specific setup requirements.
- A short exercise that tests new members’ comprehension of topics taught at the end of every session.
After completion of these 3 points, the following takes place as the new joiners are getting familiar with their roles:
- Training SOP and materials are shared with all members as a form of reference.
- Senior members vet through campaigns created by junior members until they are able to execute them independently.
- Key information is reiterated throughout the training and onboarding process. This includes:
  - Ensuring proof test sends are only sent to internal users
  - Testing all communication before actual roll-out
  - Checking through all parts of the campaign setup on Vendor’s Platform before launch
  - Ensuring no roll-outs of any magnitude on any day before a period of long breaks (e.g. Friday, eve of public holidays) so that any errors can be picked up and rectified in a timely manner
  - Actively monitoring campaign send size and live emails post launch
Changes in processes are also updated in individual functions’ SOP and all relevant team members are informed.
Status / Owner / Timeline: Done on 10 September 2021. Owner: CRM. Note: After the incident, the Head of CRM decided to reevaluate whether the current SOP and Training is sufficient. As the SOP and Training for Vendor’s Platform was evaluated to already be rigorous and effective, minimal enhancements were made.
Measure 2: Custom code nested in email HTML.
Description: This custom code restricts email templates to be used only for:
- Users from specific countries
- Activated via a specific delivery method
This bypasses the limitation of the Vendor’s platform guardrails. If an email template was selected for the user of another country (e.g. Malaysia) outside the intended country (e.g. Singapore) or delivery method, the email cannot be sent. This would mitigate the risk of another mass sending of emails to databases of all countries.
Status / Owner / Timeline: Done on 13 September 2021. Owner: CRM.
Measure 3: Send rate throttling – limiting number of emails per hour by campaign type.
Description: An individual setting for each campaign was implemented to cap the number of emails that can be sent per hour. Campaigns such as “Account Registration” would not have high volumes per hour. Thus if ZALORA detects abnormal activity, we will be able to stem the issue and limit the affected audiences. This was applied to all email types for good measure.
Measure 4: Custom alert sent to CRM chat group on Vendor’s Platform when campaign changes are made on Vendor’s Platform.
Description: This custom alert was created by ZALORA to extract information from Vendor’s Platform when a campaign change is made. This alert system (which is a dedicated CRM chat group on Vendor’s Platform) is available to the CRM team to check which campaigns have undergone a change, and the CRM team can intervene when an unintended change appears to have been made.
Status / Owner / Timeline (Measures 3 and 4): Done on 20 September 2021, Owner: CRM; Done on 13 September 2021, Owner: CRM.
Measure 5: Vendor platform enhancement requests.
Description: Made 4 key system enhancement requests to Vendor’s Platform. However, this is subject to discussion and development dependency on the part of Vendor’s Platform.
Status / Owner / Timeline: ZALORA has reached out to Vendor with proposed improvements, and this has been escalated to their HQ. 
Root Cause 2: Accidental retention of 165 individuals’ email addresses on ZALORA’s backend system (out of which 18 belong to our Singapore database) - This occurred due to a technical error in the implementation of the Data Anonymisation feature for ZALORA’s backend system in May 2020 to capture and anonymise 1 database table containing email addresses.
Measure 1: Review and fix Data Anonymisation feature on ZALORA’s backend system.
Description: ZALORA’s Tech team conducted a comprehensive review of the Data Anonymisation feature on ZALORA’s backend system and its downstream systems. In particular to:
- Investigate to identify if there are any discrepancies in ZALORA’s backend system and downstream systems to ensure that the anonymisation is effective.
- In case of mismatch or any redundant data found, clean up the said data and set up an automated cleanup job.
We have confirmed that: a) the root cause was the single database table within ZALORA’s backend system which inadvertently fell outside the scope of the Data Anonymisation feature, and once this technical error has been rectified there will not be any discrepancy in downstream systems as the anonymization methodology is effective; b) all anonymisation action taken on ZALORA’s backend system prior to adoption of new feature in May 2020 was properly implemented; and c) this issue has now been fully rectified and all account deletion requests will be properly attended to by way of the Data Anonymisation feature on ZALORA’s backend system.
Status / Owner / Timeline: Fix of Data Anonymisation feature completed on 22 Sept 2021. This is now rectified and fully resolved. 
Owner: Tech.
Root Cause 3: Retention of email addresses of individuals who had unsubscribed to our newsletter and do not have a Customer account with ZALORA - These email addresses were retained by ZALORA for business purposes, but ZALORA acknowledges the risks arising out of such retention and has re-evaluated the need to retain such email addresses on a nonanonymised basis.
Measure 1: CRM, CS and Tech will work together to manually anonymise on ZALORA’s backend system the email addresses of Unsubscribed Users who fulfill the following criteria: 1) have unsubscribed from Newsletter; 2) do not have a Customer account with ZALORA; and 3) have been on unsubscribed status for 30 days.
Description: All email addresses belonging to Unsubscribed Users who fulfil the criteria with: (a) ZALORA Singapore have been anonymized manually by CRM, CS and Tech team as at 21 October 2021; and (b) ZALORA regionally (other than Singapore) will be anonymised manually by CRM, CS and Tech team by the end of October 2021. With the anonymisation of such email addresses, we are of the view that the retention risk has and will be significantly mitigated.
Status / Owner / Timeline: This process has been implemented for ZALORA Singapore on 21 October 2021 and will be implemented for ZALORA regionally (other than Singapore) by the end of October 2021. This process will continue manually until the automated process (see measure 2) is in place. Owner: CRM x CS x Tech.
Measure 2: Tech will develop and implement an automated feature and process in the ZALORA’s backend system to trigger the anonymisation of email addresses belonging to Unsubscribed Users who fulfil the following criteria: 1) have unsubscribed from Newsletter; 2) do not have a Customer account with ZALORA; and 3) have been on unsubscribed status for 30 days.
Description: This automated feature to be developed and implemented will remove the need for a manual process (see measure 1) and mitigate any missed emails or human error.
Status / Owner / Timeline: Owner: Tech. Timeline: To develop and implement automated process by end of Q1 2022. ",1007 15,cc49b316e5869915f0d8c07eab9094eb11898cc4,15,JT Legal LLC,https://www.pdpc.gov.sg/Undertakings/Undertaking-by-JT-Legal-LLC,2022-01-14,"Background  The Personal Data Protection Commission (the “Commission”) received a data breach notification on 16 June 2021 from JT Legal LLC (“JTL”). JTL stated that it had been subjected to an email phishing attack which allowed the threat actor to access and view files on JTL’s SharePoint. The personal data of approximately 1,006 individuals were at risk. The datasets affected comprised the names, addresses, email addresses, NRIC numbers and passport numbers. It was established that (a) JTL had insufficient training for its staff on basic cybersecurity and data protection measures, (b) there was no personal data policy or written internal guidelines, (c) there was no IT security policy for, and no security risk management of, its information and communications technology (“ICT”) operations. Remedial Actions After the incident, as part of a remediation plan, JTL promptly implemented the following measures: (a) Implemented Multi-Factor Authentication for all user accounts; (b) Secured files and documents using password protection; (c) Implemented dedicated anti-virus on all computers; (d) Conducted a review of IT infrastructure; (e) Implemented further security measures; (f) Developed an internal reporting system; (g) Implemented training and awareness programmes for its employees; and (h) Reviewed and updated its personal data protection policy. Undertaking  The Commission recognises that JTL has made efforts to address the concerns raised in this case and to improve its personal data protection practices. 
Having considered the circumstances of the case, the Commission accepted an undertaking from JTL to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 27 August 2021 (the “Undertaking”). The Undertaking provided that JTL has to complete its implementation of the remediation plan. This includes a professional review of its IT infrastructure and other measures outlined within the remediation plan. JTL has since updated the Commission that implementation of its remediation plan has been completed. The Commission has reviewed the matter and is satisfied that JTL has complied with the terms of the Undertaking. Please click here to view the Undertaking.",https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/undertakings/undertaking-for-jt-legal-llc-5-april-2022.pdf,"WRITTEN VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Personal Data Protection Commission or its delegates pursuant to section 48L(1) of the PDPA, by: JT Legal LLC UEN: 201706016E Registered Address: 12 Marina Boulevard #17-01 Marina Bay Financial Centre, Tower 3, Singapore (018982) (hereinafter referred to as the “Organisation”). By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. DEFINITIONS 1.1 In this Undertaking: (a) “PDPA” means the Personal Data Protection Act 2012 (No. 26 of 2012); and (b) “Relevant Provisions” means the provisions in Parts III, IV, V, VI, VIA and IX, and section 48B(1) of the PDPA. 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) The Commission has carried out investigations into certain acts and practices of the Organisation, and has reason to believe that the Organisation has not complied, is not complying, or is likely not to comply with one or more of the Relevant Provisions. 
The relevant facts and circumstances are summarised at Schedule A. (b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to issue directions under sections 48I or 48J of the PDPA. (c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation appears ready to implement or is in the midst of implementing the steps set out in Schedule B. (d) Having carefully considered all the relevant facts and circumstances, the Commission takes the view that this is an appropriate case in which an Undertaking may be accepted. 2.2 The Organisation also acknowledges and agrees that the Commission may publish and make publicly available this Undertaking, and without limitation to the foregoing, the Commission may issue public statements referring to this Undertaking and/or its contents in whole or in part. 3. UNDERTAKINGS 3.1 The Organisation undertakes that it has taken, or will take all necessary steps, to carry out the actions or refrain from carrying out the actions referred to in Schedule B, and where applicable, in accordance with the stipulated timelines. 4. COMMENCEMENT 4.1 This Undertaking shall take effect upon the acceptance by the Commission of the Organisation’s duly executed Undertaking. 5. THE COMMISSION’S STATUTORY POWERS 5.1 In order to provide the Organisation with an opportunity to complete all necessary steps to implement its undertakings set out in clause 3 above, the Commission will exercise its powers under section 50(3)(ca) of the PDPA to suspend the investigations referred to in clause 2 on the date the Undertaking takes effect as set out in clause 4.1. 
5.2 The Organisation acknowledges that the Commission will verify the Organisation’s compliance with its undertakings set out in clause 3 above, and if necessary, will exercise its powers under the Ninth Schedule of the PDPA to do so. 5.3 Clause 5.1 above shall be without prejudice to the Commission’s statutory powers to conduct or resume, at any time, the investigations referred to in clause 2 above if it thinks fit, including but not limited to the situation where the Organisation fails to comply with this Undertaking or part thereof in relation to any matter. 5.4 Nothing in this Undertaking, including the Commission’s acceptance of the Undertaking, is intended to, or shall, fetter or constrain the Commission’s rights and statutory powers (including but not limited to those under sections 48I, 48J, 48L(4) and 50 of the PDPA) in any manner. Neither shall be construed as creating any anticipation or expectation that the Commission will take or not take any particular course of action in the future (whether in the present case or in respect of any other case concerning a breach or suspected breach of the PDPA). The acceptance of this Undertaking is strictly confined to the particular facts of the present case, and is made on the basis of the representations and information provided by the Organisation. The acceptance of an Undertaking in this case shall not be construed as establishing any precedent. 6. VARIATION 6.1 This Undertaking may be varied only with the express written agreement of the Commission. This document has been electronically signed. The Parties hereby affirm that the electronic signatures have been affixed with the due authorisation of each Party and that Parties intend for the electronic signatures to carry the same weight, effect and meaning as hand-signed wet-ink signatures. 
SIGNED, for and on behalf of JT Legal LLC
By the following:
Name: ______________________________________
Designation: _________________________________
Date: _______________________________________
ACCEPTED by
Name: _____Yeong Zee Kin______________________
Designation: Deputy Commissioner / Commissioner Personal Data Protection
Date: _______________________________________
SCHEDULE A
SUMMARY OF FACTS
1. On 4 June 2021, the Organisation was subjected to a phishing attack where a phishing email was sent twice to joshua@jtlegal.com from noreply@dropbox.com with the following subject: “Jaya Shakila wants to access your file “JT Legal LLC New Details.pdf”. 2. As a result of the attack, the personal data of the Organisation’s approximately 1,006 users including their name, residential address, email address, NRIC numbers and passport numbers were affected.
SCHEDULE B
S/N Item Status Target Date of Completion (Month-Year)
1. Implementation of Multi-Factor Authentication. Multi-Factor Authentication (“MFA”) will be implemented for all user accounts of the organisation. Status: Completed (Jul-21).
2. Implementation of a dedicated anti-virus on computers within the organisation. Anti-virus software is to be installed on all organisation computers to increase the organisation’s protection and security to external cyber threats. Status: In progress (Aug-21).
3. Cyber security awareness & competency. The organisation will conduct periodic unannounced tests to assess the competency of staff in recognising and responding to potential phishing attempts. Status: In progress (Aug-21).
4. Training of staff to develop cyber security awareness and competency. The organisation will develop basic cyber security training for staff of the organisation to be conducted on an annual basis to ensure that staff possess a reasonable level of cyber security competency. New staff to the organisation are to complete the mandatory basic cyber security training. Status: In progress (Sep-21).
5. Protection of key data sheets. Key data sheets containing collations of personal data collected by the organisation in the course of its business will be encrypted with a password. Access to such key data sheets will be provided on a need to know basis. Status: Completed (Jul-21).
6. Immediate remedial actions taken: a. Change of all passwords for all user accounts; b. Change of all passwords for all online databases, cloud-based services, subscription-based services and programs used by the organisation as an added security measure; c. Virus scans conducted on the computers used to access the breached email account of the organisation; and d. Anonymisation of personal data stored on the organisations’ key data sheets containing collations of personal data where possible. Status: Completed (Jun-21).
7. Review of internal data collection procedures and policy. A review of the organisation’s internal data collection policies will be conducted to ensure that personal data will not be unnecessarily collected or retained. A review of the organisation’s internal data collection procedure will be conducted to ensure personal data collected in the course of its business are properly stored and anonymised if unnecessary. Development of the organisation’s password policy to ensure strong passwords are employed by the organisation. Status: In progress (Sep-21).
8. Reformat of possible breached computers. The organisation will reformat computers of the organisation that had been used to access the email that had been breached. Status: In progress (Aug-21).
9. Professional review of IT infrastructure and systems and subsequent implementation of further actions recommended. Engagement of an IT service professional to review the organisation’s current IT infrastructure and systems to further prepare and prevent against future cyber-attacks. Implementation of further security measures as recommended by the engaged IT service professional to upgrade the organisation’s cyber security measures. Status: In progress (Nov-21).
10. Development of an internal reporting system. Potential phishing attempts or emails containing malware sent to an individual in the organisation are reported so that all staff are kept updated and may be kept abreast of the potential security risk. All staff have been heavily encouraged to seek assistance if they are unsure whether an email may be a phishing attempt or if they are unable to ascertain whether an email may contain malware or a link to a suspicious internet domain. Status: Completed (Jul-21). ",1007 14,e9041fe8eb095696f0435c0a3ea023f11d0ef556,14,Fujioh International Trading Pte Ltd,https://www.pdpc.gov.sg/Undertakings/Undertaking-by-Fujioh-International-Trading-Pte-Ltd,2021-11-11,"Background  The Personal Data Protection Commission (the “Commission”) received information on 24 August 2020 that Fujioh International Trading Pte Ltd’s (“Fujioh”) website had been affected by URL manipulation, resulting in its customers’ personal data being exposed on Fujioh’s online warranty system on its website. The attacker gained access to the Organisation’s website by iterating through the customers’ given identifiers that were reflected at the end of the URL, to download the uploaded receipt images. The personal data of 2,771 individuals was affected. The affected datasets comprised the affected individuals’ name, address, email and telephone number.  It was established that Fujioh (a) had an application weakness in the receipt submission process of their online warranty system, (b) did not have proper data protection clauses in its contract with its vendor, and (c) had insufficient data protection management.  
Remedial Actions After the incident, as part of a remediation plan, Fujioh had:  (a) introduced session tokens in the online warranty system that expire at the end of each receipt submission;  (b) replaced its online warranty system to fix undetected vulnerabilities;  (c) established a Data Protection Management Programme that consisted of drafting of policies and notices, establishment of procedures, templates, data inventory map, training data protection curriculum for employees; and  (d) established checklists, procedures and templates for 3rd party vendors.  Undertaking  Having considered the circumstances of the case, including the remedial steps taken by Fujioh to improve its personal data protection practices, the Commission accepted an undertaking from Fujioh to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 31 March 2021 (the “Undertaking”).  The Undertaking provided that Fujioh was to complete implementation of its remediation plan by replacing its online warranty system to fix undetected vulnerabilities.  Fujioh has since updated the Commission that implementation of its remediation plan has been completed. The Commission has reviewed the matter and determined that Fujioh has complied with the terms of the Undertaking.  Please click here to view the Undertaking.",https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Undertakings/Undertaking---Fujioh-International-Trading-Pte-Ltd.pdf,"WRITTEN VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Personal Data Protection Commission or its delegates pursuant to section 48L(1) of the PDPA, by: Fujioh International Trading Pte Ltd UEN: 199305801D Registered Address: 130 Joo Seng Road, #05-05, Singapore 368357 (hereinafter referred to as the “Organisation”). 
By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. DEFINITIONS 1.1 In this Undertaking: (a) “PDPA” means the Personal Data Protection Act 2012 (No. 26 of 2012); and (b) “Relevant Provisions” means the provisions in Parts 3, 4, 5, 6, 6A, 6B and 9, and section 48B(1) of the PDPA. 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) The Commission has carried out investigations into certain acts and practices of the Organisation, and has reason to believe that the Organisation has not complied, is not complying, or is likely not to comply with one or more of the Relevant Provisions. The relevant facts and circumstances are summarised at Schedule A. (b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to issue directions under sections 48I or 48J of the PDPA. (c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation appears ready to implement or is in the midst of implementing the steps set out in Schedule B. (d) Having carefully considered all the relevant facts and circumstances, the Commission takes the view that this is an appropriate case in which an Undertaking may be accepted. 2.2 The Organisation also acknowledges and agrees that the Commission may publish and make publicly available this Undertaking, and without limitation to the foregoing, the Commission may issue public statements referring to this Undertaking and/or its contents in whole or in part. 3. 
UNDERTAKINGS 3.1 The Organisation undertakes that it has taken, or will take all necessary steps, to carry out the actions or refrain from carrying out the actions referred to in Schedule B, and where applicable, in accordance with the stipulated timelines. 4. COMMENCEMENT 4.1 This Undertaking shall take effect upon the acceptance by the Commission of the Organisation’s duly executed Undertaking. 5. THE COMMISSION’S STATUTORY POWERS 5.1 In order to provide the Organisation with an opportunity to complete all necessary steps to implement its undertakings set out in clause 3 above, the Commission will exercise its powers under section 50(3)(ca) of the PDPA to suspend the investigations referred to in clause 2 on the date the Undertaking takes effect as set out in clause 4.1. 5.2 The Organisation acknowledges that the Commission will verify the Organisation’s compliance with its undertakings set out in clause 3 above, and if necessary, will exercise its powers under the Ninth Schedule of the PDPA to do so. 5.3 Clause 5.1 above shall be without prejudice to the Commission’s statutory powers to conduct or resume, at any time, the investigations referred to in clause 2 above if it thinks fit, including but not limited to the situation where the Organisation fails to comply with this Undertaking or part thereof in relation to any matter. 5.4 Nothing in this Undertaking, including the Commission’s acceptance of the Undertaking, is intended to, or shall, fetter or constrain the Commission’s rights and statutory powers (including but not limited to those under sections 48I, 48J, 48L(4) and 50 of the PDPA) in any manner. Neither shall be construed as creating any anticipation or expectation that the Commission will take or not take any particular course of action in the future (whether in the present case or in respect of any other case concerning a breach or suspected breach of the PDPA). 
The acceptance of this Undertaking is strictly confined to the particular facts of the present case, and is made on the basis of the representations and information provided by the Organisation. The acceptance of an Undertaking in this case shall not be construed as establishing any precedent. 6. VARIATION 6.1 This Undertaking may be varied only with the express written agreement of the Commission. This document has been electronically signed. The Parties hereby affirm that the electronic signatures have been affixed with the due authorisation of each Party and that Parties intend for the electronic signatures to carry the same weight, effect and meaning as hand-signed wet-ink signatures. SIGNED, for and on behalf of ) Fujioh International Trading Pte Ltd ) By the following: ) Name: ______________________________________ ) Designation: _________________________________ ) Date: _______________________________________ ) ACCEPTED by ) ) Name: ___Yeong Zee Kin_______________________ ) Designation: Deputy Commissioner / Commissioner Personal Data Protection ) Date: _______________________________________ ) SCHEDULE A SUMMARY OF FACTS 1. On 24 August 2020, the Organisation’s website was subject to URL manipulation resulting in its customers’ personal data being exposed via uploaded receipt images. The attacker gained access to the Organisation’s website by iterating through the customers’ given identifiers that were reflected at the end of the URL, to download the uploaded receipt images. 2. As a result of the attack, the personal data of the Organisation’s approximately 2,771 users including their name, residential address, email address and telephone number were affected. 
SCHEDULE B Causes of Incident Remediation Plan 1 Application weakness in the receipt submission process of their online warranty system Introduced session tokens in the online warranty system that expire at the end of each receipt submission 2 Application weakness in the receipt submission process of their online warranty system Replacement of current online warranty system to fix undetected vulnerabilities Target completion by 30 Sep 2021 3 Insufficient data protection management Establish DPMP Completed on 28 Feb 2020 a. Draft policies and notices Target Completion Completed on 25 Aug 2020 b. Establish procedures and templates c. Establish data inventory map d. Establish training data protection curriculum for employees 4 Not having proper data protection clauses in its contract with vendor Establish checklists, procedures and templates for 3rd party vendors: i. Checklists for IT vendors providing IT solutions to FIT ii. Checklists for vendors processing FIT’s personal data; iii. SOPs for 3rd parties handling FIT’s personal data. Completed on 28 Feb 2020 ",1002 47,b3716d3b875e6cb88be06cc7d68272f01b42decd,14,Fujioh International Trading Pte Ltd,https://www.pdpc.gov.sg/undertakings/undertaking-by-fujioh-international-trading-pte-ltd,2021-11-11,"Background  The Personal Data Protection Commission (the “Commission”) received information on 24 August 2020 that Fujioh International Trading Pte Ltd’s (“Fujioh”) website had been affected by URL manipulation, resulting in its customers’ personal data being exposed on Fujioh’s online warranty system on its website. The attacker gained access to the Organisation’s website by iterating through the customers’ given identifiers that were reflected at the end of the URL, to download the uploaded receipt images. The personal data of 2,771 individuals was affected. The affected datasets comprised the affected individuals’ name, address, email and telephone number.  
It was established that Fujioh (a) had application weakness in the receipt submission process of their online warranty system, (b) did not have proper data protection clauses in its contract with its vendor, and (c) had insufficient data protection management.  Remedial Actions After the incident, as part of a remediation plan, Fujioh had:  (a) introduced session tokens in the online warranty system that expire at the end of each receipt submission;  (b) replaced its online warranty system to fix undetected vulnerabilities;  (c) established a Data Protection Management Programme that consisted of drafting of policies and notices, establishment of procedures, templates, data inventory map, training data protection curriculum for employees; and  (d) established checklists, procedures and templates for 3rd party vendors.  Undertaking  Having considered the circumstances of the case, including the remedial steps taken by Fujioh to improve its personal data protection practices, the Commission accepted an undertaking from Fujioh to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 31 March 2021 (the “Undertaking”).  The Undertaking provided that Fujioh was to complete implementation of its remediation plan by replacing its online warranty system to fix undetected vulnerabilities.  Fujioh has since updated the Commission that implementation of its remediation plan has been completed. The Commission has reviewed the matter and determined that Fujioh has complied with the terms of the Undertaking.  
Please click here to view the Undertaking.",https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/undertakings/undertaking---fujioh-international-trading-pte-ltd.pdf,"WRITTEN VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Personal Data Protection Commission or its delegates pursuant to section 48L(1) of the PDPA, by: Fujioh International Trading Pte Ltd UEN: 199305801D Registered Address: 130 Joo Seng Road, #05-05, Singapore 368357 (hereinafter referred to as the “Organisation”). By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. DEFINITIONS 1.1 In this Undertaking: (a) “PDPA” means the Personal Data Protection Act 2012 (No. 26 of 2012); and (b) “Relevant Provisions” means the provisions in Parts 3, 4, 5, 6, 6A, 6B and 9, and section 48B(1) of the PDPA. 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) The Commission has carried out investigations into certain acts and practices of the Organisation, and has reason to believe that the Organisation has not complied, is not complying, or is likely not to comply with one or more of the Relevant Provisions. The relevant facts and circumstances are summarised at Schedule A. (b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to issue directions under sections 48I or 48J of the PDPA. (c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. 
The Commission further recognises that the Organisation appears ready to implement or is in the midst of implementing the steps set out in Schedule B. (d) Having carefully considered all the relevant facts and circumstances, the Commission takes the view that this is an appropriate case in which an Undertaking may be accepted. 2.2 The Organisation also acknowledges and agrees that the Commission may publish and make publicly available this Undertaking, and without limitation to the foregoing, the Commission may issue public statements referring to this Undertaking and/or its contents in whole or in part. 3. UNDERTAKINGS 3.1 The Organisation undertakes that it has taken, or will take all necessary steps, to carry out the actions or refrain from carrying out the actions referred to in Schedule B, and where applicable, in accordance with the stipulated timelines. 4. COMMENCEMENT 4.1 This Undertaking shall take effect upon the acceptance by the Commission of the Organisation’s duly executed Undertaking. 5. THE COMMISSION’S STATUTORY POWERS 5.1 In order to provide the Organisation with an opportunity to complete all necessary steps to implement its undertakings set out in clause 3 above, the Commission will exercise its powers under section 50(3)(ca) of the PDPA to suspend the investigations referred to in clause 2 on the date the Undertaking takes effect as set out in clause 4.1. 5.2 The Organisation acknowledges that the Commission will verify the Organisation’s compliance with its undertakings set out in clause 3 above, and if necessary, will exercise its powers under the Ninth Schedule of the PDPA to do so. 5.3 Clause 5.1 above shall be without prejudice to the Commission’s statutory powers to conduct or resume, at any time, the investigations referred to in clause 2 above if it thinks fit, including but not limited to the situation where the Organisation fails to comply with this Undertaking or part thereof in relation to any matter. 
5.4 Nothing in this Undertaking, including the Commission’s acceptance of the Undertaking, is intended to, or shall, fetter or constrain the Commission’s rights and statutory powers (including but not limited to those under sections 48I, 48J, 48L(4) and 50 of the PDPA) in any manner. Neither shall be construed as creating any anticipation or expectation that the Commission will take or not take any particular course of action in the future (whether in the present case or in respect of any other case concerning a breach or suspected breach of the PDPA). The acceptance of this Undertaking is strictly confined to the particular facts of the present case, and is made on the basis of the representations and information provided by the Organisation. The acceptance of an Undertaking in this case shall not be construed as establishing any precedent. 6. VARIATION 6.1 This Undertaking may be varied only with the express written agreement of the Commission. This document has been electronically signed. The Parties hereby affirm that the electronic signatures have been affixed with the due authorisation of each Party and that Parties intend for the electronic signatures to carry the same weight, effect and meaning as hand-signed wet-ink signatures. SIGNED, for and on behalf of ) Fujioh International Trading Pte Ltd ) By the following: ) Name: ______________________________________ ) Designation: _________________________________ ) Date: _______________________________________ ) ACCEPTED by ) ) Name: ___Yeong Zee Kin_______________________ ) Designation: Deputy Commissioner / Commissioner Personal Data Protection ) Date: _______________________________________ ) SCHEDULE A SUMMARY OF FACTS 1. On 24 August 2020, the Organisation’s website was subject to URL manipulation resulting in its customers’ personal data being exposed via uploaded receipt images. 
The attacker gained access to the Organisation’s website by iterating through the customers’ given identifiers that were reflected at the end of the URL, to download the uploaded receipt images. 2. As a result of the attack, the personal data of the Organisation’s approximately 2,771 users including their name, residential address, email address and telephone number were affected. SCHEDULE B Causes of Incident Remediation Plan 1 Application weakness in the receipt submission process of their online warranty system Introduced session tokens in the online warranty system that expire at the end of each receipt submission 2 Application weakness in the receipt submission process of their online warranty system Replacement of current online warranty system to fix undetected vulnerabilities Target completion by 30 Sep 2021 3 Insufficient data protection management Establish DPMP Completed on 28 Feb 2020 a. Draft policies and notices Target Completion Completed on 25 Aug 2020 b. Establish procedures and templates c. Establish data inventory map d. Establish training data protection curriculum for employees 4 Not having proper data protection clauses in its contract with vendor Establish checklists, procedures and templates for 3rd party vendors: i. Checklists for IT vendors providing IT solutions to FIT ii. Checklists for vendors processing FIT’s personal data; iii. SOPs for 3rd parties handling FIT’s personal data. Completed on 28 Feb 2020 ",1007 13,4a798725b22da14eeb19302545d82f57b69ae88c,13,MindChamps Preschool Limited,https://www.pdpc.gov.sg/Undertakings/Undertaking-by-MindChamps-Preschool-Limited,2021-09-21,"Background  The Personal Data Protection Commission (the “Commission”) received information on 27 February 2020, informing that a dataset containing the personal data of the users of MindChamps Preschool Limited’s (“MindChamps”) mobile application was publicly accessible via an internet link. 
Personal data of approximately 6,521 individuals were affected, namely, email addresses, login passwords and mobile numbers. In addition, the birth certificate numbers of 607 minors were also at risk of unauthorised disclosure. Remedial Actions After the incident, as part of a remediation plan, MindChamps: (a) engaged an external IT consultant to determine the cause of the incident;  (b) performed a password reset for all the user accounts of its mobile application; and  (c) migrated all users to a newly designed mobile application.  Undertaking  Having considered the circumstances of the case, including the remedial steps taken by MindChamps to improve its data protection practices, the Commission accepted an undertaking from MindChamps to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 7 January 2021 (the “Undertaking”).  The Undertaking provided that MindChamps was to complete the implementation of its remediation plan by carrying out data protection and security reviews on all of its current frontend and backend IT systems. In addition, MindChamps would also conduct training for its employees and ensure their compliance with its policies on vendor security management and to perform data protection impact assessments for any new IT projects. MindChamps has since updated the Commission that implementation of its remediation plan has been completed. The Commission has reviewed the matter and determined that MindChamps has complied with the terms of the Undertaking. 
Please click here to view the Undertaking.",https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Undertakings/Undertaking---MindChamps.pdf,"VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Info-communications Media Development Authority designated as the Personal Data Protection Commission under section 5(1) of the PDPA (hereinafter referred to as the “Commission”), by: MindChamps PreSchool Limited UEN: 200814577H Registered Address: 6 Raffles Boulevard, #04-100 Marina Square, Singapore 039594 (hereinafter referred to as the “Organisation”). By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. DEFINITIONS 1.1 In this Undertaking: (a) “Commission’s Letter” means the letter dated 23 December 2020 from the Commission to the Organisation, concerning its investigation under the PDPA, including the appendices thereto; (b) “Data Protection Provisions” means the provisions in Parts III to VI of the PDPA; and (c) “PDPA” means the Personal Data Protection Act 2012 (No. 26 of 2012). 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) As referenced in the Commission’s Letter, the Commission has carried out investigations into certain acts and practices of the Organisation, which potentially infringe one or more of the Data Protection Provisions. (b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to give a direction under section 29 of the PDPA. (c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. 
The Commission further recognises that the Organisation is already implementing the remediation plan set out in clause 3 below. (d) Having carefully considered all the relevant facts and circumstances, the Commission takes the view that this is an appropriate case in which an Undertaking may be accepted. 2.2 The Organisation also acknowledges and agrees that the Commission may publish and make publicly available this Undertaking (which to avoid doubt, includes the Commission’s Letter), and without limitation to the foregoing, the Commission may issue public statements referring to this Undertaking and/or its contents in whole or in part. 3. UNDERTAKINGS 3.1 The Organisation undertakes that it has taken, or will take all necessary steps to implement its remediation plan, namely, to carry out the actions referred to in Schedule A in accordance with the stipulated timelines. 3.2 In addition, the Organisation undertakes to provide, and will ensure that it provides all necessary assistance that the Commission may require to verify the completion of the Organisation’s remediation plan in accordance with Schedule A referred to in clause 3.1, including (without limitation) granting the Commission and its representatives physical access to the Organisation’s premises, providing information and documentation to the Commission, and arranging for meetings and/or interviews with the Organisation’s staff, contractors and/or consultants. 4. COMMENCEMENT 4.1 This Undertaking shall take effect upon the acceptance by the Commission of the Organisation’s duly executed Undertaking. 5. THE COMMISSION’S STATUTORY POWERS 5.1 In order to provide the Organisation with an opportunity to complete all necessary steps to implement its undertakings set out in clause 3 above, the Commission will exercise its powers under section 50(3) of the PDPA to suspend the investigations referred to in clause 2 on the date the Undertaking takes effect as set out in clause 4.1. 
5.2 The Organisation acknowledges that the Commission will verify the Organisation’s compliance with its undertakings set out in clause 3 above. 5.3 Clause 5.1 above shall be without prejudice to the Commission’s statutory powers to conduct or resume, at any time, the investigations referred to in clause 2 above if it thinks fit, including but not limited to the situation where the Organisation fails to comply with this Undertaking or part thereof in relation to any matter. 5.4 Nothing in this Undertaking, including the Commission’s acceptance of the Undertaking, is intended to, or shall, fetter or constrain the Commission’s rights and statutory powers (including but not limited to those under section 29 and section 50 of the PDPA) in any manner. Neither shall be construed as creating any anticipation or expectation that the Commission will take or not take any particular course of action in the future (whether in the present case or in respect of any other case concerning a breach or suspected breach of the PDPA). The acceptance of this Undertaking is strictly confined to the particular facts of the present case, and is made on the basis of the representations and information provided by the Organisation. The acceptance of an Undertaking in this case shall not be construed as establishing any precedent. 6. VARIATION 6.1 This Undertaking may be varied only with the express written agreement of the Commission. This document has been electronically signed by Info-communications Media Development Authority and MindChamps PreSchool Limited. The Parties hereby affirm that the electronic signatures have been affixed with the due authorisation of each Party and that Parties intend for the electronic signatures to carry the same weight, effect and meaning as hand-signed wet-ink signatures. 
SIGNED, for and on behalf of ) MindChamps PreSchool Limited ) By the following: ) Name: ______________________________________ ) Designation: _________________________________ ) Date: _______________________________________ ) ACCEPTED, for and on behalf of ) Personal Data Protection Commission ) By the following: ) Name: ______________________________________ ) Designation: _________________________________ ) Date: _______________________________________ ) SCHEDULE A Remediation Actions by the Organisation 1 To carry out Data Protection and Security Reviews on all of its current front end and backend IT systems. Specific Measures to be done A Data Protection Review would include: (a) Assessment of the need for the system; (b) Updating the personal data inventory; (c) Risk identification in relation to personal data; and (d) Measures to be taken to mitigate risks identified. A Security Review includes: (a) Carrying out Vulnerability Assessment and Penetration Testing (VAPT), or obtaining results of VAPTs already carried out by service providers, e.g. for Software-As-A-Service; (b) Updating and patching computer software; (c) Installing or updating appropriate computer security software (including virus checking) and using suitable computer security settings; and (d) Adopting appropriate access controls (i.e. User passwords, screen saver passwords and limiting access to shared network drives to authorized personnel). Target Completion 1st Month – Identify and prioritise all IT systems; 2nd to 3rd Month – Carry out Data Protection & Security reviews on High Priority IT Systems; 4th to 6th Month – Carry out Data Protection & Security Reviews on Low Priority IT Systems; End of 6th Month – Produce Reports on IT Systems where Data Protection & Security reviews had been carried out. 
2 To review and ensure compliance with its existing policies on Vendor Security Management and Data Protection Impact Assessment for new IT projects. Specific Measures to be done Vendor Security Management Policy for new IT projects covers: (a) Engagement Planning; (b) Vendor Selection / Due Diligence; (c) Contracting (including clauses on Scope and Services, Service Levels and Risk Management Standards, Notification on Adverse Developments, Business Continuity, Dispute Resolution, Subcontracting, Confidentiality and Privacy, Compliance and Termination); (d) After Boarding a New Vendor; and (e) Exit / Renewal. Guidelines for DPIAs on new IT projects consist of: (a) Description of the project; (b) Nature, scope, objectives and purposes of data processing; (c) Assessment of the need for the system; (d) Measures taken in terms of information security, compliance requirements, etc.; (e) Risk identification and assessment in relation to personal data; and (f) Measures to be taken to mitigate risks identified. Target Completion 1st Month – Carry out training for all IT and other relevant staff on the VSMP and DPIA. End of 6th Month - Review and report on compliance with the VSMP and DPIA for new IT Projects during the 6 months prior. Thereafter, training on the VSMP and DPIA and review of compliance to the VSMP and DPIA for new IT Projects will be repeated on an annual basis. 
",1002 46,459a3108f1cf9f634cc30664736c5fcd2c20fb81,13,MindChamps Preschool Limited,https://www.pdpc.gov.sg/undertakings/undertaking-by-mindchamps-preschool-limited,2021-09-21,"Background  The Personal Data Protection Commission (the “Commission”) received information on 27 February 2020, informing that a dataset containing the personal data of the users of MindChamps Preschool Limited’s (“MindChamps”) mobile application was publicly accessible via an internet link. Personal data of approximately 6,521 individuals were affected, namely, email addresses, login passwords and mobile numbers. In addition, the birth certificate numbers of 607 minors were also at risk of unauthorised disclosure. Remedial Actions After the incident, as part of a remediation plan, MindChamps: (a) engaged an external IT consultant to determine the cause of the incident;  (b) performed a password reset for all the user accounts of its mobile application; and  (c) migrated all users to a newly designed mobile application.  Undertaking  Having considered the circumstances of the case, including the remedial steps taken by MindChamps to improve its data protection practices, the Commission accepted an undertaking from MindChamps to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 7 January 2021 (the “Undertaking”).  The Undertaking provided that MindChamps was to complete the implementation of its remediation plan by carrying out data protection and security reviews on all of its current frontend and backend IT systems. In addition, MindChamps would also conduct training for its employees and ensure their compliance with its policies on vendor security management and to perform data protection impact assessments for any new IT projects. MindChamps has since updated the Commission that implementation of its remediation plan has been completed. 
The Commission has reviewed the matter and determined that MindChamps has complied with the terms of the Undertaking. Please click here to view the Undertaking.",https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/undertakings/undertaking---mindchamps.pdf,"VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Info-communications Media Development Authority designated as the Personal Data Protection Commission under section 5(1) of the PDPA (hereinafter referred to as the “Commission”), by: MindChamps PreSchool Limited UEN: 200814577H Registered Address: 6 Raffles Boulevard, #04-100 Marina Square, Singapore 039594 (hereinafter referred to as the “Organisation”). By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. DEFINITIONS 1.1 In this Undertaking: (a) “Commission’s Letter” means the letter dated 23 December 2020 from the Commission to the Organisation, concerning its investigation under the PDPA, including the appendices thereto; (b) “Data Protection Provisions” means the provisions in Parts III to VI of the PDPA; and (c) “PDPA” means the Personal Data Protection Act 2012 (No. 26 of 2012). 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) As referenced in the Commission’s Letter, the Commission has carried out investigations into certain acts and practices of the Organisation, which potentially infringe one or more of the Data Protection Provisions. (b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to give a direction under section 29 of the PDPA. Page 1 of 6 (c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. 
In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation is already implementing the remediation plan set out in clause 3 below. (d) Having carefully considered all the relevant facts and circumstances, the Commission takes the view that this is an appropriate case in which an Undertaking may be accepted. 2.2 The Organisation also acknowledges and agrees that the Commission may publish and make publicly available this Undertaking (which to avoid doubt, includes the Commission’s Letter), and without limitation to the foregoing, the Commission may issue public statements referring to this Undertaking and/or its contents in whole or in part. 3. UNDERTAKINGS 3.1 The Organisation undertakes that it has taken, or will take all necessary steps to implement its remediation plan, namely, to carry out the actions referred to in Schedule A in accordance to the stipulated timelines. 3.2 In addition, the Organisation undertakes to provide, and will ensure that it provides all necessary assistance that the Commission may require to verify the completion of the Organisation’s remediation plan in accordance with Schedule A referred to in clause 3.1, including (without limitation) granting the Commission and its representatives physical access to the Organisation’s premises, providing information and documentation to the Commission, and arranging for meetings and/or interviews with the Organisation’s staff, contractors and/or consultants. 4. COMMENCEMENT 4.1 This Undertaking shall take effect upon the acceptance by the Commission of the Organisation’s duly executed Undertaking. 5. 
THE COMMISSION’S STATUTORY POWERS 5.1 In order to provide the Organisation with an opportunity to complete all necessary steps to implement its undertakings set out in clause 3 above, the Commission will exercise its powers under section 50(3) of the PDPA to suspend the investigations referred to in clause 2 on the date the Undertaking takes effect as set out in clause 4.1. 5.2 The Organisation acknowledges that the Commission will verify the Organisation’s compliance with its undertakings set out in clause 3 above. 5.3 Clause 5.1 above shall be without prejudice to the Commission’s statutory powers to conduct or resume, at any time, the investigations referred to in clause 2 above if it thinks fit, including but not limited to the situation where the Organisation fails to comply with this Undertaking or part thereof in relation to any matter. 5.4 Nothing in this Undertaking, including the Commission’s acceptance of the Undertaking, is intended to, or shall, fetter or constrain the Commission’s rights and statutory powers (including but not limited to those under section 29 and section 50 of the PDPA) in any manner. Neither shall be construed as creating any anticipation or expectation that the Commission will take or not take any particular course of action in the future (whether in the present case or in respect of any other case concerning a breach or suspected breach of the PDPA). The acceptance of this Undertaking is strictly confined to the particular facts of the present case, and is made on the basis of the representations and information provided by the Organisation. The acceptance of an Undertaking in this case shall not be construed as establishing any precedent. 6. VARIATION 6.1 This Undertaking may be varied only with the express written agreement of the Commission. This document has been electronically signed by Info-communications Media Development Authority and MindChamps PreSchool Limited. 
The Parties hereby affirm that the electronic signatures have been affixed with the due authorisation of each Party and that Parties intend for the electronic signatures to carry the same weight, effect and meaning as hand-signed wet-ink signatures. SIGNED, for and on behalf of MindChamps PreSchool Limited by the following: Name: ______________________________________ Designation: _________________________________ Date: _______________________________________ ACCEPTED, for and on behalf of Personal Data Protection Commission by the following: Name: ______________________________________ Designation: _________________________________ Date: _______________________________________
SCHEDULE A Remediation Actions by the Organisation (each item lists the action, the specific measures to be done and the target completion)
1. To carry out Data Protection and Security Reviews on all of its current front end and backend IT systems. Specific Measures to be done: A Data Protection Review would include: (a) Assessment of the need for the system; (b) Updating the personal data inventory; (c) Risk identification in relation to personal data; and (d) Measures to be taken to mitigate risks identified. A Security Review includes: (a) Carrying out Vulnerability Assessment and Penetration Testing (VAPT), or obtaining results of VAPTs already carried out by service providers, e.g. for Software-as-a-Service; (b) Updating and patching computer software; (c) Installing or updating appropriate computer security software (including virus checking) and using suitable computer security settings; and (d) Adopting appropriate access controls (i.e. user passwords, screen saver passwords and limiting access to shared network drives to authorised personnel). Target Completion: 1st Month – Identify and prioritise all IT systems; 2nd to 3rd Month – Carry out Data Protection & Security reviews on High Priority IT Systems; 4th to 6th Month – Carry out Data Protection & Security Reviews on Low Priority IT Systems; End of 6th Month – Produce Reports on IT Systems where Data Protection & Security reviews had been carried out.
2. To review and ensure compliance with its existing policies on Vendor Security Management and Data Protection Impact Assessment for new IT projects. Specific Measures to be done: The Vendor Security Management Policy for new IT projects covers: (a) Engagement Planning; (b) Vendor Selection / Due Diligence; (c) Contracting (including clauses on Scope and Services, Service Levels and Risk Management Standards, Notification on Adverse Developments, Business Continuity, Dispute Resolution, Subcontracting, Confidentiality and Privacy, Compliance and Termination); (d) After Boarding a New Vendor; and (e) Exit / Renewal. Guidelines for DPIAs on new IT projects consist of: (a) Description of the project; (b) Nature, scope, objectives and purposes of data processing; (c) Assessment of the need for the system; (d) Measures taken in terms of information security, compliance requirements, etc.; (e) Risk identification and assessment in relation to personal data; and (f) Measures to be taken to mitigate risks identified. Target Completion: 1st Month – Carry out training for all IT and other relevant staff on the VSMP and DPIA; End of 6th Month – Review and report on compliance with the VSMP and DPIA for new IT Projects during the 6 months prior. Thereafter, training on the VSMP and DPIA and review of compliance with the VSMP and DPIA for new IT Projects will be repeated on an annual basis. 
",1007 12,bf8314bbb67139fb3195e857b03fd2e125c3c50d,12,Equity Solution Pte Ltd,https://www.pdpc.gov.sg/Undertakings/Undertaking-by-Equity-Solution-Pte-Ltd,2021-08-12,"Background The Personal Data Protection Commission (the “Commission”) received a data breach notification on 23 February 2021 from Equity Solution Pte Ltd (“ESPL”), informing that ESPL had been subject to a phishing attack after a staff member opened an email containing an excel file with macro-enabled malware. The personal data of approximately 1,359 individuals was affected. The affected datasets comprised the affected individuals’ names, addresses, dates of birth, NRIC numbers, passport numbers and financial information. It was established that (a) ESPL had insufficient training for its staff on basic cybersecurity and data protection measures, and (b) there was no IT security policy for, and no security risk management of, its information and communications technology (“ICT”) operations. Remedial Actions After the incident, as part of a remediation plan, ESPL promptly implemented the following measures: (a) Secured files and documents using password protection; (b) Hardened its operating system; (c) Implemented a strong password protection policy; (d) Reviewed and updated its email usage policy; (e) Implemented training and awareness programmes for its employees; and (f) Reviewed and updated its personal data protection policy. Undertaking The Commission recognises that ESPL has made efforts to address the concerns raised in this case and to improve its personal data protection practices. Having considered the circumstances of the case, the Commission accepted an undertaking from ESPL to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 8 June 2021 (the “Undertaking”). 
The Undertaking provided that ESPL was to complete implementation of its remediation plan by subscribing to an email service provider with greater privacy and security features, and enhancing its data security processes. ESPL has since updated the Commission that implementation of its remediation plan has been completed. The Commission has reviewed the matter and determined that ESPL has complied with the terms of the Undertaking.  Please click here to view the Undertaking.",https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Undertakings/Undertaking---Equity-Solution-Pte-Ltd.pdf,"WRITTEN VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Personal Data Protection Commission or its delegates pursuant to section 48L(1) of the PDPA, by: Equity Solution Pte Ltd UEN: 201601961Z Registered Address: 16 Kallang Pl #07-03 Singapore (339156) (hereinafter referred to as the “Organisation”). By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. DEFINITIONS 1.1 In this Undertaking: (a) “PDPA” means the Personal Data Protection Act 2012 (No. 26 of 2012); and (b) “Relevant Provisions” means the provisions in Parts 3, 4, 5, 6, 6A, 6B and 9, and section 48B(1) of the PDPA. 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) The Commission has carried out investigations into certain acts and practices of the Organisation, and has reason to believe that the Organisation has not complied, is not complying, or is likely not to comply with one or more of the Relevant Provisions. The relevant facts and circumstances are summarised at Schedule A. (b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to issue directions under sections 48I or 48J of the PDPA. 
(c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation appears ready to implement or is in the midst of implementing the steps set out in Schedule B. (d) Having carefully considered all the relevant facts and circumstances, the Commission takes the view that this is an appropriate case in which an Undertaking may be accepted. 2.2 The Organisation also acknowledges and agrees that the Commission may publish and make publicly available this Undertaking, and without limitation to the foregoing, the Commission may issue public statements referring to this Undertaking and/or its contents in whole or in part. 3. UNDERTAKINGS 3.1 The Organisation undertakes that it has taken, or will take all necessary steps, to carry out the actions or refrain from carrying out the actions referred to in Schedule B, and where applicable, in accordance with the stipulated timelines. 4. COMMENCEMENT 4.1 This Undertaking shall take effect upon the acceptance by the Commission of the Organisation’s duly executed Undertaking. 5. THE COMMISSION’S STATUTORY POWERS 5.1 In order to provide the Organisation with an opportunity to complete all necessary steps to implement its undertakings set out in clause 3 above, the Commission will exercise its powers under section 50(3)(ca) of the PDPA to suspend the investigations referred to in clause 2 on the date the Undertaking takes effect as set out in clause 4.1. 5.2 The Organisation acknowledges that the Commission will verify the Organisation’s compliance with its undertakings set out in clause 3 above, and if necessary, will exercise its powers under the Ninth Schedule of the PDPA to do so. 
5.3 Clause 5.1 above shall be without prejudice to the Commission’s statutory powers to conduct or resume, at any time, the investigations referred to in clause 2 above if it thinks fit, including but not limited to the situation where the Organisation fails to comply with this Undertaking or part thereof in relation to any matter. 5.4 Nothing in this Undertaking, including the Commission’s acceptance of the Undertaking, is intended to, or shall, fetter or constrain the Commission’s rights and statutory powers (including but not limited to those under sections 48I, 48J, 48L(4) and 50 of the PDPA) in any manner. Neither shall be construed as creating any anticipation or expectation that the Commission will take or not take any particular course of action in the future (whether in the present case or in respect of any other case concerning a breach or suspected breach of the PDPA). The acceptance of this Undertaking is strictly confined to the particular facts of the present case, and is made on the basis of the representations and information provided by the Organisation. The acceptance of an Undertaking in this case shall not be construed as establishing any precedent. 6. VARIATION 6.1 This Undertaking may be varied only with the express written agreement of the Commission. This document has been electronically signed. The Parties hereby affirm that the electronic signatures have been affixed with the due authorisation of each Party and that Parties intend for the electronic signatures to carry the same weight, effect and meaning as hand-signed wet-ink signatures. 
SIGNED, for and on behalf of Equity Solution Pte Ltd by the following: Name: ______________________________________ Designation: _________________________________ Date: _______________________________________ ACCEPTED by Name: _____Yeong Zee Kin______________________ Designation: Deputy Commissioner / Commissioner Personal Data Protection Date: _______________________________________
SCHEDULE A SUMMARY OF FACTS 1. On 3 February 2021, the Organisation was subjected to a phishing attack after a staff member opened an email containing an excel file with macro-enabled malware. 2. As a result of the attack, the personal data of the Organisation’s approximately 1,359 users including their name, residential address, date of birth, NRIC numbers, passport numbers and financial information were affected.
SCHEDULE B Remediation Plan (each item lists the remedial action, its status and the date of completion)
Remedial Actions Taken in Response to the Incident (Status: Completed; Date of Completion: February 2021). The following are the remedial actions which had been adopted in response to the Incident: (1) ES has changed its passwords of the affected email account on 19 February 2021. (2) ES engaged CS Intelligence to conduct a scan on the compromised laptop to ensure that there are no traces of any malware or malicious files. (3) ES has deleted all email containing personal data or attachments with personal data from the inbox and sent folder of the affected email account on 22 February 2021. (4) ES has stopped the use of cloud storage services and migrated all the electronic files containing personal data into an external hard drive. (5) The external portable hard drive will be stored securely in a locked drawer in the office when not in use.
Securing Files and Documents using Password Protection (Status: Completed; Date of Completion: February 2021). ES will password protect all of its electronic files containing personal data of its customers when transmitting them by way of email and require all of its business partners to do the same. The password to the files will be sent in a separate email. This is to reduce the risk of ES falling victim to phishing emails and mitigate the risk of data exfiltration. This policy change will be reflected in ES’s DPMP.
Hardening of Operating System (Status: Completed; Date of Completion: February 2021). (1) ES will ensure that the Windows OS firewall is activated and updated to deny unauthorised inbound connections and only allow approved outbound connections. (2) ES will remove and disable non-essential software, drivers, services, file sharing, and functionality which could act as back doors to the system. (3) ES will turn on HDD encryption, such as Windows BitLocker, to prevent any data exfiltration in the event the computer were to be stolen or when there is a HDD replacement. (4) ES will subscribe to a managed service provider (MSP) with 24x7 protection by a Security Operation Centre provided by CS Intelligence (CSI) to monitor and protect against potential malicious activities. The CXO will be installed on the company laptops to safeguard the computers from advanced malware that does keylogging activities, ransomware, code injections and other potentially malicious acts. A copy of the promotional material for the CXO package is annexed hereto.
Implementing Strong Password Protection Policy (Status: Completed; Date of Completion: February 2021). ES will require its employees to change their login credentials for both their laptops and email accounts regularly every month using a complex password combination. All passwords must contain at least 1 uppercase letter, 1 lowercase letter and 1 special symbol.
Reviewing and Updating Email Usage Policy (Status: Completed; Date of Completion: February 2021). The inbox and sent folder of ES email accounts will be reviewed once every 6 months for emails containing personal data or email attachments containing personal data. Such emails and/or email attachments will be password protected and archived in ES’s offline external portable hard drive to be kept in a secured locked drawer/safe and deleted from the inbox and/or sent folder once the transaction or the matter to which they relate has concluded. ES will also review its email account access logs regularly to detect any suspicious logins from outside Singapore.
Implementing Training and Awareness Programme for Employees (Status: Completed; Date of Completion: May 2021). User awareness training will be implemented so that employees are more vigilant and learn how to identify legitimate email without clicking on any unknown or suspicious emails. A refresher course will also be carried out for its employees on the PDPA obligations, as well as to inform them of the company’s updated data protection policies and processes.
Reviewing and Updating Personal Data Protection Policy (Status: Completed; Date of Completion: May 2021). A review of the company’s policies and processes will be conducted by compiling and supplementing existing personal data protection policies and processes into the company’s Data Management Programme (DPMP).
Subscribing to Reputable Email Service Provider (Status: In progress; Date of Completion: July 2021). ES will change its email hosting service provider from Vodien to Microsoft Office, which provides greater privacy and security features to prevent unauthorised access, such as two-factor authentication logins, as well as anti-spam, anti-malware, and anti-phishing features to scan and flag emails with potentially malicious file attachments. In particular, Microsoft has implicit email authentication built in which verifies that email messages from a sender are legitimate and come from expected sources. Once ES has changed its email hosting service provider, ES will turn on two-factor authentication as a secondary authentication for all of its email addresses to prevent unauthorised access to the accounts. ES would also be enquiring with other email hosting service providers such as Google, Adnovum, Bluehost and GoDaddy for such purposes.
Data Security Enhancement (Status: In progress; Date of Completion: July 2021). Data would be transferred to a Seagate external hard drive which is equipped with password protection and AES-256 hardware encryption to prevent data exfiltration in the event that the external hard drive is lost. The external portable hard drive will be stored securely in a locked drawer in the office when not in use. ",1002 45,4b84132c40dc7ce974ad12d8f9104f27168d095b,12,Equity Solution Pte Ltd,https://www.pdpc.gov.sg/undertakings/undertaking-by-equity-solution-pte-ltd,2021-08-12,"Background The Personal Data Protection Commission (the “Commission”) received a data breach notification on 23 February 2021 from Equity Solution Pte Ltd (“ESPL”), informing that ESPL had been subject to a phishing attack after a staff member opened an email containing an excel file with macro-enabled malware. The personal data of approximately 1,359 individuals was affected. The affected datasets comprised the affected individuals’ names, addresses, dates of birth, NRIC numbers, passport numbers and financial information. It was established that (a) ESPL had insufficient training for its staff on basic cybersecurity and data protection measures, and (b) there was no IT security policy for, and no security risk management of, its information and communications technology (“ICT”) operations. 
Remedial Actions After the incident, as part of a remediation plan, ESPL promptly implemented the following measures: (a) Secured files and documents using password protection; (b) Hardened its operating system; (c) Implemented a strong password protection policy; (d) Reviewed and updated its email usage policy; (e) Implemented training and awareness programmes for its employees; and (f) Reviewed and updated its personal data protection policy. Undertaking The Commission recognises that ESPL has made efforts to address the concerns raised in this case and to improve its personal data protection practices. Having considered the circumstances of the case, the Commission accepted an undertaking from ESPL to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 8 June 2021 (the “Undertaking”). The Undertaking provided that ESPL was to complete implementation of its remediation plan by subscribing to an email service provider with greater privacy and security features, and enhancing its data security processes. ESPL has since updated the Commission that implementation of its remediation plan has been completed. The Commission has reviewed the matter and determined that ESPL has complied with the terms of the Undertaking. Please click here to view the Undertaking.",https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/undertakings/undertaking---equity-solution-pte-ltd.pdf,"WRITTEN VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Personal Data Protection Commission or its delegates pursuant to section 48L(1) of the PDPA, by: Equity Solution Pte Ltd UEN: 201601961Z Registered Address: 16 Kallang Pl #07-03 Singapore (339156) (hereinafter referred to as the “Organisation”). By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. 
DEFINITIONS 1.1 In this Undertaking: (a) “PDPA” means the Personal Data Protection Act 2012 (No. 26 of 2012); and (b) “Relevant Provisions” means the provisions in Parts 3, 4, 5, 6, 6A, 6B and 9, and section 48B(1) of the PDPA. 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) The Commission has carried out investigations into certain acts and practices of the Organisation, and has reason to believe that the Organisation has not complied, is not complying, or is likely not to comply with one or more of the Relevant Provisions. The relevant facts and circumstances are summarised at Schedule A. (b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to issue directions under sections 48I or 48J of the PDPA. (c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation appears ready to implement or is in the midst of implementing the steps set out in Schedule B. (d) Having carefully considered all the relevant facts and circumstances, the Commission takes the view that this is an appropriate case in which an Undertaking may be accepted. 2.2 The Organisation also acknowledges and agrees that the Commission may publish and make publicly available this Undertaking, and without limitation to the foregoing, the Commission may issue public statements referring to this Undertaking and/or its contents in whole or in part. 3. 
UNDERTAKINGS 3.1 The Organisation undertakes that it has taken, or will take all necessary steps, to carry out the actions or refrain from carrying out the actions referred to in Schedule B, and where applicable, in accordance with the stipulated timelines. 4. COMMENCEMENT 4.1 This Undertaking shall take effect upon the acceptance by the Commission of the Organisation’s duly executed Undertaking. 5. THE COMMISSION’S STATUTORY POWERS 5.1 In order to provide the Organisation with an opportunity to complete all necessary steps to implement its undertakings set out in clause 3 above, the Commission will exercise its powers under section 50(3)(ca) of the PDPA to suspend the investigations referred to in clause 2 on the date the Undertaking takes effect as set out in clause 4.1. 5.2 The Organisation acknowledges that the Commission will verify the Organisation’s compliance with its undertakings set out in clause 3 above, and if necessary, will exercise its powers under the Ninth Schedule of the PDPA to do so. 5.3 Clause 5.1 above shall be without prejudice to the Commission’s statutory powers to conduct or resume, at any time, the investigations referred to in clause 2 above if it thinks fit, including but not limited to the situation where the Organisation fails to comply with this Undertaking or part thereof in relation to any matter. 5.4 Nothing in this Undertaking, including the Commission’s acceptance of the Undertaking, is intended to, or shall, fetter or constrain the Commission’s rights and statutory powers (including but not limited to those under sections 48I, 48J, 48L(4) and 50 of the PDPA) in any manner. Neither shall be construed as creating any anticipation or expectation that the Commission will take or not take any particular course of action in the future (whether in the present case or in respect of any other case concerning a breach or suspected breach of the PDPA). 
The acceptance of this Undertaking is strictly confined to the particular facts of the present case, and is made on the basis of the representations and information provided by the Organisation. The acceptance of an Undertaking in this case shall not be construed as establishing any precedent. 6. VARIATION 6.1 This Undertaking may be varied only with the express written agreement of the Commission. This document has been electronically signed. The Parties hereby affirm that the electronic signatures have been affixed with the due authorisation of each Party and that Parties intend for the electronic signatures to carry the same weight, effect and meaning as hand-signed wet-ink signatures. SIGNED, for and on behalf of Equity Solution Pte Ltd by the following: Name: ______________________________________ Designation: _________________________________ Date: _______________________________________ ACCEPTED by Name: _____Yeong Zee Kin______________________ Designation: Deputy Commissioner / Commissioner Personal Data Protection Date: _______________________________________
SCHEDULE A SUMMARY OF FACTS 1. On 3 February 2021, the Organisation was subjected to a phishing attack after a staff member opened an email containing an excel file with macro-enabled malware. 2. As a result of the attack, the personal data of the Organisation’s approximately 1,359 users including their name, residential address, date of birth, NRIC numbers, passport numbers and financial information were affected.
SCHEDULE B Remediation Plan (each item lists the remedial action, its status and the date of completion)
Remedial Actions Taken in Response to the Incident (Status: Completed; Date of Completion: February 2021). The following are the remedial actions which had been adopted in response to the Incident: (1) ES has changed its passwords of the affected email account on 19 February 2021. (2) ES engaged CS Intelligence to conduct a scan on the compromised laptop to ensure that there are no traces of any malware or malicious files. (3) ES has deleted all email containing personal data or attachments with personal data from the inbox and sent folder of the affected email account on 22 February 2021. (4) ES has stopped the use of cloud storage services and migrated all the electronic files containing personal data into an external hard drive. (5) The external portable hard drive will be stored securely in a locked drawer in the office when not in use.
Securing Files and Documents using Password Protection (Status: Completed; Date of Completion: February 2021). ES will password protect all of its electronic files containing personal data of its customers when transmitting them by way of email and require all of its business partners to do the same. The password to the files will be sent in a separate email. This is to reduce the risk of ES falling victim to phishing emails and mitigate the risk of data exfiltration. This policy change will be reflected in ES’s DPMP.
Hardening of Operating System (Status: Completed; Date of Completion: February 2021). (1) ES will ensure that the Windows OS firewall is activated and updated to deny unauthorised inbound connections and only allow approved outbound connections. (2) ES will remove and disable non-essential software, drivers, services, file sharing, and functionality which could act as back doors to the system. (3) ES will turn on HDD encryption, such as Windows BitLocker, to prevent any data exfiltration in the event the computer were to be stolen or when there is a HDD replacement. (4) ES will subscribe to a managed service provider (MSP) with 24x7 protection by a Security Operation Centre provided by CS Intelligence (CSI) to monitor and protect against potential malicious activities. The CXO will be installed on the company laptops to safeguard the computers from advanced malware that does keylogging activities, ransomware, code injections and other potentially malicious acts. A copy of the promotional material for the CXO package is annexed hereto. 
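The Hardening of Operating System item above (and the identical item in the earlier copy of this undertaking on the page) commits to three endpoint controls: the host firewall on with unauthorised inbound connections denied, non-essential services and file sharing disabled, and BitLocker disk encryption. The PowerShell audit below is an added example, not part of the PDPC undertaking and not tooling belonging to ES or CS Intelligence; it checks a single Windows 10/11 Pro or Enterprise endpoint against those three controls using the built-in NetSecurity and BitLocker modules. The list of non-essential services is an illustrative assumption and should be replaced with the services actually disabled under item (2).

```powershell
#Requires -RunAsAdministrator
# Added example: audit one Windows endpoint against the three hardening
# controls stated in the remediation plan. Reports only; changes nothing.

$findings = [System.Collections.Generic.List[string]]::new()

# (1) Host firewall: every profile (Domain, Private, Public) must be enabled
#     and must block inbound traffic by default.
foreach ($p in Get-NetFirewallProfile) {
    if ($p.Enabled -ne 'True') {
        $findings.Add(('Firewall profile {0} is not enabled' -f $p.Name))
    }
    if ($p.DefaultInboundAction -ne 'Block') {
        $findings.Add(('Firewall profile {0} default inbound action is {1}, expected Block' -f $p.Name, $p.DefaultInboundAction))
    }
}

# (2) Non-essential services and file sharing. Assumed, illustrative list:
#     Remote Registry, the SMB file-sharing server (LanmanServer) and Telnet
#     are not needed on a staff laptop used for email and documents.
$nonEssential = @('RemoteRegistry', 'LanmanServer', 'TlntSvr')
foreach ($name in $nonEssential) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($null -ne $svc -and $svc.StartType -ne 'Disabled') {
        $findings.Add(('Service {0} is {1} with StartType {2}; expected Disabled' -f $svc.Name, $svc.Status, $svc.StartType))
    }
}

# (3) Disk encryption: the OS volume must be fully encrypted with BitLocker
#     protection switched on (a suspended or partly encrypted volume fails).
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive
if ($os.ProtectionStatus -ne 'On' -or $os.VolumeStatus -ne 'FullyEncrypted') {
    $findings.Add(('BitLocker on {0}: ProtectionStatus={1}, VolumeStatus={2}' -f $os.MountPoint, $os.ProtectionStatus, $os.VolumeStatus))
}

if ($findings.Count -eq 0) {
    Write-Output 'PASS: firewall, service and BitLocker checks all satisfied'
} else {
    Write-Output ('FAIL: {0} finding(s)' -f $findings.Count)
    $findings | ForEach-Object { Write-Output ('  - ' + $_) }
}
```

Run it from an elevated PowerShell session on each company laptop; any finding means the host does not yet match what the plan states. The script deliberately only reports, so whoever verifies compliance can run it without side effects, and the same output can be kept as evidence of the date the control was checked.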
Implementing Strong Password Protection Completed Policy ES will require its employees to change their login credentials for both their laptops and email accounts regularly every month using a complex password combination. All passwords must contain at least 1 uppercase alphabet, 1 lowercase alphabet and 1 special symbol. February 2021 Reviewing and Updating Email Usage Policy Completed The inbox and sent folder of ES email accounts will be reviewed once every 6 months for emails containing personal data or email attachments containing personal data. Such emails and/or email attachments will be password protected and archived in ES’s offline external portable hard drive to be kept in a secured locked drawer/safe and deleted from the inbox and/or sent folder once the transaction or the matter to which they relate have concluded. ES will also review its email account access logs regularly to detect if there is suspicious login outside of Singapore. Implementing Training and Awareness Completed Programme for Employees User training awareness will be implemented to be more vigilant and learn how to identify legitimate email without clicking on any unknown or suspicious emails. A refresher course will also be carried out for its employees on the PDPA obligations, as well as inform them of the company’s updated data protection policies and processes. February 2021 May 2021 Reviewing and Updating Personal Data Protection Policy A review of the company’s policies and processes will be conducted by compiling and supplementing existing personal data protection policies and processes into the company’s Data Management Programme (DPMP). 
Completed May 2021 Subscribing to Reputable Email Service In progress July 2021 Provider ES will change its email hosting service provider from Vodien to Microsoft Office which provides greater privacy and security features to prevent unauthorised access, such as two-factor authentication logins, as well as anti-spam, antimalware, and anti-phishing features to scan and flag out emails with potentially malicious file attachments. In particular, Microsoft has an implicit email authentication built in which verifies that email messages from a sender are legitimate and come from expected sources. Once ES has changed its email hosting service provider, ES will turn on its two-factor authentication as a secondary authentication to all of its email addresses to prevent unauthorised access to the accounts. ES would also be enquiring on other email hosting service provider such as google, adnovum, bluehost and godaddy for such purposes. Data Security Enhancement: In progress July 2021 Data would be transferred to a Seagate external hard drive which is equipped with password protection and AES-256 hardware encryption to prevent data exfiltration in the event that the external hard drive is lost. The external portable hard drive will be stored securely in a locked drawer in the office when not in use. ",1007 10,ab34617b61ded83277fee4392b60509b7a1f6eaf,10,Assisi Hospice,https://www.pdpc.gov.sg/Undertakings/Undertaking-by-Assisi-Hospice,2021-07-12,"Background  The Personal Data Protection Commission (the “Commission”) received a data breach notification on 22 September 2020 from Assisi Hospice (“Assisi”). Assisi had disclosed personal data of its patients (“Patients”) via 43 separate emails (“Emails”) sent erroneously to a single unintended external party from January to September 2020. The aforesaid personal data was contained in a list set out in an Excel spreadsheet (“List”) attached to the Emails and updated periodically. 
The List was meant to serve as easy reference for after hours on-call employees, especially if there are difficulties in accessing Patients’ data, such as when the system containing the electronic patients’ record is undergoing maintenance. The List included the names, addresses, contact numbers, NRIC numbers and disease classifications of 1593 Patients (cumulative number over the 43 occasions). The disease classifications are referenced from the International Classification of Diseases.  It was established that the disclosure occurred due to an Assisi employee sending the Emails to an erroneous email address belonging to an external party. Notably, the erroneous email address was not an official work email account. The said employee had also not followed Assisi’s existing personal data protection policy to password protect the List.  Remedial Actions After the incident, as part of the remediation plan, Assisi:  (a) ceased the practice of distributing a soft-copy List containing personal data of the Patients to its after hours on-call employees (including via emails) and required such employees to refer to the electronic patient records instead;  (b) reminded all employees to password protect email attachments containing personal data and to send the password in a separate channel or email thereafter. Where an email has no attachment, employees were required to mask personal data in the email body itself; (c) reminded all employees to use only work email accounts for communication of work-related items, and not to send any email containing sensitive and/or confidential data to non-work email accounts; and  (d) reviewed every department’s work processes in relation to the management of personal data. Its data protection officer would also commence sending emails on a quarterly basis to remind its employees of the existing personal data protection policies.   
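The remediation policy above (password protect attachments, mask personal data in the email body) and the sender alert that the Undertaking goes on to require both rest on one piece of detection logic: recognising an NRIC or FIN in outgoing content, and telling a password-protected attachment from an unprotected one. The Python below is an added example written for this page; it is not Assisi Hospice's tooling or an Office 365 rule, and the sample mail body and workbook bytes it uses are constructed inline. It validates candidates against the NRIC/FIN checksum rather than matching the letter-digits-letter shape alone (which would also fire on invoice or case numbers), inspects the XML parts of an unprotected .xlsx, and treats a compound file carrying an EncryptedPackage stream as password protected.

```python
import io
import re
import zipfile
from typing import Dict, List

# Weights applied to the seven digits of a Singapore NRIC/FIN, left to right.
WEIGHTS = (2, 7, 6, 5, 4, 3, 2)
# Check-letter tables indexed by (weighted sum + prefix offset) mod 11.
CHECK_LETTERS = {
    'S': 'JZIHGFEDCBA', 'T': 'JZIHGFEDCBA',  # NRIC
    'F': 'XWUTRQPNMLK', 'G': 'XWUTRQPNMLK',  # FIN
    'M': 'XWUTRQPNJLK',                      # FIN series issued from 2022
}
PREFIX_OFFSET = {'T': 4, 'G': 4, 'M': 3}
# Candidate shape: prefix letter, seven digits, check letter, as a whole token.
NRIC_RE = re.compile(r'\b([STFGM])(\d{7})([A-Z])\b')

# Magic numbers used to tell an unprotected Office file from a protected one.
ZIP_MAGIC = b'PK\x03\x04'                        # plain .xlsx/.docx is a ZIP
CFB_MAGIC = b'\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1'  # compound file (.xls, or encrypted OOXML)
# Stream that carries the ciphertext in a password-protected OOXML file; names in
# the compound-file directory are stored as UTF-16LE.
ENCRYPTED_PACKAGE = 'EncryptedPackage'.encode('utf-16-le')


def is_valid_nric(candidate: str) -> bool:
    '''True only when the check letter matches the NRIC/FIN checksum.'''
    m = NRIC_RE.fullmatch(candidate.upper())
    if not m:
        return False
    prefix, digits, check = m.groups()
    total = sum(int(d) * w for d, w in zip(digits, WEIGHTS)) + PREFIX_OFFSET.get(prefix, 0)
    return CHECK_LETTERS[prefix][total % 11] == check


def find_nric_fin(text: str) -> List[str]:
    '''Checksum-valid NRIC/FIN values in free text, in order, without repeats.'''
    found: List[str] = []
    for m in NRIC_RE.finditer(text.upper()):
        value = m.group(0)
        if value not in found and is_valid_nric(value):
            found.append(value)
    return found


def is_password_protected(data: bytes) -> bool:
    '''Office attachments only: a protected .xlsx/.docx is rewritten as a compound
    file holding an EncryptedPackage stream. Legacy .xls/.doc are compound files
    too, so the magic alone is not enough and the stream name is required.'''
    return data.startswith(CFB_MAGIC) and ENCRYPTED_PACKAGE in data


def ids_in_ooxml(data: bytes) -> List[str]:
    '''NRIC/FIN values inside an unprotected OOXML file (its XML parts are readable).'''
    ids: List[str] = []
    if not data.startswith(ZIP_MAGIC):
        return ids
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for member in z.namelist():
            if member.endswith('.xml'):
                for v in find_nric_fin(z.read(member).decode('utf-8', 'replace')):
                    if v not in ids:
                        ids.append(v)
    return ids


def scan_outgoing_mail(body: str, attachments: Dict[str, bytes]) -> List[str]:
    '''Alerts the sender should see before the mail leaves: an NRIC/FIN in the
    body, or in an attachment that is not password protected.'''
    alerts = []
    body_ids = find_nric_fin(body)
    if body_ids:
        alerts.append('body contains NRIC/FIN: ' + ', '.join(body_ids))
    for name, data in attachments.items():
        if is_password_protected(data):
            continue  # contents cannot be inspected, and the policy is satisfied
        found = ids_in_ooxml(data)
        if found:
            alerts.append('attachment ' + name + ' is not password protected and contains NRIC/FIN: ' + ', '.join(found))
    return alerts


def make_xlsx(cells: List[str]) -> bytes:
    '''Constructed stand-in for an unprotected workbook: a ZIP whose sharedStrings part holds the cell text.'''
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as z:
        z.writestr('[Content_Types].xml', '<Types/>')
        z.writestr('xl/sharedStrings.xml', '<sst>' + ''.join('<si><t>' + c + '</t></si>' for c in cells) + '</sst>')
    return buf.getvalue()


# Constructed stand-in for a password-protected workbook: compound-file header
# followed by a directory entry naming the EncryptedPackage stream.
PROTECTED_XLSX = CFB_MAGIC + b'\x00' * 504 + ENCRYPTED_PACKAGE + b'\x00' * 16
```

The caveat worth stating: a legacy .xls or .doc is also a compound file, so is_password_protected() insists on the EncryptedPackage stream name rather than trusting the magic bytes, and an unprotected legacy file is simply not inspected by ids_in_ooxml(). A production rule would also need to look inside PDFs and archives, and should log a hit without echoing the full identifier into the alert mail.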
Undertaking  Having considered the circumstances of the case, including the remedial steps taken by Assisi to improve its personal data protection practices, the Commission accepted an undertaking from Assisi to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 16 December 2020 (the “Undertaking”).  The Undertaking provided that Assisi was to complete the implementation of its remediation plan, that is to set alerts in its email system to alert the sender whenever there is sensitive information like a NRIC number or FIN in the email body and/or whenever there is a NRIC number or FIN in an attachment that is not password protected.  Assisi has since updated the Commission that implementation of its remediation plan has been completed. The Commission has reviewed the matter and determined that Assisi has complied with the terms of the Undertaking.  Please click here to view the Undertaking.",https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Undertakings/Undertaking-for-Assisi-Hospice.pdf,"VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Info-communications Media Development Authority designated as the Personal Data Protection Commission under section 5(1) of the PDPA (hereinafter referred to as the “Commission”), by: Assisi Hospice UEN: 201208993Z Registered Address: 80 Raffles Place, #32-01, UOB Plaza, Singapore 048624 (hereinafter referred to as the “Organisation”). By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. 
DEFINITIONS 1.1 In this Undertaking: (a) “Commission’s Letter” means the letter dated 15 December 2020 from the Commission to the Organisation, concerning its investigation under the PDPA, including the appendices thereto; (b) “Data Protection Provisions” means the provisions in Parts III to VI of the PDPA; and (c) “PDPA” means the Personal Data Protection Act 2012 (No. 26 of 2012). 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) As referenced in the Commission’s Letter, the Commission has carried out investigations into certain acts and practices of the Organisation, which potentially infringe one or more of the Data Protection Provisions. (b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to give a direction under section 29 of the PDPA. (c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation is already implementing the remediation plan set out in clause 3 below. (d) Having carefully considered all the relevant facts and circumstances, the Commission takes the view that this is an appropriate case in which an Undertaking may be accepted. 2.2 The Organisation also acknowledges and agrees that the Commission may publish and make publicly available this Undertaking (which to avoid doubt, includes the Commission’s Letter), and without limitation to the foregoing, the Commission may issue public statements referring to this Undertaking and/or its contents in whole or in part. 3. 
UNDERTAKINGS 3.1 The Organisation undertakes that it has taken, or will take all necessary steps to implement its remediation plan, namely, to carry out the actions referred to in Schedule A in accordance to the stipulated timelines. 3.2 In addition, the Organisation undertakes to provide, and will ensure that it provides all necessary assistance that the Commission may require to verify the completion of the Organisation’s remediation plan in accordance with Schedule A referred to in clause 3.1, including (without limitation) granting the Commission and its representatives physical access to the Organisation’s premises, providing information and documentation to the Commission, and arranging for meetings and/or interviews with the Organisation’s staff, contractors and/or consultants. 4. COMMENCEMENT 4.1 This Undertaking shall take effect upon the acceptance by the Commission of the Organisation’s duly executed Undertaking. 5. THE COMMISSION’S STATUTORY POWERS 5.1 In order to provide the Organisation with an opportunity to complete all necessary steps to implement its undertakings set out in clause 3 above, the Commission will exercise its powers under section 50(3) of the PDPA to suspend the investigations referred to in clause 2 on the date the Undertaking takes effect as set out in clause 4.1. 5.2 The Organisation acknowledges that the Commission will verify the Organisation’s compliance with its undertakings set out in clause 3 above. 5.3 Clause 5.1 above shall be without prejudice to the Commission’s statutory powers to conduct or resume, at any time, the investigations referred to in clause 2 above if it thinks fit, including but not limited to the situation where the Organisation fails to comply with this Undertaking or part thereof in relation to any matter. 
5.4 Nothing in this Undertaking, including the Commission’s acceptance of the Undertaking, is intended to, or shall, fetter or constrain the Commission’s rights and statutory powers (including but not limited to those under section 29 and section 50 of the PDPA) in any manner. Neither shall be construed as creating any anticipation or expectation that the Commission will take or not take any particular course of action in the future (whether in the present case or in respect of any other case concerning a breach or suspected breach of the PDPA). The acceptance of this Undertaking is strictly confined to the particular facts of the present case, and is made on the basis of the representations and information provided by the Organisation. The acceptance of an Undertaking in this case shall not be construed as establishing any precedent. 6. VARIATION 6.1 This Undertaking may be varied only with the express written agreement of the Commission. This document has been electronically signed by Info-communications Media Development Authority and Assisi Hospice. The Parties hereby affirm that the electronic signatures have been affixed with the due authorisation of each Party and that Parties intend for the electronic signatures to carry the same weight, effect and meaning as hand-signed wet-ink signatures. SIGNED, for and on behalf of ) Assisi Hospice ) By the following: ) Name: ______________________________________ ) Designation: _________________________________ ) Date: _______________________________________ ) ACCEPTED, for and on behalf of ) Personal Data Protection Commission ) By the following: ) Name: ______________________________________ ) Designation: Deputy Commissioner for Commissioner for Personal Data Protection ) Date: _______________________________________ ) SCHEDULE A (columns: Cause of Incident; Remediation Plan; Target Completion)
1. Human error. Remediation Plan: Cease with immediate effect the distribution of the softcopy patient list to after hours on-call staff. Staff to use electronic patient records for reference instead. Target Completion: Completed.
2. No enforcement of the existing personal data protection policy, comprising a password policy with regard to the sending of confidential information via email. Remediation Plan: Enhance the data protection policy, which comprises the following: ensure attachments in emails are password protected and send the password via a separate channel, or via a separate email only when WhatsApp or SMS is not possible; use only official work email accounts for communication of all work-related items; do not send out any emails containing sensitive and/or confidential data to a non-corporate/personal email address (e.g. Gmail or Yahoo); mask personal data in the body of emails that have no attachments; DPO to send quarterly emails to remind staff of the policies. Target Completion: Completed.
3. Failure of administrative officer to ensure work processes are in line with the existing data protection policy. Remediation Plan: Review every department’s detailed work process in relation to the management of personal data. Target Completion: Completed.
4. Absence of alerts to notify the sender when an email contains sensitive information. Remediation Plan: Set alerts in Office 365 to alert the sender whenever there is sensitive information like an NRIC number in an email body. Target completion date: 2 February 2021. ",1002 11,e55f71c048b6c6681cdad2a75fd0e29cf2a8721b,11,Thye Hua Kwan Moral Charities Limited,https://www.pdpc.gov.sg/Undertakings/Undertaking-by-Thye-Hua-Kwan-Moral-Charities-Limited,2021-07-12,"Background  The Personal Data Protection Commission (the “Commission”) received a data breach notification on 11 April 2020 from Thye Hua Kwan Moral Charities Limited (“THKMC”), after THKMC discovered that its website was hacked. Investigations revealed that malicious actors had gained access to the web content management system, by altering a web configuration file which had been left in a public directory without protection for the usage of the file. 
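The root cause recorded above is a web configuration file sitting in a public directory with nothing stopping the web process, or a visitor, from reading or altering it. The scanner below is an added example written for this page, not THKMC's or its vendor's tooling; the file names it looks for and the temporary web root it builds are assumptions made for the illustration. It walks a document root, reports configuration files and stray backup copies of them (which most web servers will hand out as plain text), and checks the permission bits that let the server account or any other local user modify them.

```python
import os
import stat
import tempfile
from typing import Dict, List

# File names that should never sit under a public document root unprotected.
# Assumed list for this example; extend it for the stack actually deployed.
SENSITIVE_NAMES = {'wp-config.php', '.env', 'web.config', 'config.php', 'settings.php', '.htpasswd'}
# Editor and backup suffixes that turn a PHP config into a plain-text download.
BACKUP_SUFFIXES = ('.bak', '.old', '.orig', '.save', '.swp', '~', '.txt', '.zip', '.sql')

REASON_CONFIG = 'configuration file inside the public web root'
REASON_BACKUP = 'backup copy of a configuration file, served as plain text'
REASON_WRITABLE = 'group/world writable: web process or any local user can alter it'
REASON_READABLE = 'world readable'


def classify(path: str) -> List[str]:
    '''Reasons a single file is a finding; empty list when it is not.'''
    name = os.path.basename(path)
    reasons: List[str] = []
    for suffix in BACKUP_SUFFIXES:
        if name.endswith(suffix) and name[:-len(suffix)] in SENSITIVE_NAMES:
            reasons.append(REASON_BACKUP)
            break
    if name in SENSITIVE_NAMES:
        reasons.append(REASON_CONFIG)
    if not reasons:
        return reasons  # harmless name: no stat needed
    mode = os.stat(path).st_mode
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        reasons.append(REASON_WRITABLE)
    if mode & stat.S_IROTH:
        reasons.append(REASON_READABLE)
    return reasons


def scan_webroot(root: str) -> Dict[str, List[str]]:
    '''Walk the document root; map each offending path (relative, forward slashes) to its reasons.'''
    findings: Dict[str, List[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            full = os.path.join(dirpath, f)
            reasons = classify(full)
            if reasons:
                findings[os.path.relpath(full, root).replace(os.sep, '/')] = reasons
    return findings


def demo_webroot() -> Dict[str, List[str]]:
    '''Constructed web root: a live config, a stray world-writable backup of it, and a harmless page.'''
    root = tempfile.mkdtemp(prefix='webroot-')

    def put(rel: str, mode: int) -> None:
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, 'w') as fh:
            fh.write('placeholder\n')
        os.chmod(p, mode)

    put('index.php', 0o644)
    put('wp-config.php', 0o640)
    put('backup/wp-config.php.bak', 0o666)
    return scan_webroot(root)
```

Run it as a pre-deploy check or a cron job on the document root; the fix for each finding is to move the file above the web root (or deny it in the server config), delete the backup copy, and set ownership so the web server account can read but not write it.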
The employee tasked with the administration of the website lacked the requisite technical knowledge and awareness of basic website security features and cyber security hygiene. As a result, the personal data of 550 volunteers was at risk of unauthorised access. However, investigation by THKMC found no evidence of data loss or access by third-party visitors. The types of personal data which were at risk included the volunteers’ names, residential telephone numbers, mobile numbers, email addresses, residential addresses, dates of birth, volunteering experiences, and interests. Remedial Actions After the incident, as part of the remediation plan, THKMC: (a) engaged a professional web development vendor to re-build its website to conform with established web security standards and the Open Web Application Security Project (OWASP) guidelines; (b) took preventive measures to harden the website by subscribing to cyber security threat monitoring software and updating the firewall IP tables with the blacklisted IPs of past attackers; (c) discontinued the storage of personal data on its new website. The volunteer sign-up page and database were outsourced to a third-party cloud-based volunteer management portal which has a set of security controls to protect the personal data that it collects; (d) migrated internal report submission services from the THKMC internet website to the THKMC intranet staff portal, which is a more secure environment; (e) assigned control of website administration (previously administered by its Corporate Communications Department) and operations hosted by Amazon Web Services to its IT Department; (f) implemented mandatory annual cyber security training and an online quiz for all THKMC staff. 
Staff from the IT department are also required to attend relevant training courses to upgrade their knowledge and competency in cyber security; (g) implemented periodic unannounced phishing exercises to test the alertness of staff to cyber threats; (h) made enhancements to its end point protection and email security; and (i) developed a cyber security policy and an incident response and crisis management policy. Undertaking  Having considered the circumstances of the case, including the remedial steps taken by THKMC to improve its personal data protection practices, the Commission accepted an undertaking from THKMC to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 15 December 2020 (the “Undertaking”).  The Undertaking provided that THKMC was to complete the implementation of its remediation plan. THKMC has since updated the Commission that implementation of its remediation plan has been completed. The Commission has reviewed the matter and determined that THKMC has complied with the terms of the Undertaking.  Please click here to view the Undertaking.",https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Undertakings/Undertaking-for-Thye-Hua-Kwan-Moral-Charities-5-April-2022.pdf,"VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Info-communications Media Development Authority designated as the Personal Data Protection Commission under section 5(1) of the PDPA (hereinafter referred to as the “Commission”), by: Thye Hua Kwan Moral Charities Limited UEN: 201130733N Registered Address: 1 North Bridge Road, #03-33, High Street Centre, Singapore 179094 (hereinafter referred to as the “Organisation”). By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. 
DEFINITIONS 1.1 In this Undertaking: (a) “Commission’s Letter” means the letter dated 27 November 2020 from the Commission to the Organisation, concerning its investigation under the PDPA, including the appendices thereto; (b) “Data Protection Provisions” means the provisions in Parts III to VI of the PDPA; and (c) “PDPA” means the Personal Data Protection Act 2012 (No. 26 of 2012). 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) As referenced in the Commission’s Letter, the Commission has carried out investigations into certain acts and practices of the Organisation, which potentially infringe one or more of the Data Protection Provisions. (b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to give a direction under section 29 of the PDPA. (c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation is already implementing the remediation plan set out in clause 3 below. (d) Having carefully considered all the relevant facts and circumstances, the Commission takes the view that this is an appropriate case in which an Undertaking may be accepted. 2.2 The Organisation also acknowledges and agrees that the Commission may publish and make publicly available this Undertaking (which to avoid doubt, includes the Commission’s Letter), and without limitation to the foregoing, the Commission may issue public statements referring to this Undertaking and/or its contents in whole or in part. 3. 
UNDERTAKINGS 3.1 The Organisation undertakes that it has taken, or will take all necessary steps to implement its remediation plan, namely, to carry out the actions referred to in Schedule A in accordance to the stipulated timelines. 3.2 In addition, the Organisation undertakes to provide, and will ensure that it provides all necessary assistance that the Commission may require to verify the completion of the Organisation’s remediation plan in accordance with Schedule A referred to in clause 3.1, including (without limitation) granting the Commission and its representatives physical access to the Organisation’s premises, providing information and documentation to the Commission, and arranging for meetings and/or interviews with the Organisation’s staff, contractors and/or consultants. 4. COMMENCEMENT 4.1 This Undertaking shall take effect upon the acceptance by the Commission of the Organisation’s duly executed Undertaking. 5. THE COMMISSION’S STATUTORY POWERS 5.1 In order to provide the Organisation with an opportunity to complete all necessary steps to implement its undertakings set out in clause 3 above, the Commission will exercise its powers under section 50(3) of the PDPA to suspend the investigations referred to in clause 2 on the date the Undertaking takes effect as set out in clause 4.1. 5.2 The Organisation acknowledges that the Commission will verify the Organisation’s compliance with its undertakings set out in clause 3 above. 5.3 Clause 5.1 above shall be without prejudice to the Commission’s statutory powers to conduct or resume, at any time, the investigations referred to in clause 2 above if it thinks fit, including but not limited to the situation where the Organisation fails to comply with this Undertaking or part thereof in relation to any matter. 
5.4 Nothing in this Undertaking, including the Commission’s acceptance of the Undertaking, is intended to, or shall, fetter or constrain the Commission’s rights and statutory powers (including but not limited to those under section 29 and section 50 of the PDPA) in any manner. Neither shall be construed as creating any anticipation or expectation that the Commission will take or not take any particular course of action in the future (whether in the present case or in respect of any other case concerning a breach or suspected breach of the PDPA). The acceptance of this Undertaking is strictly confined to the particular facts of the present case, and is made on the basis of the representations and information provided by the Organisation. The acceptance of an Undertaking in this case shall not be construed as establishing any precedent. 6. VARIATION 6.1 This Undertaking may be varied only with the express written agreement of the Commission. This document has been electronically signed by Info-communications Media Development Authority and Thye Hua Kwan Moral Charities Limited. The Parties hereby affirm that the electronic signatures have been affixed with the due authorisation of each Party and that Parties intend for the electronic signatures to carry the same weight, effect and meaning as hand-signed wet-ink signatures. 
SIGNED, for and on behalf of ) Thye Hua Kwan Moral Charities Limited ) By the following: ) Name: ______________________________________ ) Designation: _________________________________ ) Date: _______________________________________ ) ACCEPTED, for and on behalf of ) Personal Data Protection Commission ) By the following: ) Name: _____Yeong Zee Kin______________________ ) Designation: Deputy Commissioner for Commissioner for Personal Data Protection ) Date: _______________________________________ ) SCHEDULE A (columns: Item; Status; Date of Completion (Month-Year))
Strengthen System Security (status entries for this group, as listed: Completed Apr-20; Completed Jun-20; Completed Jun-20; In progress Apr-21)
A professional web development vendor was engaged to re-build the website to adhere to the Open Web Application Security Project (OWASP) guidelines. The new website conforms to established web security standards and guidelines according to OWASP.
The new THKMC webserver does not store any personal data. The volunteer sign-up page and database were discontinued on the new website, as the service would be outsourced to a third-party cloud-based volunteer management portal which has a set of security controls to protect the data that it collects.
Preventive measures were taken to harden the website by subscribing to cyber security threat monitoring software and updating the AWS firewall IP tables with the blacklisted IPs of past attackers.
To migrate internal report submission services from the THKMC internet website to the THKMC intranet staff portal, a more secure environment.
Tighten System Admin Processes (status entries for this group, as listed: Completed Apr-20; Completed May-20)
IT Dept has taken control of the website administration and operations hosted by Amazon Web Services (AWS) from the Web Content Management Team (CCD).
Limited the number of Administrator Accounts for WordPress to two to minimise risk, one of which is held by the IT Team. All other users are given limited access rights. A matrix of User Roles and Responsibilities for WordPress usage was created and is managed by the IT Team.
Develop Cyber Security Awareness & Competency (status entries for this group, as listed: Completed, On-going; In progress Mar-21; In progress Jan-21)
Ensure IT staff attend relevant training courses to upgrade their knowledge and competency in cyber security.
Conduct periodic unannounced phishing exercises to test the alertness of our staff to cyber threats.
To make it mandatory for all staff to complete the cyber security training and pass the online quiz annually. The requirement should be recorded as an annual training target in the individual staff performance appraisal.
Strengthen Cyber Defence (status entries for this group, as listed: In progress Nov-20; Completed Oct-20; In progress Mar-21; In progress Mar-21)
Email Security deployment.
End Point Protection Enhancements.
Development of Cyber Security Policy.
Incident Response and Crisis Management Policy.
",1002 43,30081504f92e776c405ad20bc7a5007e7d728f83,10,Assisi Hospice,https://www.pdpc.gov.sg/undertakings/undertaking-by-assisi-hospice,2021-07-12,"Background  The Personal Data Protection Commission (the “Commission”) received a data breach notification on 22 September 2020 from Assisi Hospice (“Assisi”). Assisi had disclosed personal data of its patients (“Patients”) via 43 separate emails (“Emails”) sent erroneously to a single unintended external party from January to September 2020. The aforesaid personal data was contained in a list set out in an Excel spreadsheet (“List”) attached to the Emails and updated periodically. The List was meant to serve as easy reference for after hours on-call employees, especially if there are difficulties in accessing Patients’ data, such as when the system containing the electronic patients’ record is undergoing maintenance. The List included the names, addresses, contact numbers, NRIC numbers and disease classifications of 1593 Patients (cumulative number over the 43 occasions). 
The disease classifications are referenced from the International Classification of Diseases.  It was established that the disclosure occurred due to an Assisi employee sending the Emails to an erroneous email address belonging to an external party. Notably, the erroneous email address was not an official work email account. The said employee had also not followed Assisi’s existing personal data protection policy to password protect the List.  Remedial Actions After the incident, as part of the remediation plan, Assisi:  (a) ceased the practice of distributing a soft-copy List containing personal data of the Patients to its after hours on-call employees (including via emails) and required such employees to refer to the electronic patient records instead;  (b) reminded all employees to password protect email attachments containing personal data and to send the password in a separate channel or email thereafter. Where an email has no attachment, employees were required to mask personal data in the email body itself; (c) reminded all employees to use only work email accounts for communication of work-related items, and not to send any email containing sensitive and/or confidential data to non-work email accounts; and  (d) reviewed every department’s work processes in relation to the management of personal data. Its data protection officer would also commence sending emails on a quarterly basis to remind its employees of the existing personal data protection policies.   Undertaking  Having considered the circumstances of the case, including the remedial steps taken by Assisi to improve its personal data protection practices, the Commission accepted an undertaking from Assisi to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 16 December 2020 (the “Undertaking”).  
The Undertaking provided that Assisi was to complete the implementation of its remediation plan, that is to set alerts in its email system to alert the sender whenever there is sensitive information like a NRIC number or FIN in the email body and/or whenever there is a NRIC number or FIN in an attachment that is not password protected.  Assisi has since updated the Commission that implementation of its remediation plan has been completed. The Commission has reviewed the matter and determined that Assisi has complied with the terms of the Undertaking.  Please click here to view the Undertaking.",https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/undertakings/undertaking-for-assisi-hospice.pdf,"VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Info-communications Media Development Authority designated as the Personal Data Protection Commission under section 5(1) of the PDPA (hereinafter referred to as the “Commission”), by: Assisi Hospice UEN: 201208993Z Registered Address: 80 Raffles Place, #32-01, UOB Plaza, Singapore 048624 (hereinafter referred to as the “Organisation”). By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. DEFINITIONS 1.1 In this Undertaking: (a) “Commission’s Letter” means the letter dated 15 December 2020 from the Commission to the Organisation, concerning its investigation under the PDPA, including the appendices thereto; (b) “Data Protection Provisions” means the provisions in Parts III to VI of the PDPA; and (c) “PDPA” means the Personal Data Protection Act 2012 (No. 26 of 2012). 2. 
ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) As referenced in the Commission’s Letter, the Commission has carried out investigations into certain acts and practices of the Organisation, which potentially infringe one or more of the Data Protection Provisions. (b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to give a direction under section 29 of the PDPA. (c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation is already implementing the remediation plan set out in clause 3 below. (d) Having carefully considered all the relevant facts and circumstances, the Commission takes the view that this is an appropriate case in which an Undertaking may be accepted. 2.2 The Organisation also acknowledges and agrees that the Commission may publish and make publicly available this Undertaking (which to avoid doubt, includes the Commission’s Letter), and without limitation to the foregoing, the Commission may issue public statements referring to this Undertaking and/or its contents in whole or in part. 3. UNDERTAKINGS 3.1 The Organisation undertakes that it has taken, or will take all necessary steps to implement its remediation plan, namely, to carry out the actions referred to in Schedule A in accordance to the stipulated timelines. 
3.2 In addition, the Organisation undertakes to provide, and will ensure that it provides all necessary assistance that the Commission may require to verify the completion of the Organisation’s remediation plan in accordance with Schedule A referred to in clause 3.1, including (without limitation) granting the Commission and its representatives physical access to the Organisation’s premises, providing information and documentation to the Commission, and arranging for meetings and/or interviews with the Organisation’s staff, contractors and/or consultants. 4. COMMENCEMENT 4.1 This Undertaking shall take effect upon the acceptance by the Commission of the Organisation’s duly executed Undertaking. 5. THE COMMISSION’S STATUTORY POWERS 5.1 In order to provide the Organisation with an opportunity to complete all necessary steps to implement its undertakings set out in clause 3 above, the Commission will exercise its powers under section 50(3) of the PDPA to suspend the investigations referred to in clause 2 on the date the Undertaking takes effect as set out in clause 4.1. 5.2 The Organisation acknowledges that the Commission will verify the Organisation’s compliance with its undertakings set out in clause 3 above. 5.3 Clause 5.1 above shall be without prejudice to the Commission’s statutory powers to conduct or resume, at any time, the investigations referred to in clause 2 above if it thinks fit, including but not limited to the situation where the Organisation fails to comply with this Undertaking or part thereof in relation to any matter. 5.4 Nothing in this Undertaking, including the Commission’s acceptance of the Undertaking, is intended to, or shall, fetter or constrain the Commission’s rights and statutory powers (including but not limited to those under section 29 and section 50 of the PDPA) in any manner. 
Neither shall be construed as creating any anticipation or expectation that the Commission will take or not take any particular course of action in the future (whether in the present case or in respect of any other case concerning a breach or suspected breach of the PDPA). The acceptance of this Undertaking is strictly confined to the particular facts of the present case, and is made on the basis of the representations and information provided by the Organisation. The acceptance of an Undertaking in this case shall not be construed as establishing any precedent. 6. VARIATION 6.1 This Undertaking may be varied only with the express written agreement of the Commission. This document has been electronically signed by Info-communications Media Development Authority and Assisi Hospice. The Parties hereby affirm that the electronic signatures have been affixed with the due authorisation of each Party and that Parties intend for the electronic signatures to carry the same weight, effect and meaning as hand-signed wet-ink signatures. SIGNED, for and on behalf of ) Assisi Hospice ) By the following: ) Name: ______________________________________ ) Designation: _________________________________ ) Date: _______________________________________ ) ACCEPTED, for and on behalf of ) Personal Data Protection Commission ) By the following: ) Name: ______________________________________ ) Designation: Deputy Commissioner for Commissioner for Personal Data Protection ) Date: _______________________________________ ) SCHEDULE A (Causes of Incident / Remediation Plan / Target Completion) 
1. Cause: Human error. Remediation: Cease with immediate effect the distribution of the softcopy patient list to after-hours on-call staff; staff to use electronic patient records for reference instead. Target completion: Completed. 
2. Cause: No enforcement of the existing personal data protection policy (comprising a password policy) with regard to the sending of confidential information via email. Remediation: Enhance the data protection policy to comprise the following: (i) ensure attachments in emails are password protected, and send the password through a separate channel, or in a separate email only when WhatsApp or SMS is not possible; (ii) use only official work email accounts for communication of all work-related items; (iii) do not send any emails containing sensitive and/or confidential data to a non-corporate/personal email address (e.g. Gmail or Yahoo); (iv) mask personal data in the body of emails sent without attachments; (v) DPO to send quarterly emails to remind staff of the policies. Target completion: Completed. 
3. Cause: Failure of the administrative officer to ensure work processes are in line with the existing data protection policy. Remediation: Review every department’s detailed work process in relation to the management of personal data. Target completion: Completed. 
4. Cause: Absence of alerts to alert the sender when an email contains sensitive information. Remediation: Set alerts in Office 365 to alert the sender whenever there is sensitive information like an NRIC number in an email body. Target completion date: 2 February 2021 ",1007 44,05e8471be9b48bea5cbc650592f21c7b61ec417e,11,Thye Hua Kwan Moral Charities Limited,https://www.pdpc.gov.sg/undertakings/undertaking-by-thye-hua-kwan-moral-charities-limited,2021-07-12,"Background  The Personal Data Protection Commission (the “Commission”) received a data breach notification on 11 April 2020 from Thye Hua Kwan Moral Charities Limited (“THKMC”), after THKMC discovered that its website was hacked. Investigations revealed that malicious actors had gained access to the web content management system by altering a web configuration file which had been left in a public directory without any access protection. The employee tasked with the administration of the website lacked the requisite technical knowledge and awareness of basic website security features and cyber security hygiene. 
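The two e-mail rules in the Assisi Hospice Schedule A above (item 2: mask personal data in the body of emails; item 4: alert the sender when an NRIC number appears in the email body, which the description extends to FINs and to attachments that are not password protected) can be shown as plain detection logic. The Python below is an added example, not code from Assisi Hospice, the Commission or Microsoft 365’s own DLP policies. It assumes that attachment text has already been extracted and that each attachment’s password-protection status is known (both are inputs here), and it validates every candidate with the publicly documented NRIC/FIN checksum for the S/T and F/G series (the newer M series is deliberately not handled) so that a near-miss string does not raise a false alert. The sample e-mail and attachments are constructed, not data from the case.

```python
"""
NRIC/FIN detection and masking for outbound e-mail, modelled on the Assisi Hospice
remediation items (alert on NRIC/FIN in the body or in an unprotected attachment;
mask personal data in the body). Added example; not the organisation's, the
Commission's or Microsoft 365's code.
"""
import re
from dataclasses import dataclass, field

# Candidate pattern: series letter, seven digits, checksum letter.
# M-series identifiers (assumption: out of scope here) will simply not match.
NRIC_PATTERN = re.compile(r"\b([STFG])(\d{7})([A-Z])\b", re.IGNORECASE)

_WEIGHTS = (2, 7, 6, 5, 4, 3, 2)
_CHECK_ST = "JZIHGFEDCBA"   # S/T (NRIC) checksum letters, indexed by remainder
_CHECK_FG = "XWUTRQPNMLK"   # F/G (FIN) checksum letters, indexed by remainder


def validate_nric(value: str) -> bool:
    """True if value is an S/T/F/G NRIC or FIN whose checksum letter is correct.

    Weight the seven digits by (2,7,6,5,4,3,2), add 4 for the T and G series,
    take the sum mod 11 and look the remainder up in the series' letter table.
    """
    m = NRIC_PATTERN.fullmatch(value.strip())
    if not m:
        return False
    prefix, digits, check = m.group(1).upper(), m.group(2), m.group(3).upper()
    total = sum(int(d) * w for d, w in zip(digits, _WEIGHTS))
    if prefix in "TG":
        total += 4
    table = _CHECK_ST if prefix in "ST" else _CHECK_FG
    return table[total % 11] == check


def find_ids(text: str) -> list[str]:
    """Checksum-valid NRIC/FIN values found in text, uppercased, in order of appearance."""
    return [m.group(0).upper() for m in NRIC_PATTERN.finditer(text)
            if validate_nric(m.group(0))]


def mask_id(value: str) -> str:
    """Keep only the series letter, last three digits and checksum: S1234567D -> S****567D."""
    v = value.upper()
    return v[0] + "****" + v[5:]


def mask_body(text: str) -> str:
    """Replace every checksum-valid NRIC/FIN in text with its masked form; leave the rest alone."""
    return NRIC_PATTERN.sub(
        lambda m: mask_id(m.group(0)) if validate_nric(m.group(0)) else m.group(0), text)


@dataclass
class Attachment:
    name: str
    text: str                       # assumption: text already extracted from the file
    password_protected: bool = False  # assumption: determined by the caller


@dataclass
class Alert:
    location: str                   # "body" or the attachment name
    ids: list[str] = field(default_factory=list)


def scan_email(body: str, attachments: list[Attachment]) -> list[Alert]:
    """Rule 1: IDs in the body. Rule 2: IDs in attachments that are NOT password protected."""
    alerts = []
    body_ids = find_ids(body)
    if body_ids:
        alerts.append(Alert("body", body_ids))
    for att in attachments:
        if att.password_protected:
            continue                # protected attachments are outside the rule
        att_ids = find_ids(att.text)
        if att_ids:
            alerts.append(Alert(att.name, att_ids))
    return alerts


# Constructed sample input (not data from the case). S1234567A has a wrong checksum.
SAMPLE_BODY = ("Patient S1234567D is on the on-call list tonight. "
               "Ref S1234567A is not an identifier. Next of kin: F1234567N.")
SAMPLE_ATTACHMENTS = [
    Attachment("oncall_list.xlsx", "Name,NRIC\nTan,G1234567X\n", password_protected=False),
    Attachment("protected.xlsx", "Name,NRIC\nLim,T0123456G\n", password_protected=True),
]

if __name__ == "__main__":
    for a in scan_email(SAMPLE_BODY, SAMPLE_ATTACHMENTS):
        print(f"ALERT {a.location}: {', '.join(mask_id(i) for i in a.ids)}")
    print(mask_body(SAMPLE_BODY))
```

The masked form keeps the series letter, last three digits and checksum, the same partial form that the Seafront Support description further down this page reports as having been stored. Validating the checksum before alerting matters in practice: a bare letter-seven-digits-letter pattern also matches invoice and reference numbers, and an alert that fires on every such string trains staff to ignore it.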
As a result, the personal data of 550 volunteers was at risk of unauthorised access. However, investigation by THKMC found no evidence of data loss or access by third party visitors. The types of personal data which were at risk included the volunteers’ names, residential telephone numbers, mobile numbers, email addresses, residential addresses, dates of birth, volunteering experiences, and interests. Remedial Actions After the incident, as part of the remediation plan, THKMC: (a) engaged a professional web development vendor to re-build its website to conform with established web security standards and the Open Web Application Security Project (OWASP) guidelines; (b) took preventive measures to harden the website by subscribing to cyber security threat monitoring software and updating the Firewall IP tables with the blacklisted IPs of past attackers; (c) discontinued the storage of personal data on its new website. The volunteer sign-up page and database were outsourced to a third-party cloud-based volunteer management portal which has a set of security controls to protect the personal data that it collects; (d) migrated internal report submission services from the THKMC internet website to the THKMC intranet staff portal, which is a more secure environment; (e) assigned control of website administration (previously administered by its Corporate Communications Department) and operations hosted by Amazon Web Services to its IT Department; (f) implemented mandatory annual cyber security training and an online quiz for all THKMC staff. Staff from the IT department are also required to attend relevant training courses to upgrade their knowledge and competency in cyber security; (g) implemented periodic unannounced phishing exercises to test the alertness of staff to cyber threats; (h) made enhancements to its end point protection and email security; and (i) developed a cyber security policy and an incident response and crisis management policy. 
Undertaking  Having considered the circumstances of the case, including the remedial steps taken by THKMC to improve its personal data protection practices, the Commission accepted an undertaking from THKMC to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 15 December 2020 (the “Undertaking”).  The Undertaking provided that THKMC was to complete the implementation of its remediation plan. THKMC has since updated the Commission that implementation of its remediation plan has been completed. The Commission has reviewed the matter and determined that THKMC has complied with the terms of the Undertaking.  Please click here to view the Undertaking.",https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/undertakings/undertaking-for-thye-hua-kwan-moral-charities-5-april-2022.pdf,"VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Info-communications Media Development Authority designated as the Personal Data Protection Commission under section 5(1) of the PDPA (hereinafter referred to as the “Commission”), by: Thye Hua Kwan Moral Charities Limited UEN: 201130733N Registered Address: 1 North Bridge Road, #03-33, High Street Centre, Singapore 179094 (hereinafter referred to as the “Organisation”). By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. DEFINITIONS 1.1 In this Undertaking: (a) “Commission’s Letter” means the letter dated 27 November 2020 from the Commission to the Organisation, concerning its investigation under the PDPA, including the appendices thereto; (b) “Data Protection Provisions” means the provisions in Parts III to VI of the PDPA; and (c) “PDPA” means the Personal Data Protection Act 2012 (No. 26 of 2012). 2. 
ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) As referenced in the Commission’s Letter, the Commission has carried out investigations into certain acts and practices of the Organisation, which potentially infringe one or more of the Data Protection Provisions. (b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to give a direction under section 29 of the PDPA. (c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation is already implementing the remediation plan set out in clause 3 below. (d) Having carefully considered all the relevant facts and circumstances, the Commission takes the view that this is an appropriate case in which an Undertaking may be accepted. 2.2 The Organisation also acknowledges and agrees that the Commission may publish and make publicly available this Undertaking (which to avoid doubt, includes the Commission’s Letter), and without limitation to the foregoing, the Commission may issue public statements referring to this Undertaking and/or its contents in whole or in part. 3. UNDERTAKINGS 3.1 The Organisation undertakes that it has taken, or will take all necessary steps to implement its remediation plan, namely, to carry out the actions referred to in Schedule A in accordance to the stipulated timelines. 
3.2 In addition, the Organisation undertakes to provide, and will ensure that it provides all necessary assistance that the Commission may require to verify the completion of the Organisation’s remediation plan in accordance with Schedule A referred to in clause 3.1, including (without limitation) granting the Commission and its representatives physical access to the Organisation’s premises, providing information and documentation to the Commission, and arranging for meetings and/or interviews with the Organisation’s staff, contractors and/or consultants. 4. COMMENCEMENT 4.1 This Undertaking shall take effect upon the acceptance by the Commission of the Organisation’s duly executed Undertaking. 5. THE COMMISSION’S STATUTORY POWERS 5.1 In order to provide the Organisation with an opportunity to complete all necessary steps to implement its undertakings set out in clause 3 above, the Commission will exercise its powers under section 50(3) of the PDPA to suspend the investigations referred to in clause 2 on the date the Undertaking takes effect as set out in clause 4.1. 5.2 The Organisation acknowledges that the Commission will verify the Organisation’s compliance with its undertakings set out in clause 3 above. 5.3 Clause 5.1 above shall be without prejudice to the Commission’s statutory powers to conduct or resume, at any time, the investigations referred to in clause 2 above if it thinks fit, including but not limited to the situation where the Organisation fails to comply with this Undertaking or part thereof in relation to any matter. 5.4 Nothing in this Undertaking, including the Commission’s acceptance of the Undertaking, is intended to, or shall, fetter or constrain the Commission’s rights and statutory powers (including but not limited to those under section 29 and section 50 of the PDPA) in any manner. 
Neither shall be construed as creating any anticipation or expectation that the Commission will take or not take any particular course of action in the future (whether in the present case or in respect of any other case concerning a breach or suspected breach of the PDPA). The acceptance of this Undertaking is strictly confined to the particular facts of the present case, and is made on the basis of the representations and information provided by the Organisation. The acceptance of an Undertaking in this case shall not be construed as establishing any precedent. 6. VARIATION 6.1 This Undertaking may be varied only with the express written agreement of the Commission. This document has been electronically signed by Info-communications Media Development Authority and Thye Hua Kwan Moral Charities Limited. The Parties hereby affirm that the electronic signatures have been affixed with the due authorisation of each Party and that Parties intend for the electronic signatures to carry the same weight, effect and meaning as hand-signed wet-ink signatures. SIGNED, for and on behalf of ) Thye Hua Kwan Moral Charities Limited ) By the following: ) Name: ______________________________________ ) Designation: _________________________________ ) Date: _______________________________________ ) ACCEPTED, for and on behalf of ) Personal Data Protection Commission ) By the following: ) Yeong Zee Kin Name: ______________________________________ ) Designation: Deputy Commissioner for Commissioner for Personal Data Protection ) Date: _______________________________________ ) SCHEDULE A Status Date of Completion (Month-Year) Completed Apr-20 The new THKMC webserver does not store any personal data. The volunteer sign-up page and database were discontinued on the new website as the service would be outsourced to a third-party cloud-based volunteer management portal which has a set of security controls application to protect the data that it collects. 
Completed Jun-20 Preventive measures were taken to harden the website by subscribing to cyber security threat monitoring software and update the AWS Firewall IP tables with the blacklisted IPs of past attackers. Completed Jun-20 To migrate internal report submission services from the THKMC internet website to THKMC intranet staff portal, a more secured environment. In progress Apr-21 Tighten System Admin Processes Completed Apr-20 Completed May-20 Item Strengthen System Security A professional web development vendor was engaged to re-build the website to adhere to the Open Web Application Security Project (OWASP) guidelines. The new website conforms to established web security standards and guidelines according to OWASP. IT Dept has taken control of the website administrations and operations hosted by Amazon Web Services (AWS) from Web Content Management Team (CCD). Limited the number of Administrator Account for WordPress to two to minimise risk, one of which is held by the IT Team. All other users are given limited access rights. A matrix User Roles and Responsibilities for WordPress usage was created and managed by the IT Team. Develop Cyber Security Awareness & Competency Completed On-going Ensure IT staff attend relevant training course to upgrade their knowledge and competency in cyber security. In progress Mar-21 Conduct periodic unannounced phishing exercises to test the alertness of our staff to cyber threats. In progress Jan-21 Strengthen Cyber Defence In progress Nov-20 Email Security deployment Completed Oct-20 Development of Cyber Security Policy In progress Mar-21 Incident Response and Crisis Management Policy In progress Mar-21 To make it mandatory for all staff to complete the cyber security training and passed the online quiz annually. The requirement should be recorded as an annual training target of the individual staff performance appraisal. 
End Point Protection Enhancements ",1007 8,b55ba72d2a364811c6297c1e03ad7960b709634c,8,Seafront Support Company Pte Ltd,https://www.pdpc.gov.sg/Undertakings/Undertaking-by-Seafront-Support-Company-Pte-Ltd,2021-06-10,"Background  The Personal Data Protection Commission (the “Commission”) received a data breach notification on 17 July 2020 from Seafront Support Company Pte. Ltd. (“Seafront Support”) informing that a ransomware attack had rendered data on its server inaccessible. The personal data of approximately 400 to 500 individuals was lost in the incident. The affected datasets comprised the affected individuals’ full name, last 3 digits and checksum of their NRIC number, passport number, last 3 digits and checksum of their FIN number, first 5 digits of their work permit number, address, date of birth, salaries and/or CPF payment details.  It was established that Seafront Support had not implemented adequate security measures to protect the personal data in the server at the time of the incident. Seafront Support did not have a dedicated IT department to monitor and manage its IT system, including the server which had not been patched regularly. Seafront Support’s staff were also not well-informed of safe IT practices. Remedial Actions After the incident, as part of a remediation plan, Seafront Support: (a) engaged an external IT consultant to manage its IT system;  (b) conducted an audit of Seafront Support’s entire IT system and made improvements to harden its IT system; (c) developed and implemented an IT security policy; (d) conducted meetings and sent periodic email reminders on safe IT practices to increase staff awareness on cybersecurity issues; and (e) instructed staff to back-up their files daily on separate cloud-based storage. 
Undertaking  Having considered the circumstances of the case, including the remedial steps taken by Seafront Support to improve its personal data protection practices, the Commission accepted an undertaking from Seafront Support to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 15 December 2020 (the “Undertaking”).  The Undertaking provided that Seafront Support was to complete the implementation of its remediation plan by upgrading its firewall to strengthen protection of its IT system. Seafront Support has since updated the Commission that implementation of its remediation plan has been completed. The Commission has reviewed the matter and determined that Seafront Support has complied with the terms of the Undertaking. Please click here to view the Undertaking.",https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Undertakings/Undertaking---Seafront.pdf,"VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Info-communications Media Development Authority designated as the Personal Data Protection Commission under section 5(1) of the PDPA (hereinafter referred to as the “Commission”), by: Seafront Support Company Pte. Ltd. UEN: 201106511C Registered Address: 102E, Pasir Panjang Road, #02-08, Citilink Warehouse Complex, Singapore 118529 (hereinafter referred to as the “Organisation”). By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. DEFINITIONS 1.1 In this Undertaking: (a) “Commission’s Letter” means the letter dated 25 November 2020 from the Commission to the Organisation, concerning its investigation under the PDPA, including the appendices thereto; (b) “Data Protection Provisions” means the provisions in Parts III to VI of the PDPA; and (c) “PDPA” means the Personal Data Protection Act 2012 (No. 26 of 2012). 2. 
ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) As referenced in the Commission’s Letter, the Commission has carried out investigations into certain acts and practices of the Organisation, which potentially infringe one or more of the Data Protection Provisions. (b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to give a direction under section 29 of the PDPA. (c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation is already implementing the remediation plan set out in clause 3 below. (d) Having carefully considered all the relevant facts and circumstances, the Commission takes the view that this is an appropriate case in which an Undertaking may be accepted. 2.2 The Organisation also acknowledges and agrees that the Commission may publish and make publicly available this Undertaking (which to avoid doubt, includes the Commission’s Letter), and without limitation to the foregoing, the Commission may issue public statements referring to this Undertaking and/or its contents in whole or in part. 3. UNDERTAKINGS 3.1 The Organisation undertakes that it has taken, or will take all necessary steps to implement its remediation plan, namely, to carry out the actions referred to in Schedule A in accordance to the stipulated timelines. 
3.2 In addition, the Organisation undertakes to provide, and will ensure that it provides all necessary assistance that the Commission may require to verify the completion of the Organisation’s remediation plan in accordance with Schedule A referred to in clause 3.1, including (without limitation) granting the Commission and its representatives physical access to the Organisation’s premises, providing information and documentation to the Commission, and arranging for meetings and/or interviews with the Organisation’s staff, contractors and/or consultants. 4. COMMENCEMENT 4.1 This Undertaking shall take effect upon the acceptance by the Commission of the Organisation’s duly executed Undertaking. 5. THE COMMISSION’S STATUTORY POWERS 5.1 In order to provide the Organisation with an opportunity to complete all necessary steps to implement its undertakings set out in clause 3 above, the Commission will exercise its powers under section 50(3) of the PDPA to suspend the investigations referred to in clause 2 on the date the Undertaking takes effect as set out in clause 4.1. 5.2 The Organisation acknowledges that the Commission will verify the Organisation’s compliance with its undertakings set out in clause 3 above. 5.3 Clause 5.1 above shall be without prejudice to the Commission’s statutory powers to conduct or resume, at any time, the investigations referred to in clause 2 above if it thinks fit, including but not limited to the situation where the Organisation fails to comply with this Undertaking or part thereof in relation to any matter. 5.4 Nothing in this Undertaking, including the Commission’s acceptance of the Undertaking, is intended to, or shall, fetter or constrain the Commission’s rights and statutory powers (including but not limited to those under section 29 and section 50 of the PDPA) in any manner. 
Neither shall be construed as creating any anticipation or expectation that the Commission will take or not take any particular course of action in the future (whether in the present case or in respect of any other case concerning a breach or suspected breach of the PDPA). The acceptance of this Undertaking is strictly confined to the particular facts of the present case, and is made on the basis of the representations and information provided by the Organisation. The acceptance of an Undertaking in this case shall not be construed as establishing any precedent. 6. VARIATION 6.1 This Undertaking may be varied only with the express written agreement of the Commission. This document has been electronically signed by Info-communications Media Development Authority and Seafront Support Company Pte. Ltd. The Parties hereby affirm that the electronic signatures have been affixed with the due authorisation of each Party and that Parties intend for the electronic signatures to carry the same weight, effect and meaning as hand-signed wet-ink signatures. SIGNED, for and on behalf of ) Seafront Support Company Pte. Ltd. ) By the following: ) Name: ______________________________________ ) Designation: _________________________________ ) Date: _______________________________________ ) ACCEPTED, for and on behalf of ) Personal Data Protection Commission ) By the following: ) Yeong Zee Kin Name: ____________________________ ) Designation: for Commissioner for Personal Data Protection ) Date: _______________________________________ ) SCHEDULE A (Causes of Incident / Remediation Plan / Target Completion) 
1. Cause: QNAP NAS VPN services left turned on by the previous IT consultant. One of the many possible causes that the NAS had been hacked might be due to the assignment of VPN access during the Circuit Breaker. Remediation: Discontinue the business relationship with the previous IT consultant. Target completion: Completed. 
2. Cause: No dedicated IT department or consultant to monitor and manage the IT system. Remediation: To engage the services of the external IT management to manage Seafront Support Company’s entire IT system. Target completion: Completed. 
3. Cause: Improvement of IT system. Remediation: To audit the IT system and implement recommendations to harden it: i. Antivirus management (ESET Endpoint Antivirus) and monitoring programs to be installed on all workstations. ii. To adopt M365 to work and share files. iii. Secure all user access levels, tighten all workstation/server weak points and secure network services. The NAS access from the outside had been removed. Also the WIFI is on the WPA2 protocol, which is less vulnerable to being hacked from outside. iv. Switch email system to Microsoft 365 Exchange Online for better security. v. Procure 7 new workstations to support the above implementations. vi. To upgrade the firewall to Fortigate UTM - Package (FG-60E) (PSG grant approved). Target completion: Completed, except item vi, target completion by 31/11/2020. 
4. Cause: QNAP device’s patches not updated regularly. Remediation: Develop and implement an IT security policy or guideline. Target completion: Completed. 
5. Cause: Staff not well-informed of safe IT practices (they might have clicked on malicious links from email or website). Remediation: Conduct meetings with staff to inform and remind them of the seriousness of the incident, the safe IT practices, and prevention (Completed). Send periodic email reminders to staff on safe IT practices (Completed). 
6. Cause: Back-up drive stored in the same server. Remediation: Instructed employees to back up their files daily on their OneDrive. Target completion: Completed. ",1002 9,f4d8851e5210f2a6535f23d99232477d195be170,9,Platinum Yoga Pte Ltd,https://www.pdpc.gov.sg/Undertakings/Undertaking-by-Platinum-Yoga-Pte-Ltd,2021-06-10,"Background  The Personal Data Protection Commission (the “Commission”) received a data breach notification on 29 October 2020 from Platinum Yoga Pte. Ltd. (“Platinum Yoga”), informing of a suspected act of mischief by a terminated employee of Platinum Yoga, who gained unauthorised access to its Customer Relationship Management (“CRM”) system and Facebook account. 
The CRM system held the email addresses and photographs of Platinum Yoga’s members. Consequently, photographs of 25 individuals were disclosed in an unauthorised Facebook post, and the email addresses of 58 individuals were disclosed in an email impersonating Platinum Yoga. It was established that Platinum Yoga 1) lacked access restrictions on its accounts, including the CRM system and its Facebook account; 2) lacked dedicated personnel to ensure and enforce password changes to the CRM system and Facebook account among its employees, periodically or whenever necessary; and 3) had not developed an internal data protection policy. Remedial Actions After the incident, as part of a remediation plan, Platinum Yoga: (a) Implemented access restrictions to the CRM system and other accounts, including access to the CRM system on a need-to-know basis, and two-factor authentication on accounts wherever possible; (b) Ensured that personal data can only be viewed or accessed from its own premises; (c) Appointed a dedicated team to monitor and ensure that passwords to the CRM system and other accounts are changed periodically, and whenever necessary, among its employees; (d) Implemented periodic reminders to members on changing their passwords; (e) Implemented a quarterly review of its internal data protection policy. Undertaking  Having considered the circumstances of the case, including the remediation actions taken by Platinum Yoga to improve its personal data protection practices, the Commission accepted an undertaking from Platinum Yoga to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 20 January 2021 (the “Undertaking”).  The Undertaking provided that Platinum Yoga was to complete the implementation of its remediation plan by developing an internal data protection policy. Platinum Yoga has since updated the Commission that implementation of its remediation plan has been completed. 
The Commission has reviewed the matter and determined that Platinum Yoga has complied with the terms of the Undertaking. Please click here to view the Undertaking.",https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Undertakings/Undertaking---Platinum-Yoga-Pte-Ltd.pdf,"VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Info-communications Media Development Authority designated as the Personal Data Protection Commission under section 5(1) of the PDPA (hereinafter referred to as the “Commission”), by: Platinum Yoga Pte. Ltd. UEN: 201109593N Registered Address: 1 Marine Parade Central, #13-09 Parkway Centre, Singapore 449408 (hereinafter referred to as the “Organisation”). By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. DEFINITIONS 1.1 In this Undertaking: (a) “Commission’s Letter” means the letter dated <14 January 2021> from the Commission to the Organisation, concerning its investigation under the PDPA, including the appendices thereto; (b) “Data Protection Provisions” means the provisions in Parts III to VI of the PDPA; and (c) “PDPA” means the Personal Data Protection Act 2012 (No. 26 of 2012). 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) As referenced in the Commission’s Letter, the Commission has carried out investigations into certain acts and practices of the Organisation, which potentially infringe one or more of the Data Protection Provisions. (b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to give a direction under section 29 of the PDPA. (c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. 
In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation is already implementing the remediation plan set out in clause 3 below. (d) Having carefully considered all the relevant facts and circumstances, the Commission takes the view that this is an appropriate case in which an Undertaking may be accepted. 2.2 The Organisation also acknowledges and agrees that the Commission may publish and make publicly available this Undertaking (which to avoid doubt, includes the Commission’s Letter), and without limitation to the foregoing, the Commission may issue public statements referring to this Undertaking and/or its contents in whole or in part. 3. UNDERTAKINGS 3.1 The Organisation undertakes that it has taken, or will take all necessary steps to implement its remediation plan, namely, to carry out the actions referred to in Schedule A in accordance with the stipulated timelines. 3.2 In addition, the Organisation undertakes to provide, and will ensure that it provides all necessary assistance that the Commission may require to verify the completion of the Organisation’s remediation plan in accordance with Schedule A referred to in clause 3.1, including (without limitation) granting the Commission and its representatives physical access to the Organisation’s premises, providing information and documentation to the Commission, and arranging for meetings and/or interviews with the Organisation’s staff, contractors and/or consultants. 4. COMMENCEMENT 4.1 This Undertaking shall take effect upon the acceptance by the Commission of the Organisation’s duly executed Undertaking. 5. 
THE COMMISSION’S STATUTORY POWERS 5.1 In order to provide the Organisation with an opportunity to complete all necessary steps to implement its undertakings set out in clause 3 above, the Commission will exercise its powers under section 50(3) of the PDPA to suspend the investigations referred to in clause 2 on the date the Undertaking takes effect as set out in clause 4.1. 5.2 The Organisation acknowledges that the Commission will verify the Organisation’s compliance with its undertakings set out in clause 3 above. 5.3 Clause 5.1 above shall be without prejudice to the Commission’s statutory powers to conduct or resume, at any time, the investigations referred to in clause 2 above if it thinks fit, including but not limited to the situation where the Organisation fails to comply with this Undertaking or part thereof in relation to any matter. 5.4 Nothing in this Undertaking, including the Commission’s acceptance of the Undertaking, is intended to, or shall, fetter or constrain the Commission’s rights and statutory powers (including but not limited to those under section 29 and section 50 of the PDPA) in any manner. Neither shall be construed as creating any anticipation or expectation that the Commission will take or not take any particular course of action in the future (whether in the present case or in respect of any other case concerning a breach or suspected breach of the PDPA). The acceptance of this Undertaking is strictly confined to the particular facts of the present case, and is made on the basis of the representations and information provided by the Organisation. The acceptance of an Undertaking in this case shall not be construed as establishing any precedent. 6. VARIATION 6.1 This Undertaking may be varied only with the express written agreement of the Commission. This document has been electronically signed by Info-communications Media Development Authority and Platinum Yoga Pte Ltd. 
The Parties hereby affirm that the electronic signatures have been affixed with the due authorisation of each Party and that the Parties intend for the electronic signatures to carry the same weight, effect and meaning as hand-signed wet-ink signatures. SIGNED, for and on behalf of Platinum Yoga Pte Ltd. By the following: Name: ______________________________________ Designation: _________________________________ Date: _______________________________________ ACCEPTED, for and on behalf of Personal Data Protection Commission By the following: Name: Yeong Zee Kin Designation: Deputy Commissioner, for Commissioner for Personal Data Protection Date: _______________________________________ SCHEDULE A (Cause of Incident / Remediation Plan / Target Completion)
1. Cause: Lack of access restriction and additional layer of security to CRM system and other accounts. Remediation Plan: i. Sales staff are issued with a tablet and SIM card to ensure that personal data can only be viewed or accessed via the Organisation’s property. ii. Set up IP address restriction so the CRM can only be accessed from the premises of the Organisation. iii. Further restrict access to the CRM system on a need-to-know basis. iv. Set up 2 Factor Authentication (2FA) on all other accounts where possible. Target Completion: Completed.
2. Cause: Lack of personnel to enforce password change. Remediation Plan: i. HR Team to monitor and ensure that employees change their passwords to the CRM system on the 1st of each month. ii. Passwords for all online accounts are to be changed every month or when an employee leaves the Organisation, whichever is earlier. iii. The Organisation will also send reminders to members once every 3 months to change passwords through newsletter, application notification and posters. Target Completion: On-going.
3. Cause: Lack of internal data protection policies. Remediation Plan: To develop internal data protection policies that include but are not limited to: - The Do’s and Don’ts - Data Protection Plan - Action Plan (target completion by 11 April 2021). To carry out review and update of internal data protection policies every 3 months (On-going).
",1002 41,87be17ab9bc6c887b86b954abe0daa9f74c7642c,8,Seafront Support Company Pte Ltd,https://www.pdpc.gov.sg/undertakings/undertaking-by-seafront-support-company-pte-ltd,2021-06-10,"Background The Personal Data Protection Commission (the “Commission”) received a data breach notification on 17 July 2020 from Seafront Support Company Pte. Ltd. (“Seafront Support”) informing that a ransomware attack had rendered data on its server inaccessible. The personal data of approximately 400 to 500 individuals was lost in the incident. The affected datasets comprised the affected individuals’ full name, last 3 digits and checksum of their NRIC number, passport number, last 3 digits and checksum of their FIN number, first 5 digits of their work permit number, address, date of birth, salaries and/or CPF payment details. It was established that Seafront Support had not implemented adequate security measures to protect the personal data in the server at the time of the incident. Seafront Support did not have a dedicated IT department to monitor and manage its IT system, including the server, which had not been patched regularly. Seafront Support’s staff were also not well-informed of safe IT practices. 
Remedial Actions After the incident, as part of a remediation plan, Seafront Support: (a) engaged an external IT consultant to manage its IT system; (b) conducted an audit of Seafront Support’s entire IT system and made improvements to harden its IT system; (c) developed and implemented an IT security policy; (d) conducted meetings and sent periodic email reminders on safe IT practices to increase staff awareness of cybersecurity issues; and (e) instructed staff to back up their files daily on separate cloud-based storage. Undertaking Having considered the circumstances of the case, including the remedial steps taken by Seafront Support to improve its personal data protection practices, the Commission accepted an undertaking from Seafront Support to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 15 December 2020 (the “Undertaking”). The Undertaking provided that Seafront Support was to complete the implementation of its remediation plan by upgrading its firewall to strengthen protection of its IT system. Seafront Support has since updated the Commission that implementation of its remediation plan has been completed. The Commission has reviewed the matter and determined that Seafront Support has complied with the terms of the Undertaking. Please click here to view the Undertaking.",https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/undertakings/undertaking---seafront.pdf,"VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Info-communications Media Development Authority designated as the Personal Data Protection Commission under section 5(1) of the PDPA (hereinafter referred to as the “Commission”), by: Seafront Support Company Pte. Ltd. UEN: 201106511C Registered Address: 102E, Pasir Panjang Road, #02-08, Citilink Warehouse Complex, Singapore 118529 (hereinafter referred to as the “Organisation”). 
By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. DEFINITIONS 1.1 In this Undertaking: (a) “Commission’s Letter” means the letter dated 25 November 2020 from the Commission to the Organisation, concerning its investigation under the PDPA, including the appendices thereto; (b) “Data Protection Provisions” means the provisions in Parts III to VI of the PDPA; and (c) “PDPA” means the Personal Data Protection Act 2012 (No. 26 of 2012). 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) As referenced in the Commission’s Letter, the Commission has carried out investigations into certain acts and practices of the Organisation, which potentially infringe one or more of the Data Protection Provisions. (b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to give a direction under section 29 of the PDPA. (c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation is already implementing the remediation plan set out in clause 3 below. (d) Having carefully considered all the relevant facts and circumstances, the Commission takes the view that this is an appropriate case in which an Undertaking may be accepted. 
2.2 The Organisation also acknowledges and agrees that the Commission may publish and make publicly available this Undertaking (which to avoid doubt, includes the Commission’s Letter), and without limitation to the foregoing, the Commission may issue public statements referring to this Undertaking and/or its contents in whole or in part. 3. UNDERTAKINGS 3.1 The Organisation undertakes that it has taken, or will take all necessary steps to implement its remediation plan, namely, to carry out the actions referred to in Schedule A in accordance with the stipulated timelines. 3.2 In addition, the Organisation undertakes to provide, and will ensure that it provides all necessary assistance that the Commission may require to verify the completion of the Organisation’s remediation plan in accordance with Schedule A referred to in clause 3.1, including (without limitation) granting the Commission and its representatives physical access to the Organisation’s premises, providing information and documentation to the Commission, and arranging for meetings and/or interviews with the Organisation’s staff, contractors and/or consultants. 4. COMMENCEMENT 4.1 This Undertaking shall take effect upon the acceptance by the Commission of the Organisation’s duly executed Undertaking. 5. THE COMMISSION’S STATUTORY POWERS 5.1 In order to provide the Organisation with an opportunity to complete all necessary steps to implement its undertakings set out in clause 3 above, the Commission will exercise its powers under section 50(3) of the PDPA to suspend the investigations referred to in clause 2 on the date the Undertaking takes effect as set out in clause 4.1. 5.2 The Organisation acknowledges that the Commission will verify the Organisation’s compliance with its undertakings set out in clause 3 above. 
5.3 Clause 5.1 above shall be without prejudice to the Commission’s statutory powers to conduct or resume, at any time, the investigations referred to in clause 2 above if it thinks fit, including but not limited to the situation where the Organisation fails to comply with this Undertaking or part thereof in relation to any matter. 5.4 Nothing in this Undertaking, including the Commission’s acceptance of the Undertaking, is intended to, or shall, fetter or constrain the Commission’s rights and statutory powers (including but not limited to those under section 29 and section 50 of the PDPA) in any manner. Neither shall be construed as creating any anticipation or expectation that the Commission will take or not take any particular course of action in the future (whether in the present case or in respect of any other case concerning a breach or suspected breach of the PDPA). The acceptance of this Undertaking is strictly confined to the particular facts of the present case, and is made on the basis of the representations and information provided by the Organisation. The acceptance of an Undertaking in this case shall not be construed as establishing any precedent. 6. VARIATION 6.1 This Undertaking may be varied only with the express written agreement of the Commission. This document has been electronically signed by Info-communications Media Development Authority and Seafront Support Company Pte. Ltd. The Parties hereby affirm that the electronic signatures have been affixed with the due authorisation of each Party and that the Parties intend for the electronic signatures to carry the same weight, effect and meaning as hand-signed wet-ink signatures. SIGNED, for and on behalf of Seafront Support Company Pte. Ltd. 
By the following: Name: ______________________________________ Designation: _________________________________ Date: _______________________________________ ACCEPTED, for and on behalf of Personal Data Protection Commission By the following: Name: Yeong Zee Kin Designation: for Commissioner for Personal Data Protection Date: _______________________________________ SCHEDULE A (Cause of Incident / Remediation Plan / Target Completion)
1. Cause: QNAP NAS VPN services left turned on by the previous IT consultant. One of the many possible causes of the NAS having been hacked might be the assignment of VPN access during the Circuit Breaker. Remediation Plan: Discontinue the business relationship with the previous IT consultant. Target Completion: Completed.
2. Cause: No dedicated IT department or consultant to monitor and manage the IT system. Remediation Plan: To engage the services of an external IT management provider to manage Seafront Support Company’s entire IT system. Target Completion: Completed.
3. Cause: Improvement of IT system. Remediation Plan: To audit the IT system and implement recommendations to harden it: i. Antivirus management (ESET Endpoint Antivirus) and monitoring programs to be installed on all workstations. ii. To adopt M365 to work and share files. iii. Secure all user access levels, tighten all workstation/server weak points and secure network services. NAS access from the outside has been removed. The Wi-Fi is also on the WPA2 protocol, which is less vulnerable to being hacked from outside. iv. Switch the email system to Microsoft 365 Exchange Online for better security. v. Procure 7 new workstations to support the above implementations. vi. To upgrade the firewall to a Fortigate UTM package (FG-60E) (PSG grant approved). Target Completion: Completed (items i to v); target completion by 31/11/2020 (item vi).
4. Cause: QNAP device’s patches not updated regularly. Remediation Plan: Develop and implement an IT security policy or guideline. Target Completion: Completed.
5. Cause: Staff not well-informed of safe IT practices (they might have clicked on malicious links from email or website). Remediation Plan: Conduct meetings with staff to inform and remind them of the seriousness of the incident, safe IT practices, and prevention (Completed). Send periodic email reminders to staff on safe IT practices (Completed).
6. Cause: Back-up drive stored in the same server. Remediation Plan: Instructed employees to back up their files daily on their OneDrive. Target Completion: Completed.
",1007 42,884c78105a553c05cac73ad837593b3fdf980541,9,Platinum Yoga Pte Ltd,https://www.pdpc.gov.sg/undertakings/undertaking-by-platinum-yoga-pte-ltd,2021-06-10,"Background The Personal Data Protection Commission (the “Commission”) received a data breach notification on 29 October 2020 from Platinum Yoga Pte. Ltd. (“Platinum Yoga”), informing of a suspected act of mischief by a terminated employee of Platinum Yoga, who gained unauthorised access to its Customer Relationship Management (“CRM”) system and Facebook account. The CRM system held the email addresses and photographs of Platinum Yoga’s members. Consequently, photographs of 25 individuals were disclosed in an unauthorised Facebook post, and the email addresses of 58 individuals were disclosed in an email impersonating Platinum Yoga. It was established that Platinum Yoga had 1) not restricted access to its accounts, including the CRM system and its Facebook account; 2) lacked dedicated personnel to ensure and enforce password changes to the CRM system and Facebook account among its employees, periodically and whenever necessary (such as when an employee leaves); and 3) not developed an internal data protection policy. 
Remedial Actions After the incident, as part of a remediation plan, Platinum Yoga: (a) Implemented access restrictions to the CRM system and other accounts, including access to the CRM system on a need-to-know basis, and 2-factor authentication on all accounts that support it; (b) Ensured that personal data can only be viewed or accessed from company-issued devices and its premises; (c) Appointed a dedicated team to monitor and ensure that employees change their passwords to the CRM system and other accounts periodically, and whenever necessary; (d) Implemented periodic reminders to members to change their passwords; (e) Implemented a quarterly review of its internal data protection policy. Undertaking Having considered the circumstances of the case, including the remediation actions taken by Platinum Yoga to improve its personal data protection practices, the Commission accepted an undertaking from Platinum Yoga to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 20 January 2021 (the “Undertaking”). The Undertaking provided that Platinum Yoga was to complete the implementation of its remediation plan by developing an internal data protection policy. Platinum Yoga has since updated the Commission that implementation of its remediation plan has been completed. The Commission has reviewed the matter and determined that Platinum Yoga has complied with the terms of the Undertaking. Please click here to view the Undertaking.",https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/undertakings/undertaking---platinum-yoga-pte-ltd.pdf,"VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Info-communications Media Development Authority designated as the Personal Data Protection Commission under section 5(1) of the PDPA (hereinafter referred to as the “Commission”), by: Platinum Yoga Pte. Ltd. 
UEN: 201109593N Registered Address: 1 Marine Parade Central, #13-09 Parkway Centre, Singapore 449408 (hereinafter referred to as the “Organisation”). By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. DEFINITIONS 1.1 In this Undertaking: (a) “Commission’s Letter” means the letter dated <14 January 2021> from the Commission to the Organisation, concerning its investigation under the PDPA, including the appendices thereto; (b) “Data Protection Provisions” means the provisions in Parts III to VI of the PDPA; and (c) “PDPA” means the Personal Data Protection Act 2012 (No. 26 of 2012). 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) As referenced in the Commission’s Letter, the Commission has carried out investigations into certain acts and practices of the Organisation, which potentially infringe one or more of the Data Protection Provisions. (b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to give a direction under section 29 of the PDPA. (c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation is already implementing the remediation plan set out in clause 3 below. (d) Having carefully considered all the relevant facts and circumstances, the Commission takes the view that this is an appropriate case in which an Undertaking may be accepted. 
2.2 The Organisation also acknowledges and agrees that the Commission may publish and make publicly available this Undertaking (which to avoid doubt, includes the Commission’s Letter), and without limitation to the foregoing, the Commission may issue public statements referring to this Undertaking and/or its contents in whole or in part. 3. UNDERTAKINGS 3.1 The Organisation undertakes that it has taken, or will take all necessary steps to implement its remediation plan, namely, to carry out the actions referred to in Schedule A in accordance with the stipulated timelines. 3.2 In addition, the Organisation undertakes to provide, and will ensure that it provides all necessary assistance that the Commission may require to verify the completion of the Organisation’s remediation plan in accordance with Schedule A referred to in clause 3.1, including (without limitation) granting the Commission and its representatives physical access to the Organisation’s premises, providing information and documentation to the Commission, and arranging for meetings and/or interviews with the Organisation’s staff, contractors and/or consultants. 4. COMMENCEMENT 4.1 This Undertaking shall take effect upon the acceptance by the Commission of the Organisation’s duly executed Undertaking. 5. THE COMMISSION’S STATUTORY POWERS 5.1 In order to provide the Organisation with an opportunity to complete all necessary steps to implement its undertakings set out in clause 3 above, the Commission will exercise its powers under section 50(3) of the PDPA to suspend the investigations referred to in clause 2 on the date the Undertaking takes effect as set out in clause 4.1. 5.2 The Organisation acknowledges that the Commission will verify the Organisation’s compliance with its undertakings set out in clause 3 above. 
5.3 Clause 5.1 above shall be without prejudice to the Commission’s statutory powers to conduct or resume, at any time, the investigations referred to in clause 2 above if it thinks fit, including but not limited to the situation where the Organisation fails to comply with this Undertaking or part thereof in relation to any matter. 5.4 Nothing in this Undertaking, including the Commission’s acceptance of the Undertaking, is intended to, or shall, fetter or constrain the Commission’s rights and statutory powers (including but not limited to those under section 29 and section 50 of the PDPA) in any manner. Neither shall be construed as creating any anticipation or expectation that the Commission will take or not take any particular course of action in the future (whether in the present case or in respect of any other case concerning a breach or suspected breach of the PDPA). The acceptance of this Undertaking is strictly confined to the particular facts of the present case, and is made on the basis of the representations and information provided by the Organisation. The acceptance of an Undertaking in this case shall not be construed as establishing any precedent. 6. VARIATION 6.1 This Undertaking may be varied only with the express written agreement of the Commission. This document has been electronically signed by Info-communications Media Development Authority and Platinum Yoga Pte Ltd. The Parties hereby affirm that the electronic signatures have been affixed with the due authorisation of each Party and that the Parties intend for the electronic signatures to carry the same weight, effect and meaning as hand-signed wet-ink signatures. SIGNED, for and on behalf of Platinum Yoga Pte Ltd. 
By the following: Name: ______________________________________ Designation: _________________________________ Date: _______________________________________ ACCEPTED, for and on behalf of Personal Data Protection Commission By the following: Name: Yeong Zee Kin Designation: Deputy Commissioner, for Commissioner for Personal Data Protection Date: _______________________________________ SCHEDULE A (Cause of Incident / Remediation Plan / Target Completion)
1. Cause: Lack of access restriction and additional layer of security to CRM system and other accounts. Remediation Plan: i. Sales staff are issued with a tablet and SIM card to ensure that personal data can only be viewed or accessed via the Organisation’s property. ii. Set up IP address restriction so the CRM can only be accessed from the premises of the Organisation. iii. Further restrict access to the CRM system on a need-to-know basis. iv. Set up 2 Factor Authentication (2FA) on all other accounts where possible. Target Completion: Completed.
2. Cause: Lack of personnel to enforce password change. Remediation Plan: i. HR Team to monitor and ensure that employees change their passwords to the CRM system on the 1st of each month. ii. Passwords for all online accounts are to be changed every month or when an employee leaves the Organisation, whichever is earlier. iii. The Organisation will also send reminders to members once every 3 months to change passwords through newsletter, application notification and posters. Target Completion: On-going.
3. Cause: Lack of internal data protection policies. Remediation Plan: To develop internal data protection policies that include but are not limited to: - The Do’s and Don’ts - Data Protection Plan - Action Plan (target completion by 11 April 2021). To carry out review and update of internal data protection policies every 3 months (On-going).
",1007 7,dadb6a547ccf8a5d54e7e5795704abcf40d731cd,7,DLI Asia Pacific Pte Ltd,https://www.pdpc.gov.sg/Undertakings/Undertaking-by-DLI-Asia-Pacific-Pte-Ltd,2021-05-12,"Background The Personal Data Protection Commission (the “Commission”) received a data breach notification on 18 June 2020 from DLI Asia Pacific Pte Ltd (“DLIAP”), informing that a ransomware attack had infected one of its file servers (“the File Server”), affecting the personal data of approximately 848 individuals. The affected datasets comprised the affected individuals’ names, addresses, contact numbers, dates of birth, marital status, insurance policy details, insurance premiums, passport copies, education background, employment details and/or salary information. It was established that DLIAP had not implemented adequate security measures to protect the personal data in the File Server at the time of the incident. In particular, there were insufficient controls to regulate access to the File Server via a virtual private network (“VPN”). The server hosting the VPN had not been patched, and the same credentials were used to access both the File Server and the VPN. 
Remedial Actions After the incident, as part of a remediation plan, DLIAP: (a) Implemented multi-factor authentication to strengthen VPN login; (b) Implemented different user accounts for VPN and File Server access; (c) Implemented a virtual desktop for its IT vendor with activity monitoring; (d) Engaged a security consultant to review its current IT infrastructure and propose enhancements; (e) Implemented additional security monitoring by a different IT vendor; (f) Improved patch update and management processes; (g) Established thorough file management rules for cloud storage of data; (h) Implemented email rules including password rules for attachments; and (i) Implemented compliance training for DLIAP’s employees. Undertaking The Commission recognises that DLIAP has made efforts to address the concerns raised in this case and to improve its personal data protection practices. Having considered the circumstances of the case, the Commission accepted an undertaking from DLIAP to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 22 December 2020 (the “Undertaking”). The Undertaking provided that DLIAP was to complete implementation of its remediation plan by reviewing its internal policies relating to the handling of personal information. DLIAP has since updated the Commission that implementation of its remediation plan has been completed. The Commission has reviewed the matter and determined that DLIAP has complied with the terms of the Undertaking. 
Please click here to view the Undertaking.",https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Undertakings/Undertaking---DLI-Asia-Pacific-Pte-Ltd.pdf,"VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Info-communications Media Development Authority designated as the Personal Data Protection Commission under section 5(1) of the PDPA (hereinafter referred to as the “Commission”), by: DLI Asia Pacific Pte Ltd UEN: 201431235K Registered Address: 12 Marina view #24-03/04 Asia Square Tower 2 S(018961) (hereinafter referred to as the “Organisation”). By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. DEFINITIONS 1.1 In this Undertaking: (a) “Commission’s Letter” means the letter dated 1 December 2020 from the Commission to the Organisation, concerning its investigation under the PDPA, including the appendices thereto; (b) “Data Protection Provisions” means the provisions in Parts III to VI of the PDPA; and (c) “PDPA” means the Personal Data Protection Act 2012 (No. 26 of 2012). 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) As referenced in the Commission’s Letter, the Commission has carried out investigations into certain acts and practices of the Organisation, which potentially infringe one or more of the Data Protection Provisions. (b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to give a direction under section 29 of the PDPA. (c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. 
The Commission further recognises that the Organisation appears ready to implement the remediation plan set out in clause 3 below forthwith. (d) Having carefully considered all the relevant facts and circumstances, the Commission takes the view that this is an appropriate case in which an Undertaking may be accepted. 2.2 The Organisation also acknowledges and agrees that the Commission may publish and make publicly available this Undertaking (which to avoid doubt, includes the Commission’s Letter), and without limitation to the foregoing, the Commission may issue public statements referring to this Undertaking and/or its contents in whole or in part. 3. UNDERTAKINGS 3.1 The Organisation undertakes that it has taken, or will take all necessary steps to implement its remediation plan, namely, to carry out the actions referred to in Schedule A in accordance with the stipulated timelines. 4. COMMENCEMENT 4.1 This Undertaking shall take effect upon the acceptance by the Commission of the Organisation’s duly executed Undertaking. 5. THE COMMISSION’S STATUTORY POWERS 5.1 In order to provide the Organisation with an opportunity to complete all necessary steps to implement its undertakings set out in clause 3 above, the Commission will exercise its powers under section 50(3) of the PDPA to suspend the investigations referred to in clause 2 on the date the Undertaking takes effect as set out in clause 4.1. 5.2 The Organisation acknowledges that the Commission will verify the Organisation’s compliance with its undertakings set out in clause 3 above. 5.3 Clause 5.1 above shall be without prejudice to the Commission’s statutory powers to conduct or resume, at any time, the investigations referred to in clause 2 above if it thinks fit, including but not limited to the situation where the Organisation fails to comply with this Undertaking or part thereof in relation to any matter. 
5.4 Nothing in this Undertaking, including the Commission’s acceptance of the Undertaking, is intended to, or shall, fetter or constrain the Commission’s rights and statutory powers (including but not limited to those under section 29 and section 50 of the PDPA) in any manner. Neither shall be construed as creating any anticipation or expectation that the Commission will take or not take any particular course of action in the future (whether in the present case or in respect of any other case concerning a breach or suspected breach of the PDPA). The acceptance of this Undertaking is strictly confined to the particular facts of the present case, and is made on the basis of the representations and information provided by the Organisation. The acceptance of an Undertaking in this case shall not be construed as establishing any precedent. 6. VARIATION 6.1 This Undertaking may be varied only with the express written agreement of the Commission. This document has been electronically signed by Info-communications Media Development Authority and DLI Asia Pacific Pte Ltd. The Parties hereby affirm that the electronic signatures have been affixed with the due authorisation of each Party and that Parties intend for the electronic signatures to carry the same weight, effect and meaning as hand-signed wet-ink signatures. 
SIGNED, for and on behalf of ) DLI Asia Pacific Pte Ltd ) By the following: ) Name: ______________________________________ ) Designation: _________________________________ ) Date: _______________________________________ ) ACCEPTED, for and on behalf of ) Personal Data Protection Commission ) By the following: ) Name: _____________________________________ ) Designation: Deputy Commissioner for Commissioner for Personal Data Protection ) Date: _______________________________________ ) SCHEDULE A Item Implement Multi-Factor Authentication to Strengthen VPN Login Status Date of Completion (MonthYear) In Progress Dec-20 Completed May-20 In Progress Jan-21 In progress Jan-21 In Progress Dec-20 Multi-factor Authentication (MFA) will be implemented to further strengthen VPN login. Remote VPN access will be authenticated with an additional factor on top of the current 2FA controls already in place. Implement Different User Accounts for VPN and Server Access Set up a different User ID or Account for VPN & Server Access to further strengthen login controls, preventing use of the same ID & Password to access both the VPN and Server Systems. Implement Virtual Desktop for IT Vendor with Activity Monitoring Virtual desktop will be implemented for IT Vendor Access & Monitoring to further strengthen vendor support access controls. IT Vendors are only allowed access to System using Virtual Desktop to better secure access, and such access is monitored. Engage Security Consultant to Review Current Setup Conduct survey and review requirements of current IT Infrastructure & Systems setup to further enhance protection against cyber-attacks. 
Implement Additional Security Monitoring Review requirements of additional security monitoring by another security company in addition to the current IT vendor to have a “Check & Balance” mechanism to ensure that the current IT vendor carries out its obligations to implement any security patches for the following systems: • Firewall • VPN Server • Domain Controller Patch Update & Management Improvement Completed Oct-20 Completed May-20 Completed Aug-2020 Review current Patch Update & Management and request IT vendor to improve its processes to ensure timely updates for system patches, specifically where there are high priority and critical patches which are published Remedial Actions Taken in Response to the Incident The following are the remedial actions which had been put in place in response to the incident: 1) Change all passwords for all users and administrators 2) Re-format all suspected laptops that potentially could have been compromised as advised by the Forensic company. Total 34 laptops re-formatted. 3) Closed communication to Dark Web on the Firewall. 4) Turned off the compromised VPN server once we confirmed that it had been compromised. 5) Check & confirm the version of the second VPN server to make sure that it is updated to the latest version. 6) Conduct a scan on all servers and laptops deployed to ensure that there are no traces of the ransomware files, or malware. 7) Stop the use of the shared folder/files in the File Server by all users, and migrate all shared folders for better controls. 
Fundamental Reform of File Management Establish thorough file management rules in the cloud: 1) Thorough implementation of customer information handling and reporting rules 2) Remove unnecessary personal information promptly 3) Passwords implemented to secure & protect all files that have personal information in limited access folder 4) Store all files with personal information in limited access folder Implementing Email Rules (Internal & External) In Progress Jul-2020 Completed Jun-2020 1) Checking of receiver address, passwords, contents of Emails and files 2) Password rules for attachments 3) Strengthening of password rules Others Jul-2020 Implement compliance trainings Aug-2020 Review of internal policies relating to handling of personal information to align with PDPA amendments In progress Mar-2021 ",1002 40,19a476d7bd00a450dd582bc4285e5f19e050d1f9,7,DLI Asia Pacific Pte Ltd,https://www.pdpc.gov.sg/undertakings/undertaking-by-dli-asia-pacific-pte-ltd,2021-05-12,"Background The Personal Data Protection Commission (the “Commission”) received a data breach notification on 18 June 2020 from DLI Asia Pacific Pte Ltd (“DLIAP”), informing that a ransomware attack had infected one of its file servers (“the File Server”), affecting the personal data of approximately 848 individuals. The affected datasets comprised the affected individuals’ names, addresses, contact numbers, dates of birth, marital status, insurance policy details, insurance premiums, passport copies, education background, employment details and/or salary information. It was established that DLIAP had not implemented adequate security measures to protect the personal data in the File Server at the time of the incident. In particular, there were insufficient controls to regulate access to the File Server via a virtual private network (“VPN”). The server hosting the VPN had not been patched, and the same credentials were used to access both the File Server and the VPN. 
Remedial Actions After the incident, as part of a remediation plan, DLIAP: (a) Implemented multi-factor authentication to strengthen VPN login;  (b) Implemented different user accounts for VPN and File Server access; (c) Implemented a virtual desktop for its IT vendor with activity monitoring; (d) Engaged a security consultant to review its current IT infrastructure and propose enhancements;  (e) Implemented additional security monitoring by a different IT vendor; (f) Improved patch update & management processes; (g) Established thorough file management rules for cloud storage of data; (h) Implemented email rules including password rules for attachments; and (i) Implemented compliance training for DLIAP’s employees. Undertaking The Commission recognises that DLIAP has made efforts to address the concerns raised in this case and to improve its personal data protection practices. Having considered the circumstances of the case, the Commission accepted an undertaking from DLIAP to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 22 December 2020 (the “Undertaking”).  The Undertaking provided that DLIAP was to complete implementation of its remediation plan by reviewing its internal policies relating to the handling of personal information. DLIAP has since updated the Commission that implementation of its remediation plan has been completed. The Commission has reviewed the matter and determined that DLIAP has complied with the terms of the Undertaking.  
Please click here to view the Undertaking.",https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/undertakings/undertaking---dli-asia-pacific-pte-ltd.pdf,"VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Info-communications Media Development Authority designated as the Personal Data Protection Commission under section 5(1) of the PDPA (hereinafter referred to as the “Commission”), by: DLI Asia Pacific Pte Ltd UEN: 201431235K Registered Address: 12 Marina view #24-03/04 Asia Square Tower 2 S(018961) (hereinafter referred to as the “Organisation”). By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. DEFINITIONS 1.1 In this Undertaking: (a) “Commission’s Letter” means the letter dated 1 December 2020 from the Commission to the Organisation, concerning its investigation under the PDPA, including the appendices thereto; (b) “Data Protection Provisions” means the provisions in Parts III to VI of the PDPA; and (c) “PDPA” means the Personal Data Protection Act 2012 (No. 26 of 2012). 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) As referenced in the Commission’s Letter, the Commission has carried out investigations into certain acts and practices of the Organisation, which potentially infringe one or more of the Data Protection Provisions. (b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to give a direction under section 29 of the PDPA. (c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. 
The Commission further recognises that the Organisation appears ready to implement the remediation plan set out in clause 3 below forthwith. (d) Having carefully considered all the relevant facts and circumstances, the Commission takes the view that this is an appropriate case in which an Undertaking may be accepted. 2.2 The Organisation also acknowledges and agrees that the Commission may publish and make publicly available this Undertaking (which to avoid doubt, includes the Commission’s Letter), and without limitation to the foregoing, the Commission may issue public statements referring to this Undertaking and/or its contents in whole or in part. 3. UNDERTAKINGS 3.1 The Organisation undertakes that it has taken, or will take all necessary steps to implement its remediation plan, namely, to carry out the actions referred to in Schedule A in accordance with the stipulated timelines. 4. COMMENCEMENT 4.1 This Undertaking shall take effect upon the acceptance by the Commission of the Organisation’s duly executed Undertaking. 5. THE COMMISSION’S STATUTORY POWERS 5.1 In order to provide the Organisation with an opportunity to complete all necessary steps to implement its undertakings set out in clause 3 above, the Commission will exercise its powers under section 50(3) of the PDPA to suspend the investigations referred to in clause 2 on the date the Undertaking takes effect as set out in clause 4.1. 5.2 The Organisation acknowledges that the Commission will verify the Organisation’s compliance with its undertakings set out in clause 3 above. 5.3 Clause 5.1 above shall be without prejudice to the Commission’s statutory powers to conduct or resume, at any time, the investigations referred to in clause 2 above if it thinks fit, including but not limited to the situation where the Organisation fails to comply with this Undertaking or part thereof in relation to any matter. 
5.4 Nothing in this Undertaking, including the Commission’s acceptance of the Undertaking, is intended to, or shall, fetter or constrain the Commission’s rights and statutory powers (including but not limited to those under section 29 and section 50 of the PDPA) in any manner. Neither shall be construed as creating any anticipation or expectation that the Commission will take or not take any particular course of action in the future (whether in the present case or in respect of any other case concerning a breach or suspected breach of the PDPA). The acceptance of this Undertaking is strictly confined to the particular facts of the present case, and is made on the basis of the representations and information provided by the Organisation. The acceptance of an Undertaking in this case shall not be construed as establishing any precedent. 6. VARIATION 6.1 This Undertaking may be varied only with the express written agreement of the Commission. This document has been electronically signed by Info-communications Media Development Authority and DLI Asia Pacific Pte Ltd. The Parties hereby affirm that the electronic signatures have been affixed with the due authorisation of each Party and that Parties intend for the electronic signatures to carry the same weight, effect and meaning as hand-signed wet-ink signatures. 
SIGNED, for and on behalf of ) DLI Asia Pacific Pte Ltd ) By the following: ) Name: ______________________________________ ) Designation: _________________________________ ) Date: _______________________________________ ) ACCEPTED, for and on behalf of ) Personal Data Protection Commission ) By the following: ) Name: _____________________________________ ) Designation: Deputy Commissioner for Commissioner for Personal Data Protection ) Date: _______________________________________ ) SCHEDULE A Item Implement Multi-Factor Authentication to Strengthen VPN Login Status Date of Completion (MonthYear) In Progress Dec-20 Completed May-20 In Progress Jan-21 In progress Jan-21 In Progress Dec-20 Multi-factor Authentication (MFA) will be implemented to further strengthen VPN login. Remote VPN access will be authenticated with an additional factor on top of the current 2FA controls already in place. Implement Different User Accounts for VPN and Server Access Set up a different User ID or Account for VPN & Server Access to further strengthen login controls, preventing use of the same ID & Password to access both the VPN and Server Systems. Implement Virtual Desktop for IT Vendor with Activity Monitoring Virtual desktop will be implemented for IT Vendor Access & Monitoring to further strengthen vendor support access controls. IT Vendors are only allowed access to System using Virtual Desktop to better secure access, and such access is monitored. Engage Security Consultant to Review Current Setup Conduct survey and review requirements of current IT Infrastructure & Systems setup to further enhance protection against cyber-attacks. 
Implement Additional Security Monitoring Review requirements of additional security monitoring by another security company in addition to the current IT vendor to have a “Check & Balance” mechanism to ensure that the current IT vendor carries out its obligations to implement any security patches for the following systems: • Firewall • VPN Server • Domain Controller Patch Update & Management Improvement Completed Oct-20 Completed May-20 Completed Aug-2020 Review current Patch Update & Management and request IT vendor to improve its processes to ensure timely updates for system patches, specifically where there are high priority and critical patches which are published Remedial Actions Taken in Response to the Incident The following are the remedial actions which had been put in place in response to the incident: 1) Change all passwords for all users and administrators 2) Re-format all suspected laptops that potentially could have been compromised as advised by the Forensic company. Total 34 laptops re-formatted. 3) Closed communication to Dark Web on the Firewall. 4) Turned off the compromised VPN server once we confirmed that it had been compromised. 5) Check & confirm the version of the second VPN server to make sure that it is updated to the latest version. 6) Conduct a scan on all servers and laptops deployed to ensure that there are no traces of the ransomware files, or malware. 7) Stop the use of the shared folder/files in the File Server by all users, and migrate all shared folders for better controls. 
Fundamental Reform of File Management Establish thorough file management rules in the cloud: 1) Thorough implementation of customer information handling and reporting rules 2) Remove unnecessary personal information promptly 3) Passwords implemented to secure & protect all files that have personal information in limited access folder 4) Store all files with personal information in limited access folder Implementing Email Rules (Internal & External) In Progress Jul-2020 Completed Jun-2020 1) Checking of receiver address, passwords, contents of Emails and files 2) Password rules for attachments 3) Strengthening of password rules Others Jul-2020 Implement compliance trainings Aug-2020 Review of internal policies relating to handling of personal information to align with PDPA amendments In progress Mar-2021 ",1007 6,30d986a796cbef1bc88e629159ce75844c423851,6,Manulife (Singapore) Pte Ltd,https://www.pdpc.gov.sg/Undertakings/Undertaking-by-Manulife-Singapore-Pte-Ltd,2021-04-15,"Background  The Personal Data Protection Commission (the “Commission”) received a data breach notification on 23 March 2020 from Manulife (Singapore) Pte Ltd (“MLS”), informing that a representative who was licensed to provide financial advisory services representing MLS had misplaced an unencrypted thumb drive which contained the personal data of 104 individuals on 19 March 2020. The personal data consisted of NRIC images, passport images, MLS forms used to conduct financial needs analysis for clients, MLS insurance application forms, medical reports, claims documents (current and past claims), insurance summaries for client portfolios. It was found that MLS’ financial representatives were not continuously informed of and trained on up-to-date requirements on the permissibility of using personal devices for business purposes and the proper use of removable storage media via onboarding and refresher training sessions, circulars and quarterly bulletins.  
Remedial Actions After the incident, MLS notified all affected individuals of the incident and monitored their insurance policies for unusual requests and/or transactions for a period of six months. A refresher training on privacy and data security was also conducted for MLS representatives.   Undertaking  The Commission considered the circumstances of the case and accepted an undertaking from MLS to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 15 January 2021 (the “Undertaking”).  The Undertaking provides that MLS was to:  (a) take all necessary steps to implement its remediation plan, namely, to carry out the actions referred to in Schedule A of the Undertaking; and  (b) provide a status report to the Commission at a time requested by the Commission confirming whether MLS has fulfilled each of the specific measures set out in the implementation plan. MLS has since provided the Commission with the status report referred to at paragraph 5(b) above. The Commission has reviewed the matter and determined that MLS has complied with the terms of the Undertaking.  Please click here to view the Undertaking.",https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Undertakings/Undertaking---Manulife-Singapore.pdf,"VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Info-communications Media Development Authority designated as the Personal Data Protection Commission under section 5(1) of the PDPA (hereinafter referred to as the “Commission”), by: Manulife (Singapore) Pte Ltd UEN: 198002116D Registered Address: 8 Cross Street, #15-01, Manulife Tower, Singapore 048424 (hereinafter referred to as the “Organisation”). By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. 
DEFINITIONS 1.1 In this Undertaking: (a) “Commission’s Letter” means the letter dated 4 January 2021 from the Commission to the Organisation, concerning its investigation under the PDPA, including the appendices thereto; (b) “Data Protection Provisions” means the provisions in Parts III to VI of the PDPA; and (c) “PDPA” means the Personal Data Protection Act 2012 (No. 26 of 2012). 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) As referenced in the Commission’s Letter, the Commission has carried out investigations into certain acts and practices of the Organisation, which potentially infringe one or more of the Data Protection Provisions. (b) As a result of any non-compliance with the PDPA by an organisation, the Commission has several enforcement options under the PDPA, including the option to give a direction under section 29 of the PDPA. (c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation is already implementing the remediation plan set out in clause 3 below. (d) Having carefully considered all the relevant facts and circumstances, the Commission takes the view that this is an appropriate case in which an Undertaking may be accepted. 2.2 The Organisation also acknowledges and agrees that the Commission may publish and make publicly available this Undertaking (which to avoid doubt, includes the Commission’s Letter), and without limitation to the foregoing, the Commission may issue public statements referring to this Undertaking and/or its contents in whole or in part. 3. 
UNDERTAKINGS 3.1 The Organisation undertakes that it has taken or will take all necessary steps to implement its remediation plan, namely, to carry out the actions referred to in Schedule A in accordance with the stipulated timelines. 3.2 In addition, the Organisation undertakes to provide, and will ensure that it provides all necessary assistance that the Commission may require to verify the completion of the Organisation’s remediation plan in accordance with Schedule A referred to in clause 3.1, including (without limitation) granting the Commission and its representatives physical access to the Organisation’s premises, providing information and documentation to the Commission, and arranging for meetings and/or interviews with the Organisation’s staff, contractors and/or consultants. 4. COMMENCEMENT 4.1 This Undertaking shall take effect upon the acceptance by the Commission of the Organisation’s duly executed Undertaking. 5. THE COMMISSION’S STATUTORY POWERS 5.1 In order to provide the Organisation with an opportunity to complete all necessary steps to implement its undertakings set out in clause 3 above, the Commission will exercise its powers under section 50(3) of the PDPA to suspend the investigations referred to in clause 2 on the date the Undertaking takes effect as set out in clause 4.1. 5.2 The Organisation acknowledges that the Commission will verify the Organisation’s compliance with its undertakings set out in clause 3 above. 5.3 Clause 5.1 above shall be without prejudice to the Commission’s statutory powers to conduct or resume, at any time, the investigations referred to in clause 2 above if it thinks fit, including but not limited to the situation where the Organisation fails to comply with this Undertaking or part thereof in relation to any matter. 
5.4 Nothing in this Undertaking, including the Commission’s acceptance of the Undertaking, is intended to, or shall, fetter or constrain the Commission’s rights and statutory powers (including but not limited to those under section 29 and section 50 of the PDPA) in any manner. Neither shall be construed as creating any anticipation or expectation that the Commission will take or not take any course of action in the future (whether in the present case or in respect of any other case concerning a breach or suspected breach of the PDPA). The acceptance of this Undertaking is strictly confined to the particular facts of the present case and is made based on the representations and information provided by the Organisation. The acceptance of an Undertaking in this case shall not be construed as establishing any precedent. 6. VARIATION 6.1 This Undertaking may be varied only with the express written agreement of the Commission. This document has been electronically signed by Info-communications Media Development Authority and Manulife (Singapore) Pte Ltd. The Parties hereby affirm that the electronic signatures have been affixed with the due authorisation of each Party and that Parties intend for the electronic signatures to carry the same weight, effect and meaning as hand-signed wet-ink signatures. 
SIGNED, for and on behalf of ) Manulife (Singapore) Pte Ltd ) By the following: ) Name: ______________________________________ ) Designation: _________________________________ ) Date: _______________________________________ ) ACCEPTED, for and on behalf of ) Personal Data Protection Commission ) By the following: ) Name: ______________________________________ ) Designation: _________________________________ ) Date: _______________________________________ ) SCHEDULE A Causes of Incident 1 Consistent and up-to-date requirements on the permissibility of using personal devices for business purposes and the proper use of removable storage media (“RSM”) were not always conveyed to its financial representatives via the onboarding training, the annual refresher training, the new agent onboarding handbook, as well as the quarterly bulletins circulated by the Organisation’s Regulatory Compliance Department. Target Completion: Completed. The training deck by the Organisation’s Information Risk Management (“IRM”) team is to be aligned with the basic requirements/guidelines prescribed in Life Insurance Association (“LIA”) Data Loss Protection Guidelines for Insurance Agents. Remediation Plan (target completion by 19 February 2021): Based on the revised training materials provided by IRM, the Distribution Services and Compliance team will: a. Issue a circular to communicate the basic requirements of using and disposing of personal devices (including RSM) for business purposes. b. Incorporate the basic requirements/guidelines into the Agency Market Conduct Guidelines which will be the key reference document for the financial representatives on the expected practices and consequences of noncompliance. The Organisation’s Compliance team will revisit and update the corresponding training materials based on the market conduct guidelines and agent’s circular. 
Target completion by 19 February 2021. Causes of Incident 2 Annual confirmation from its financial representatives was not obtained in 2019 to confirm their adherence to the LIA Singapore Data Loss Protection Guidelines for Insurance Agents. According to the LIA Data Loss Protection Guidelines for Insurance Agents (effective from March 1, 2019) issued in September 2018, life insurers are required to obtain from their agents a signed annual self-declaration that he/she has complied with LIA Data Loss Protection Guidelines for Insurance Agents. Target Completion: Completed. The attestation has been included in the 2020 annual fit and proper declaration questionnaire and will continue to remain as part of the future annual fit and proper declaration questionnaire unless there are any regulatory changes. Remediation Plan The Organisation’s Regulatory Compliance team is involved in reviewing the questionnaire before the MLS Distribution Services team triggers the annual fit and proper declaration exercise to MLS financial representatives. ",1002 39,a82a813014c7fa22af71ffec947b05696f684c38,6,Manulife (Singapore) Pte Ltd,https://www.pdpc.gov.sg/undertakings/undertaking-by-manulife-singapore-pte-ltd,2021-04-15,"Background  The Personal Data Protection Commission (the “Commission”) received a data breach notification on 23 March 2020 from Manulife (Singapore) Pte Ltd (“MLS”), informing that a representative who was licensed to provide financial advisory services representing MLS had misplaced an unencrypted thumb drive which contained the personal data of 104 individuals on 19 March 2020. The personal data consisted of NRIC images, passport images, MLS forms used to conduct financial needs analysis for clients, MLS insurance application forms, medical reports, claims documents (current and past claims), insurance summaries for client portfolios. 
It was found that MLS’ financial representatives were not continuously informed of and trained on up-to-date requirements on the permissibility of using personal devices for business purposes and the proper use of removable storage media via onboarding and refresher training sessions, circulars and quarterly bulletins.  Remedial Actions After the incident, MLS notified all affected individuals of the incident and monitored their insurance policies for unusual requests and/or transactions for a period of six months. A refresher training on privacy and data security was also conducted for MLS representatives.   Undertaking  The Commission considered the circumstances of the case and accepted an undertaking from MLS to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 15 January 2021 (the “Undertaking”).  The Undertaking provides that MLS was to:  (a) take all necessary steps to implement its remediation plan, namely, to carry out the actions referred to in Schedule A of the Undertaking; and  (b) provide a status report to the Commission at a time requested by the Commission confirming whether MLS has fulfilled each of the specific measures set out in the implementation plan. MLS has since provided the Commission with the status report referred to at paragraph 5(b) above. The Commission has reviewed the matter and determined that MLS has complied with the terms of the Undertaking.  
Please click here to view the Undertaking.",https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/undertakings/undertaking---manulife-singapore.pdf,"VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Info-communications Media Development Authority designated as the Personal Data Protection Commission under section 5(1) of the PDPA (hereinafter referred to as the “Commission”), by: Manulife (Singapore) Pte Ltd UEN: 198002116D Registered Address: 8 Cross Street, #15-01, Manulife Tower, Singapore 048424 (hereinafter referred to as the “Organisation”). By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. DEFINITIONS 1.1 In this Undertaking: (a) “Commission’s Letter” means the letter dated 4 January 2021 from the Commission to the Organisation, concerning its investigation under the PDPA, including the appendices thereto; (b) “Data Protection Provisions” means the provisions in Parts III to VI of the PDPA; and (c) “PDPA” means the Personal Data Protection Act 2012 (No. 26 of 2012). 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) As referenced in the Commission’s Letter, the Commission has carried out investigations into certain acts and practices of the Organisation, which potentially infringe one or more of the Data Protection Provisions. (b) As a result of any non-compliance with the PDPA by an organisation, the Commission has several enforcement options under the PDPA, including the option to give a direction under section 29 of the PDPA. (c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. 
The Commission further recognises that the Organisation is already implementing the remediation plan set out in clause 3 below. (d) Having carefully considered all the relevant facts and circumstances, the Commission takes the view that this is an appropriate case in which an Undertaking may be accepted. 2.2 The Organisation also acknowledges and agrees that the Commission may publish and make publicly available this Undertaking (which to avoid doubt, includes the Commission’s Letter), and without limitation to the foregoing, the Commission may issue public statements referring to this Undertaking and/or its contents in whole or in part. 3. UNDERTAKINGS 3.1 The Organisation undertakes that it has taken or will take all necessary steps to implement its remediation plan, namely, to carry out the actions referred to in Schedule A in accordance to the stipulated timelines. 3.2 In addition, the Organisation undertakes to provide, and will ensure that it provides all necessary assistance that the Commission may require to verify the completion of the Organisation’s remediation plan in accordance with Schedule A referred to in clause 3.1, including (without limitation) granting the Commission and its representatives physical access to the Organisation’s premises, providing information and documentation to the Commission, and arranging for meetings and/or interviews with the Organisation’s staff, contractors and/or consultants. 4. COMMENCEMENT 4.1 This Undertaking shall take effect upon the acceptance by the Commission of the Organisation’s duly executed Undertaking. 5. THE COMMISSION’S STATUTORY POWERS 5.1 In order to provide the Organisation with an opportunity to complete all necessary steps to implement its undertakings set out in clause 3 above, the Commission will exercise its powers under section 50(3) of the PDPA to suspend the investigations referred to in clause 2 on the date the Undertaking takes effect as set out in clause 4.1. 
5.2 The Organisation acknowledges that the Commission will verify the Organisation’s compliance with its undertakings set out in clause 3 above. 5.3 Clause 5.1 above shall be without prejudice to the Commission’s statutory powers to conduct or resume, at any time, the investigations referred to in clause 2 above if it thinks fit, including but not limited to the situation where the Organisation fails to comply with this Undertaking or part thereof in relation to any matter. 5.4 Nothing in this Undertaking, including the Commission’s acceptance of the Undertaking, is intended to, or shall, fetter or constrain the Commission’s rights and statutory powers (including but not limited to those under section 29 and section 50 of the PDPA) in any manner. Neither shall be construed as creating any anticipation or expectation that the Commission will take or not take any course of action in the future (whether in the present case or in respect of any other case concerning a breach or suspected breach of the PDPA). The acceptance of this Undertaking is strictly confined to the particular facts of the present case and is made based on the representations and information provided by the Organisation. The acceptance of an Undertaking in this case shall not be construed as establishing any precedent. 6. VARIATION 6.1 This Undertaking may be varied only with the express written agreement of the Commission. This document has been electronically signed by Info-communications Media Development Authority and Manulife (Singapore) Pte Ltd. The Parties hereby affirm that the electronic signatures have been affixed with the due authorisation of each Party and that Parties intend for the electronic signatures to carry the same weight, effect and meaning as hand-signed wet-ink signatures. 
SIGNED, for and on behalf of ) Manulife (Singapore) Pte Ltd ) By the following: ) Name: ______________________________________ ) Designation: _________________________________ ) Date: _______________________________________ ) ACCEPTED, for and on behalf of ) Personal Data Protection Commission ) By the following: ) Name: ______________________________________ ) Designation: _________________________________ ) Date: _______________________________________ ) SCHEDULE A Causes of Incident 1: Consistent and up-to-date requirements on the permissibility of using personal devices for business purposes and the proper use of removable storage media (“RSM”) were not always conveyed to its financial representatives via the onboarding training, the annual refresher training, the new agent onboarding handbook, as well as the quarterly bulletins circulated by the Organisation’s Regulatory Compliance Department. Remediation Plan: The training deck by the Organisation’s Information Risk Management (“IRM”) team is to be aligned with the basic requirements/guidelines prescribed in Life Insurance Association (“LIA”) Data Loss Protection Guidelines for Insurance Agents. Target Completion: Completed. Remediation Plan: Based on the revised training materials provided by IRM, the Distribution Services and Compliance team will: a. Issue a circular to communicate the basic requirements of using and disposing personal devices (including RSM) for business purposes. b. Incorporate the basic requirements/guidelines into the Agency Market Conduct Guidelines which will be the key reference document for the financial representatives on the expected practices and consequences of noncompliance. Target Completion: by 19 February 2021. Remediation Plan: The Organisation’s Compliance team will revisit and update the corresponding training materials based on the market conduct guidelines and agent’s circular. 
Target Completion: by 19 February 2021. Causes of Incident 2: Annual confirmation from its financial representatives was not obtained in 2019 to confirm their adherence to the LIA Singapore Data Loss Protection Guidelines for Insurance Agents. According to the LIA Data Loss Protection Guidelines for Insurance Agents (effective from March 1, 2019) issued in September 2018, life insurers are required to obtain from their agents a signed annual self-declaration that he/she has complied with LIA Data Loss Protection Guidelines for Insurance Agents. Remediation Plan: The attestation has been included in the 2020 annual fit and proper declaration questionnaire and will continue to remain as part of the future annual fit and proper declaration questionnaire unless there are any regulatory changes. Target Completion: Completed. Remediation Plan: The Organisation’s Regulatory Compliance team is involved in reviewing the questionnaire before MLS Distribution Services team triggers the annual fit and proper declaration exercise to MLS financial representatives. ",1007 5,7fff9707a7ac5ea1ba96fd1c505bffca8bf48690,5,StarMed Specialist Centre Pte Ltd,https://www.pdpc.gov.sg/Undertakings/Undertaking-by-StarMed-Specialist-Centre-Pte-Ltd,2021-02-18,"Background  The Personal Data Protection Commission (the “Commission”) received a data breach notification on 7 February 2020 from StarMed Specialist Centre Pte Ltd (“StarMed”), informing that ransomware had infected one of its servers and encrypted a database containing 373 patients’ personal data. The personal data consisted of the name, NRIC number, date of birth, gender, electrocardiogram data and treadmill stress test data. It was established that StarMed had not implemented the necessary security measures at the time of the incident. A Remote Desktop Protocol (“RDP”) Port had been left open, which likely enabled the unauthorised access to the database. 
In addition, both the server and database had weak login credentials and passwords. Remedial Actions After the incident, StarMed disabled the RDP Port and all public facing connections on the firewall. It also formalised its internal password SOPs into a written password policy. Additionally, StarMed rolled out several group-led IT security enhancement initiatives, including the implementation of a secured wide-area network and cybersecurity protection suite. StarMed will also continue to bolster staff awareness on cybersecurity issues through further training at its Cyber Security Awareness workshops, conducted by an external cybersecurity consultant. Undertaking  The Commission considered the circumstances of the case and accepted an undertaking from StarMed to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 12 October 2020 (the “Undertaking”). The Undertaking provides that StarMed was to: (a) review password policies relating to StarMed’s servers and IT equipment storing personal data; (b) review process of login authentication on StarMed’s servers and IT equipment storing personal data; (c) review the need for an alert system in the event of multiple failed account login attempts to StarMed’s server and IT equipment storing personal data, including logging such attempts; (d) once the Commission approves the proposed implementation plan, comply with every obligation set out in the implementation plan; (e) appoint individuals of sufficient authority to oversee compliance with the Undertaking and to report the status of compliance to the Commission; and (f) provide a status report to the Commission at a time requested by the Commission confirming whether StarMed has fulfilled each of the specific measures set out in the implementation plan. StarMed has since provided the Commission with the status report referred to at para 5(f) above. 
The Commission has reviewed the matter and determined that StarMed has complied with the terms of the Undertaking. Please click here to view the Undertaking.",https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Undertakings/Undertaking---StarMed.pdf,"VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Info-communications Media Development Authority designated as the Personal Data Protection Commission under section 5(1) of the PDPA (hereinafter referred to as the “Commission”), by: StarMed Specialist Centre Pte Ltd UEN: 201629251M Registered Address: 7 Temasek Boulevard #12-10 Suntec Tower One Singapore 038987 (hereinafter referred to as the “Organisation”). By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. DEFINITIONS 1.1 In this Undertaking: (a) “Commission’s Letter” means the letter dated [Date] from the Commission to the Organisation, concerning its investigation under the PDPA, including the appendices thereto; (b) “Data Protection Provisions” means the provisions in Parts III to VI of the PDPA; and (c) “PDPA” means the Personal Data Protection Act 2012 (No. 26 of 2012). 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) As referenced in the Commission’s Letter, the Commission has carried out investigations into certain acts and practices of the Organisation, which potentially infringe one or more of the Data Protection Provisions. (b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to give a direction under section 29 of the PDPA. (c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. 
In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation appears ready to implement the remediation plan set out in clause 3 below forthwith. (d) Having carefully considered all the relevant facts and circumstances, the Commission takes the view that this is an appropriate case in which an Undertaking may be accepted. 2.2 The Organisation also acknowledges and agrees that the Commission may publish and make publicly available this Undertaking, and without limitation to the foregoing, the Commission may issue public statements referring to this Undertaking and/or its contents in whole or in part. 3. UNDERTAKINGS 3.1 The Organisation undertakes to take all necessary steps to implement and give effect to the conditions set out below within any stipulated time frames: 3.2 (a) Review password policies relating to the Organisation’s servers and IT equipment storing personal data i.e. password strength. (b) Review the process of login authentication on the Organisation’s servers and IT equipment storing personal data i.e. access rights. (c) Review need for an alert system in the event of multiple failed account login attempts to the Organisation’s server and IT equipment storing personal data, including logging such attempts. (d) Provide, within fourteen (14) days of the date of acceptance of this Undertaking, a proposed remediation schedule to fulfil clause 3.1. The proposed remediation schedule shall state specific measures that the Organisation has taken and/or proposes to take to fulfil clause 3.1, as well as the time frame (the “Time Frame”) within which the Organisation expects to complete each of the specific measures (to the extent that these measures have yet to be completed). 
The overall Time Frame within which the Organisation proposes to complete all of the specific measures shall not exceed sixty (60) days beginning from the date of acceptance of this Undertaking. (e) Provide a status report to the Commission within fourteen (14) days from the end of the Time Frame approved by the Commission confirming that the Organisation has fulfilled clause 3.1. The status report should provide details as to when and how each of the specific measures was completed. In addition, the Organisation undertakes to provide, and will ensure that it provides all necessary assistance that the Commission may require to verify the completion of the specific measures as set out in clause 3.1, including (without limitation) granting the Commission and its representatives physical access to the Organisation’s premises, providing information and documentation to the Commission, and arranging for meetings and/or interviews with the Organisation’s staff, contractors and/or consultants. 4. COMMENCEMENT 4.1 This Undertaking shall take effect upon the acceptance by the Commission of the Organisation’s duly executed Undertaking. 5. THE COMMISSION’S STATUTORY POWERS 5.1 In order to provide the Organisation with an opportunity to take all necessary steps to implement its undertakings set out in clause 3 above, the Commission will exercise its powers under section 50(3) of the PDPA to suspend the investigations referred to in clause 2 on the date the Undertaking takes effect as set out in clause 4.1. 5.2 The Organisation acknowledges that the Commission will verify the Organisation’s compliance with its undertakings set out in clause 3 above. 
5.3 Clause 5.1 above shall be without prejudice to the Commission’s statutory powers to conduct or resume, at any time, the investigations referred to in clause 2 above if it thinks fit, including but not limited to the situation where the Organisation fails to comply with this Undertaking or part thereof in relation to any matter. 5.4 Nothing in this Undertaking, including the Commission’s acceptance of the Undertaking, is intended to, or shall, fetter or constrain the Commission’s rights and statutory powers (including but not limited to those under section 29 and section 50 of the PDPA) in any manner. Neither shall be construed as creating any anticipation or expectation that the Commission will take or not take any particular course of action in the future (whether in the present case or in respect of any other case concerning a breach or suspected breach of the PDPA). The acceptance of this Undertaking is strictly confined to the particular facts of the present case, and is made on the basis of the representations and information provided by the Organisation. The acceptance of an Undertaking in this case shall not be construed as establishing any precedent. 6. VARIATION 6.1 This Undertaking may be varied only with the express written agreement of the Commission. This document has been electronically signed by Info-communications Media Development Authority and StarMed Specialist Centre Pte Ltd. The Parties hereby affirm that the electronic signatures have been affixed with the due authorisation of each Party and that Parties intend for the electronic signatures to carry the same weight, effect and meaning as hand-signed wet-ink signatures. 
SIGNED, for and on behalf of ) StarMed Specialist Centre Pte Ltd ) By the following: ) Name: ______________________________________ ) Designation: _________________________________ ) Date: _______________________________________ ) ACCEPTED, for and on behalf of ) Personal Data Protection Commission ) By the following: ) Name: ______________________________________ ) Designation: Deputy Commissioner for Commissioner for Personal Data Protection ) Date: _______________________________________ ) ",1002 38,94be3d018896777a94dfbb64e77db56ac8cb0b1f,5,StarMed Specialist Centre Pte Ltd,https://www.pdpc.gov.sg/undertakings/undertaking-by-starmed-specialist-centre-pte-ltd,2021-02-18,"Background  The Personal Data Protection Commission (the “Commission”) received a data breach notification on 7 February 2020 from StarMed Specialist Centre Pte Ltd (“StarMed”), informing that ransomware had infected one of its servers and encrypted a database containing 373 patients’ personal data. The personal data consisted of the name, NRIC number, date of birth, gender, electrocardiogram data and treadmill stress test data. It was established that StarMed had not implemented the necessary security measures at the time of the incident. A Remote Desktop Protocol (“RDP”) Port had been left open, which likely enabled the unauthorised access to the database. In addition, both the server and database had weak login credentials and passwords. Remedial Actions After the incident, StarMed disabled the RDP Port and all public facing connections on the firewall. It also formalised its internal password SOPs into a written password policy. Additionally, StarMed rolled out several group-led IT security enhancement initiatives, including the implementation of a secured wide-area network and cybersecurity protection suite. 
StarMed will also continue to bolster staff awareness on cybersecurity issues through further training at its Cyber Security Awareness workshops, conducted by an external cybersecurity consultant. Undertaking  The Commission considered the circumstances of the case and accepted an undertaking from StarMed to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 12 October 2020 (the “Undertaking”). The Undertaking provides that StarMed was to: (a) review password policies relating to StarMed’s servers and IT equipment storing personal data; (b) review process of login authentication on StarMed’s servers and IT equipment storing personal data; (c) review the need for an alert system in the event of multiple failed account login attempts to StarMed’s server and IT equipment storing personal data, including logging such attempts; (d) once the Commission approves the proposed implementation plan, comply with every obligation set out in the implementation plan; (e) appoint individuals of sufficient authority to oversee compliance with the Undertaking and to report the status of compliance to the Commission; and (f) provide a status report to the Commission at a time requested by the Commission confirming whether StarMed has fulfilled each of the specific measures set out in the implementation plan. StarMed has since provided the Commission with the status report referred to at para 5(f) above. The Commission has reviewed the matter and determined that StarMed has complied with the terms of the Undertaking. 
Please click here to view the Undertaking.",https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/undertakings/undertaking---starmed.pdf,"VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Info-communications Media Development Authority designated as the Personal Data Protection Commission under section 5(1) of the PDPA (hereinafter referred to as the “Commission”), by: StarMed Specialist Centre Pte Ltd UEN: 201629251M Registered Address: 7 Temasek Boulevard #12-10 Suntec Tower One Singapore 038987 (hereinafter referred to as the “Organisation”). By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. DEFINITIONS 1.1 In this Undertaking: (a) “Commission’s Letter” means the letter dated [Date] from the Commission to the Organisation, concerning its investigation under the PDPA, including the appendices thereto; (b) “Data Protection Provisions” means the provisions in Parts III to VI of the PDPA; and (c) “PDPA” means the Personal Data Protection Act 2012 (No. 26 of 2012). 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) As referenced in the Commission’s Letter, the Commission has carried out investigations into certain acts and practices of the Organisation, which potentially infringe one or more of the Data Protection Provisions. (b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to give a direction under section 29 of the PDPA. (c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. 
The Commission further recognises that the Organisation appears ready to implement the remediation plan set out in clause 3 below forthwith. (d) Having carefully considered all the relevant facts and circumstances, the Commission takes the view that this is an appropriate case in which an Undertaking may be accepted. 2.2 The Organisation also acknowledges and agrees that the Commission may publish and make publicly available this Undertaking, and without limitation to the foregoing, the Commission may issue public statements referring to this Undertaking and/or its contents in whole or in part. 3. UNDERTAKINGS 3.1 The Organisation undertakes to take all necessary steps to implement and give effect to the conditions set out below within any stipulated time frames: 3.2 (a) Review password policies relating to the Organisation’s servers and IT equipment storing personal data i.e. password strength. (b) Review the process of login authentication on the Organisation’s servers and IT equipment storing personal data i.e. access rights. (c) Review need for an alert system in the event of multiple failed account login attempts to the Organisation’s server and IT equipment storing personal data, including logging such attempts. (d) Provide, within fourteen (14) days of the date of acceptance of this Undertaking, a proposed remediation schedule to fulfil clause 3.1. The proposed remediation schedule shall state specific measures that the Organisation has taken and/or proposes to take to fulfil clause 3.1, as well as the time frame (the “Time Frame”) within which the Organisation expects to complete each of the specific measures (to the extent that these measures have yet to be completed). The overall Time Frame within which the Organisation proposes to complete all of the specific measures shall not exceed sixty (60) days beginning from the date of acceptance of this Undertaking. 
(e) Provide a status report to the Commission within fourteen (14) days from the end of the Time Frame approved by the Commission confirming that the Organisation has fulfilled clause 3.1. The status report should provide details as to when and how each of the specific measures was completed. In addition, the Organisation undertakes to provide, and will ensure that it provides all necessary assistance that the Commission may require to verify the completion of the specific measures as set out in clause 3.1, including (without limitation) granting the Commission and its representatives physical access to the Organisation’s premises, providing information and documentation to the Commission, and arranging for meetings and/or interviews with the Organisation’s staff, contractors and/or consultants. 4. COMMENCEMENT 4.1 This Undertaking shall take effect upon the acceptance by the Commission of the Organisation’s duly executed Undertaking. 5. THE COMMISSION’S STATUTORY POWERS 5.1 In order to provide the Organisation with an opportunity to take all necessary steps to implement its undertakings set out in clause 3 above, the Commission will exercise its powers under section 50(3) of the PDPA to suspend the investigations referred to in clause 2 on the date the Undertaking takes effect as set out in clause 4.1. 5.2 The Organisation acknowledges that the Commission will verify the Organisation’s compliance with its undertakings set out in clause 3 above. 5.3 Clause 5.1 above shall be without prejudice to the Commission’s statutory powers to conduct or resume, at any time, the investigations referred to in clause 2 above if it thinks fit, including but not limited to the situation where the Organisation fails to comply with this Undertaking or part thereof in relation to any matter. 
5.4 Nothing in this Undertaking, including the Commission’s acceptance of the Undertaking, is intended to, or shall, fetter or constrain the Commission’s rights and statutory powers (including but not limited to those under section 29 and section 50 of the PDPA) in any manner. Neither shall be construed as creating any anticipation or expectation that the Commission will take or not take any particular course of action in the future (whether in the present case or in respect of any other case concerning a breach or suspected breach of the PDPA). The acceptance of this Undertaking is strictly confined to the particular facts of the present case, and is made on the basis of the representations and information provided by the Organisation. The acceptance of an Undertaking in this case shall not be construed as establishing any precedent. 6. VARIATION 6.1 This Undertaking may be varied only with the express written agreement of the Commission. This document has been electronically signed by Info-communications Media Development Authority and StarMed Specialist Centre Pte Ltd. The Parties hereby affirm that the electronic signatures have been affixed with the due authorisation of each Party and that Parties intend for the electronic signatures to carry the same weight, effect and meaning as hand-signed wet-ink signatures. 
SIGNED, for and on behalf of ) StarMed Specialist Centre Pte Ltd ) By the following: ) Name: ______________________________________ ) Designation: _________________________________ ) Date: _______________________________________ ) ACCEPTED, for and on behalf of ) Personal Data Protection Commission ) By the following: ) Name: ______________________________________ ) Designation: Deputy Commissioner for Commissioner for Personal Data Protection ) Date: _______________________________________ ) ",1007 4,fd15ac0c88507638e0f0e483f93c110aab57a8de,4,NEC Asia Pacific Pte Ltd,https://www.pdpc.gov.sg/Undertakings/Undertaking-by-NEC-Asia-Pacific-Pte-Ltd,2021-01-14,"Background  On 28 August 2017, the Personal Data Protection Commission (the “Commission”) received a data breach notification from JK TruData Solutions Pte Ltd (“JK TruData”) regarding a print job request via email (the “Email”) that it had received from NEC Asia Pacific Pte Ltd (“NEC”). The Email enclosed personal data that had been received by NEC from the common end customer (“Customer”) of both NEC and JK TruData (the “Incident”). JK TruData informed the Commission that it was not the intended recipient of the Email.  The Commission’s investigations showed that NEC employed a two-step process when sending relevant data to appointed printing vendors: (a) first, NEC would send the relevant data to the printing agent via an automated email function; (b) thereafter, NEC would follow up manually with an email to confirm the receipt of the automated email; NEC’s SOP required the staff doing this to check that the recipient was correct before sending the email, and for all confidential data to be encrypted. In this Incident, a mistake was made at the second step – an NEC employee sent the follow-up email (with the same content and attachment contained in the automated email without any encryption) to JK TruData instead of the correct printing agent.  
Although the Commission’s investigation findings suggested that NEC had not fully complied with its obligations under the PDPA, the Commission recognised that there was limited impact from the disclosure. The Commission found that disclosure of personal data had been limited to two authorised printing vendors of the Customer, one of which was JK TruData themselves, who were already bound in contract to the Customer to keep such information confidential. JK TruData also was already familiar with the types of personal data contained within the attachment and there was no further disclosure by NEC beyond JK TruData. The Deputy Commissioner also recognised that the incident did not arise as a result of the lack of controls but that the controls put in place by NEC were not sufficiently robust. In addition, NEC had made efforts to address the concerns raised in this case and to improve the personal data protection practice.  Undertaking  The Commission considered the circumstances of the case and accepted an undertaking from NEC to improve its compliance with the PDPA (the “Undertaking”). In particular, the Commission noted that there was limited impact from the disclosure as JK TruData was contractually obliged to keep confidential any personal data received. The Incident was also an isolated incident caused by human error and not a systemic problem. The Undertaking provided that NEC was to:  (a) engage an external consultant to review its confirmation process to prevent future recurrence of the issue. 
In particular, to further consider automating the email sending process;  (b) enhance the PDPA training for its staff handling personal data;  (c) ensure that adequate safeguards are taken for transmission of personal data to third parties;  (d) propose an implementation plan for fulfilling the above; and  (e) provide a status report to the Commission at a time requested by the Commission confirming whether NEC has fulfilled each of the specific measures set out in the implementation plan.  NEC has since provided the Commission with the implementation plan and status report referred to at para 5(d) & (e) above. The Commission has reviewed the matter and determined that NEC has complied with the terms of the Undertaking.  Please click here to view the Undertaking.    ",https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Undertakings/Undertaking---NEC.pdf,"APPENDIX A LEGALLY BINDING UNDERTAKING TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Personal Data Protection Commission by: NEC Asia Pacific Pte Ltd UEN: 197700754G Registered Address: 80 Bendemeer Road #05-01/02, Hyflux Innovation Centre Singapore 339949 By signing this Undertaking, NEC Asia Pacific Pte Ltd acknowledges the matters stated herein and agrees to be bound by the terms of this Undertaking. 1. DEFINITIONS 1.1. In this Undertaking: (a) “Commission” means the Personal Data Protection Commission. (b) “Commission’s Letter” means the letter dated 4 April 2018 from the Commission to NEC Asia Pacific Pte Ltd concerning its investigation under the PDPA, including the appendices thereto. (c) “Data Protection Provisions” means Parts III to VI of the PDPA. (d) “PDPA” means the Personal Data Protection Act 2012 (No. 26 of 2012). (e) “Time Frame” has the meaning given to it in paragraph 3.2. (f) “NEC” means NEC Asia Pacific Pte Ltd. 2. ACKNOWLEDGEMENTS 2.1. 
NEC hereby acknowledges the following matters: (a) The Commission has carried out an investigation into certain acts and practices of NEC, which allegedly infringe one or more provisions of the Data Protection Provisions. (b) The detailed facts and circumstances relating to the Commission’s investigation, as well as the Commission’s investigation findings and concerns arising therefrom, are set out in the Commission’s Letter, a copy of which has been furnished to NEC. (c) NEC agrees that it has been given the opportunity to submit representations to the Commission in relation to the facts, allegations and the Commission’s investigation findings, as well as the form of binding undertaking, as set out in the Commission’s Letter. (d) The Commission’s investigation findings suggest that NEC has not fully complied with its obligations under the PDPA. (e) As a result of the alleged non-compliance with the PDPA, the Commission has a number of enforcement options under the PDPA, including the option to give a direction under Section 29 of the PDPA. (f) The Deputy Commissioner recognises that the disclosure of data was limited to two authorised printing vendors who were bound by contract to keep such data confidential and were already familiar with the types of personal data contained within the attachment and there was no further disclosure beyond JK TruData. The Deputy Commissioner also recognises that the incident did not arise as a result of the lack of controls but that the controls were not sufficiently robust. In addition, NEC has made efforts to address the concerns raised in this case and to improve its personal data protection practices. (g) The Commission, having carefully considered all the relevant facts and circumstances, is of the view that this is an appropriate case in which to accept a binding undertaking. 3. UNDERTAKINGS 3.1. 
In consideration of the Commission not exercising its powers under Section 29 of the PDPA to give a direction in relation to the matters set out in the Commission’s Letter, NEC hereby undertakes as follows. 3.2. NEC undertakes to take all necessary steps to implement and give effect to the conditions set out below, within the time frame approved by the Commission under paragraph (d): (a) Engage an external consultant to review its confirmation process to prevent further recurrence of the issue. In particular, to consider automating the email sending process; (b) Enhance the PDPA training for its staff handling personal data; (c) Adequate safeguards are taken for transmission of personal data to third parties; (d) Provide to the Commission, within fourteen (14) days of the date of acceptance of this Undertaking, a proposed plan of implementation for fulfilling (a) to (c) above, for the Commission’s approval. The proposed plan of implementation shall state specific measures that NEC has taken and/or proposes to take to fulfil (a) to (c) above, as well as the time frame within which NEC expects to complete each of the specific measures (to the extent that these measures have yet to be completed). The overall time frame within which NEC proposes to complete all of the specific measures (the “Time Frame”) shall not exceed sixty (60) days beginning from the date of acceptance of this Undertaking. The proposed plan of implementation shall also explain how each of the specific measures proposed would address the concerns expressed in the Commission’s Letter and achieve the objectives of (a) to (c) above. NEC shall make such amendments to the proposed plan of implementation as may be required by the Commission, in order to address any further concerns that the Commission may have. 
In deciding whether to approve the plan of implementation, the Commission will consider whether the specific measures would adequately address the concerns expressed in the Commission’s Letter and achieve the objectives of (a) to (c) above; and (e) Provide a status report to the Commission within fourteen (14) days from the end of the Time Frame approved by the Commission under paragraph (d) confirming whether NEC has fulfilled each of the specific measures set out in the approved plan of implementation, and provide details as to when each of the specific measures was completed. 4. COMMENCEMENT, TERM AND TERMINATION 4.1. This Undertaking shall take effect upon the acceptance by the Commission of NEC’s fully executed Undertaking. 5. GOVERNING LAW 5.1. This Undertaking shall be governed by Singapore law. 6. VARIATION 6.1. This Undertaking may be varied only with the express written agreement of the Commission. 7. OTHER MATTERS 7.1. NEC acknowledges that the Commission may publish and make publicly available this Undertaking, and without limitation to the foregoing, the Commission may issue public statements referring to this Undertaking and/or its contents in whole or in part. 7.2. For the avoidance of doubt, nothing in this Undertaking shall constrain or fetter the Commission’s rights in any manner, and the Commission shall be fully entitled to exercise all its statutory powers including, but not limited to, its powers under Section 29 and Section 50 of the PDPA to carry out enforcement action against NEC in respect of its findings herein, should there be a failure by NEC to comply with any term of this Undertaking or if the Commission has reasonable grounds for suspecting that any of the information provided by NEC in connection with the investigation in this case was incomplete, false or misleading in a material particular. 
Furthermore, nothing in this Undertaking shall fetter or constrain the Commission’s rights in any manner, nor be construed as granting any expectation that the Commission will take or not take any particular course of action in the future, should NEC be suspected or found to have contravened its obligations under the PDPA after the signing and acceptance of this Undertaking. 7.3. It is further acknowledged that the Commission’s acceptance of this Undertaking is on a one-off and exceptional basis, and is strictly confined to the particular facts of the present case, on the basis of the representations and information provided by NEC. The Commission’s acceptance of this Undertaking shall not be construed as establishing any precedent, shall not create any legitimate expectations on any parties (whether or not a party to this Undertaking), and shall not bind the Commission in respect of any other case involving a breach or suspected breach of the PDPA. All of the Commission’s rights in the foregoing respects are expressly reserved. 7.4. For the avoidance of doubt, acceptance of this Undertaking does not derogate from any rights and remedies available to any other person arising from conduct described in the Commission’s Letter or this Undertaking. 
SIGNED By ) Name: ______________________________ ) Designation: _________________________ ) for and on behalf of ) NEC Asia Pacific Pte Ltd ) Date: ______________________________ ) ACCEPTED By ) Name: ______________________________ ) Designation: _________________________ ) for and on behalf of ) Personal Data Protection Commission ) Date: _______________________________ ) ",1002 37,3600f6a5b2e34c38f355cba83507a6a66ea59703,4,NEC Asia Pacific Pte Ltd,https://www.pdpc.gov.sg/undertakings/undertaking-by-nec-asia-pacific-pte-ltd,2021-01-14,"Background  On 28 August 2017, the Personal Data Protection Commission (the “Commission”) received a data breach notification from JK TruData Solutions Pte Ltd (“JK TruData”) regarding a print job request via email (the “Email”) that it had received from NEC Asia Pacific Pte Ltd (“NEC”). The Email enclosed personal data that had been received by NEC from the common end customer (“Customer”) of both NEC and JK TruData (the “Incident”). JK TruData informed the Commission that it was not the intended recipient of the Email.  The Commission’s investigations showed that NEC employed a two-step process when sending relevant data to appointed printing vendors: (a) first, NEC would send the relevant data to the printing agent via an automated email function; (b) thereafter, NEC would follow up manually with an email to confirm the receipt of the automated email; NEC’s SOP required the staff doing this to check that the recipient was correct before sending the email, and for all confidential data to be encrypted. In this Incident, a mistake was made at the second step – an NEC employee sent the follow-up email (with the same content and attachment contained in the automated email without any encryption) to JK TruData instead of the correct printing agent.  
Although the Commission’s investigation findings suggested that NEC had not fully complied with its obligations under the PDPA, the Commission recognised that there was limited impact from the disclosure. The Commission found that disclosure of personal data had been limited to two authorised printing vendors of the Customer, one of which was JK TruData themselves, who were already bound in contract to the Customer to keep such information confidential. JK TruData also was already familiar with the types of personal data contained within the attachment and there was no further disclosure by NEC beyond JK TruData. The Deputy Commissioner also recognised that the incident did not arise as a result of the lack of controls but that the controls put in place by NEC were not sufficiently robust. In addition, NEC had made efforts to address the concerns raised in this case and to improve the personal data protection practice.  Undertaking  The Commission considered the circumstances of the case and accepted an undertaking from NEC to improve its compliance with the PDPA (the “Undertaking”). In particular, the Commission noted that there was limited impact from the disclosure as JK TruData was contractually obliged to keep confidential any personal data received. The Incident was also an isolated incident caused by human error and not a systemic problem. The Undertaking provided that NEC was to:  (a) engage an external consultant to review its confirmation process to prevent future recurrence of the issue. 
In particular, to further consider automating the email sending process;  (b) enhance the PDPA training for its staff handling personal data;  (c) implement adequate safeguards for the transmission of personal data to third parties;  (d) propose an implementation plan for fulfilling the above; and  (e) provide a status report to the Commission at a time requested by the Commission confirming whether NEC has fulfilled each of the specific measures set out in the implementation plan.  NEC has since provided the Commission with the implementation plan and status report referred to at para 5(d) & (e) above. The Commission has reviewed the matter and determined that NEC has complied with the terms of the Undertaking.  Please click here to view the Undertaking.    ",https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/undertakings/undertaking---nec.pdf,"APPENDIX A LEGALLY BINDING UNDERTAKING TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Personal Data Protection Commission by: NEC Asia Pacific Pte Ltd UEN: 197700754G Registered Address: 80 Bendemeer Road #05-01/02, Hyflux Innovation Centre Singapore 339949 By signing this Undertaking, NEC Asia Pacific Pte Ltd acknowledges the matters stated herein and agrees to be bound by the terms of this Undertaking. 1. DEFINITIONS 1.1. In this Undertaking: (a) “Commission” means the Personal Data Protection Commission. (b) “Commission’s Letter” means the letter dated 4 April 2018 from the Commission to NEC Asia Pacific Pte Ltd concerning its investigation under the PDPA, including the appendices thereto. (c) “Data Protection Provisions” means Parts III to VI of the PDPA. (d) “PDPA” means the Personal Data Protection Act 2012 (No. 26 of 2012). (e) “Time Frame” has the meaning given to it in paragraph 3.2. (f) “NEC” means NEC Asia Pacific Pte Ltd. 2. ACKNOWLEDGEMENTS 2.1. 
NEC hereby acknowledges the following matters: (a) The Commission has carried out an investigation into certain acts and practices of NEC, which allegedly infringe one or more provisions of the Data Protection Provisions. (b) The detailed facts and circumstances relating to the Commission’s investigation, as well as the Commission’s investigation findings and concerns arising therefrom, are set out in the Commission’s Letter, a copy of which has been furnished to NEC. (c) NEC agrees that it has been given the opportunity to submit representations to the Commission in relation to the facts, allegations and the Commission’s investigation findings, as well as the form of binding undertaking, as set out in the Commission’s Letter. (d) The Commission’s investigation findings suggest that NEC has not fully complied with its obligations under the PDPA. (e) As a result of the alleged non-compliance with the PDPA, the Commission has a number of enforcement options under the PDPA, including the option to give a direction under Section 29 of the PDPA. (f) The Deputy Commissioner recognises that the disclosure of data was limited to two authorised printing vendors who were bound by contract to keep such data confidential and were already familiar with the types of personal data contained within the attachment and there was no further disclosure beyond JK TruData. The Deputy Commissioner also recognises that the incident did not arise as a result of the lack of controls but that the controls were not sufficiently robust. In addition, NEC has made efforts to address the concerns raised in this case and to improve its personal data protection practices. (g) The Commission, having carefully considered all the relevant facts and circumstances, is of the view that this is an appropriate case in which to accept a binding undertaking. 3. UNDERTAKINGS 3.1. 
In consideration of the Commission not exercising its powers under Section 29 of the PDPA to give a direction in relation to the matters set out in the Commission’s Letter, NEC hereby undertakes as follows. 3.2. NEC undertakes to take all necessary steps to implement and give effect to the conditions set out below, within the time frame approved by the Commission under paragraph (d): (a) Engage an external consultant to review its confirmation process to prevent further recurrence of the issue. In particular, to consider automating the email sending process; (b) Enhance the PDPA training for its staff handling personal data; (c) Adequate safeguards are taken for transmission of personal data to third parties; (d) Provide to the Commission, within fourteen (14) days of the date of acceptance of this Undertaking, a proposed plan of implementation for fulfilling (a) to (c) above, for the Commission’s approval. The proposed plan of implementation shall state specific measures that NEC has taken and/or proposes to take to fulfil (a) to (c) above, as well as the time frame within which NEC expects to complete each of the specific measures (to the extent that these measures have yet to be completed). The overall time frame within which NEC proposes to complete all of the specific measures (the “Time Frame”) shall not exceed sixty (60) days beginning from the date of acceptance of this Undertaking. The proposed plan of implementation shall also explain how each of the specific measures proposed would address the concerns expressed in the Commission’s Letter and achieve the objectives of (a) to (c) above. NEC shall make such amendments to the proposed plan of implementation as may be required by the Commission, in order to address any further concerns that the Commission may have. 
In deciding whether to approve the plan of implementation, the Commission will consider whether the specific measures would adequately address the concerns expressed in the Commission’s Letter and achieve the objectives of (a) to (c) above; and (e) Provide a status report to the Commission within fourteen (14) days from the end of the Time Frame approved by the Commission under paragraph (d) confirming whether NEC has fulfilled each of the specific measures set out in the approved plan of implementation, and provide details as to when each of the specific measures was completed. 4. COMMENCEMENT, TERM AND TERMINATION 4.1. This Undertaking shall take effect upon the acceptance by the Commission of NEC’s fully executed Undertaking. 5. GOVERNING LAW 5.1. This Undertaking shall be governed by Singapore law. 6. VARIATION 6.1. This Undertaking may be varied only with the express written agreement of the Commission. 7. OTHER MATTERS 7.1. NEC acknowledges that the Commission may publish and make publicly available this Undertaking, and without limitation to the foregoing, the Commission may issue public statements referring to this Undertaking and/or its contents in whole or in part. 7.2. For the avoidance of doubt, nothing in this Undertaking shall constrain or fetter the Commission’s rights in any manner, and the Commission shall be fully entitled to exercise all its statutory powers including, but not limited to, its powers under Section 29 and Section 50 of the PDPA to carry out enforcement action against NEC in respect of its findings herein, should there be a failure by NEC to comply with any term of this Undertaking or if the Commission has reasonable grounds for suspecting that any of the information provided by NEC in connection with the investigation in this case was incomplete, false or misleading in a material particular. 
Furthermore, nothing in this Undertaking shall fetter or constrain the Commission’s rights in any manner, nor be construed as granting any expectation that the Commission will take or not take any particular course of action in the future, should NEC be suspected or found to have contravened its obligations under the PDPA after the signing and acceptance of this Undertaking. 7.3. It is further acknowledged that the Commission’s acceptance of this Undertaking is on a one-off and exceptional basis, and is strictly confined to the particular facts of the present case, on the basis of the representations and information provided by NEC. The Commission’s acceptance of this Undertaking shall not be construed as establishing any precedent, shall not create any legitimate expectations on any parties (whether or not a party to this Undertaking), and shall not bind the Commission in respect of any other case involving a breach or suspected breach of the PDPA. All of the Commission’s rights in the foregoing respects are expressly reserved. 7.4. For the avoidance of doubt, acceptance of this Undertaking does not derogate from any rights and remedies available to any other person arising from conduct described in the Commission’s Letter or this Undertaking. SIGNED By ) Name: ______________________________ ) Designation: _________________________ ) for and on behalf of ) NEC Asia Pacific Pte Ltd ) Date: ______________________________ ) ACCEPTED By ) Name: ______________________________ ) Designation: _________________________ ) for and on behalf of ) Personal Data Protection Commission ) Date: _______________________________ ) ",1007 1,216bf0da47497fa41ce7a7fa5c79070fa910939a,1,Grabcar Pte Ltd,https://www.pdpc.gov.sg/Undertakings/Undertaking-by-Grabcar-Pte-Ltd,2020-09-10,"Background The Personal Data Protection Commission (the “Commission”) received a data breach notification on 14 June 2018 from Grabcar Pte Ltd (“Grabcar”). 
Grabcar had inadvertently sent an email report on 6 June 2018 (the “Report”) to 9 fleet group partners. The Report contained the name, NRIC number, telephone number, and vehicle rental details of 110,931 Grabcar drivers. Each fleet partner was supposed to receive a filtered copy of the report, containing only the information of the drivers under its fleet. However, the Report contained information of drivers that were not in the respective fleet partner’s fleet. It was established that the inadvertent disclosure occurred due to an error in the script written by a software provider engaged by Grabcar. On 4 June 2018, Grabcar had requested the software provider to replicate the schedule for sending out the email report to accommodate a new version of the report. However, the software provider made a mistake in the script, which led to the email filter being set to “all”.  Remedial Actions Each fleet partner was bound by confidentiality clauses in their partnership agreement with Grabcar, which required the fleet partner to protect personal data received from Grabcar. Upon discovering the inadvertent disclosure, Grabcar contacted the fleet partners and requested that they delete the email containing the Report. The fleet partners confirmed to Grabcar that they had done so, within 40 mins of the email being sent.  Undertaking The Commission considered the circumstances of the case and accepted an undertaking from Grabcar to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 23 March 2020 (the “Undertaking”).  
The Undertaking provides that Grabcar was to: (a) review its change management process and to ensure that reasonable security checks are made before deploying such changes; (b) propose an implementation plan for fulfilling the above; (c) once the Commission approves the proposed implementation plan, comply with every obligation set out in the implementation plan; (d) appoint individuals of sufficient authority to oversee compliance with the Undertaking and to report the status of compliance to the Commission; and  (e) provide a status report to the Commission at a time requested by the Commission confirming whether Grabcar has fulfilled each of the specific measures set out in the implementation plan. Grabcar has since provided the Commission with the status report referred to at para 6(e) above. The Commission has reviewed the matter and determined that Grabcar has complied with the terms of the Undertaking.  Please click here to view the Undertaking.   ",https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Undertakings/Undertaking---Grabcar.pdf,"LEGALLY BINDING UNDERTAKING TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Info-communications Media Development Authority designated as the Personal Data Protection Commission under section 5(1) of the PDPA (hereinafter referred to as the “Commission”), by: Grabcar Pte. Ltd. UEN: 201427085E Registered Address: 6 Shenton Way, #38-01, OUE Downtown, Singapore 068809 (hereinafter referred to as the “Organisation”). By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and agrees to be bound by the terms of this Undertaking. 1. 
DEFINITIONS 1.1 In this Undertaking: (a) “Commission’s Letter” means the letter dated 21 February 2020 from the Commission to the Organisation, concerning its investigation under the PDPA, including the appendices thereto; (b) “Data Protection Provisions” means Parts III to VI of the PDPA; and (c) “PDPA” means the Personal Data Protection Act 2012 (No. 26 of 2012). 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) The Commission has carried out an investigation into certain acts and practices of the Organisation, which infringes one or more provisions of the Data Protection Provisions. (b) The facts and circumstances relating to the Commission’s investigation, as well as the Commission’s investigation findings and concerns arising therefrom, are set out in the Commission’s Letter, a copy of which has been furnished to the Organisation. (c) The Organisation agrees that it has been given the opportunity to submit representations to the Commission in relation to the facts, allegations and the Commission’s investigation findings, as well as the form of binding undertaking, as set out in the Commission’s Letter. (d) As a result of any non-compliance with the PDPA by an organisation, there are a number of enforcement options under the PDPA, including the option to give a direction under section 29 of the PDPA. (e) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. (f) Having carefully considered all the relevant facts and circumstances, the view is taken that this is an appropriate case in which a binding undertaking may be accepted. 3. 
UNDERTAKINGS 3.1 In consideration of the powers under section 29 of the PDPA not being exercised to give a direction in relation to the matters set out in the Commission Letter, the Organisation hereby undertakes as follows. 3.2 The Organisation undertakes to take all necessary steps to implement and give effect to the conditions set out below, and to procure and ensure that it takes all necessary steps to implement and give effect to the following within the time frame approved by the Commission under paragraph (b) below: (a) review its change management process when making changes to its Information Technology systems and services to ensure that reasonable security checks are made before deploying such changes; (b) provide, within fourteen (14) days of the date of acceptance of this Undertaking, a proposed plan of implementation for fulfilling (a) above, for the Commissioner’s approval. The proposed plan of implementation shall state specific measures that Grabcar has taken and/or proposes to take to fulfil (a) above, as well as the time frame within which Grabcar expects to complete each of the specific measures (to the extent that these measures have yet to be completed). The overall time frame within which Grabcar proposes to complete all of the specific measures (the “Time Frame”) shall not exceed sixty (60) days beginning from the date of acceptance of this Undertaking. The proposed plan of implementation shall also explain how each of the specific measures proposed would achieve the objective of (a) above. Grabcar shall make such amendments to the proposed plan of implementation as may be required by the Commissioner, in order to address any further concerns that the Commissioner may have. 
In deciding whether to approve the plan of implementation, the Commissioner will consider whether the specific measures would adequately address and achieve the objective of (a) above; and (c) comply and procure that Grabcar complies with each and every obligation set out in the approved plan of implementation, which is hereby incorporated into and forms part of this Undertaking, within the specified time frames; (d) appoint an individual of sufficient authority to oversee Grabcar’s compliance with the terms of the Undertaking and another individual of sufficient authority to work with the first named individual to report the status of Grabcar’s compliance to the Commissioner in accordance with paragraph (e) below, and to appoint a replacement in the event that either appointee departs from the organisation; and (e) provide a status report to the Commissioner within fourteen (14) days from the end of the Time Frame approved by the Commissioner under paragraph (d) confirming whether Grabcar has fulfilled each of the specific measures set out in the approved plan of implementation, and provide details as to when each of the specific measures was completed. 3.3 In addition, the Organisation undertakes to provide, and will ensure that it provides all necessary assistance that the Commission may require to verify the completion of the specific measures as set out in paragraph 3.2, including (without limitation) granting the Commission and its representatives physical access to the Organisation’s premises, providing information and documentation to the Commission, and arranging for meetings and/or interviews with the Organisation’s staff, contractors and/or consultants. To facilitate the Organisation’s ability to assist the Commission, the Commission shall provide reasonable notice (which shall not be less than 72 hours) prior to exercising the aforementioned verification activities. 4. 
COMMENCEMENT, TERM AND TERMINATION 4.1 This Undertaking shall take effect upon the acceptance by the Commission of the Organisation’s fully executed Undertaking. 5. GOVERNING LAW 5.1 This Undertaking shall be governed by Singapore law. Each party irrevocably submits to the exclusive jurisdiction of the Singapore courts any dispute or claim arising in any way out of or in connection with this Undertaking (including a dispute regarding the existence, validity or termination of this Undertaking), and waives any right to oppose any such Singapore action or proceedings on any jurisdictional basis, and agrees not to oppose the enforcement against it in any other jurisdiction of any judgment or order duly obtained from a Singapore court. 6. VARIATION 6.1 This Undertaking may be varied only with the express written agreement of the Commission. 7. OTHER MATTERS 7.1 The Organisation acknowledges that the Commission may publish and make publicly available this Undertaking, and without limitation to the foregoing, the Commission may issue public statements referring to this Undertaking and/or its contents in whole or in part. 7.2 For the avoidance of doubt, nothing in this Undertaking shall constrain or fetter the exercise of any statutory powers including, but not limited to, the powers under section 29 and section 50 of the PDPA in respect of the findings herein, should there be a failure by the Organisation to comply with any term of this Undertaking or if there are reasonable grounds for suspecting that any of the information provided by the Organisation in connection with the investigation in this case was incomplete, false or misleading in a material particular. 
Furthermore, nothing in this Undertaking shall fetter or constrain the Commission’s rights in any manner, nor be construed as creating any expectation that the Commission will take or not take any particular course of action in the future, should the Organisation be suspected or found to have contravened its obligations under the PDPA after the signing and acceptance of this Undertaking. 7.3 It is further acknowledged that the acceptance of this Undertaking is on a one-off and exceptional basis, and is strictly confined to the particular facts of the present case, on the basis of the information provided by the Organisation. The acceptance of this Undertaking shall not be construed as establishing any precedent, shall not create any legitimate expectations on the part of any parties (whether or not a party to this Undertaking), and shall not bind the Commission in respect of any other case involving a breach or suspected breach of the PDPA. All of the Commission’s rights in the foregoing respects are expressly reserved. 7.4 For the avoidance of doubt, acceptance of this Undertaking does not derogate from any rights and remedies available to any other person arising from conduct described in this Undertaking. SIGNED, for and on behalf of ) Grabcar Pte. Ltd. 
) By the following: ) Name: ______________________________________ ) Designation: _________________________________ ) Date: _______________________________________ ) ACCEPTED, for and on behalf of ) Info-communications Media Development Authority ) By the following: ) Name: ______________________________________ ) Designation: _________________________________ ) Date: _______________________________________ ) ",1002 2,37bd4cdd0b27d929983b1ff4a241ffeae39691a5,2,Employment & Employability Institute Pte Ltd,https://www.pdpc.gov.sg/Undertakings/Undertaking-by-Employment-Employability-Institute-Pte-Ltd,2020-09-10,"Background The Personal Data Protection Commission (the “Commission”) received a data breach notification on 24 July 2019 from Employment & Employability Institute Pte Ltd (“e2i”). e2i had disclosed personal data of its jobseekers via an email (“Email”) sent erroneously to one external party. The aforesaid personal data was contained in an Excel Spreadsheet (“Spreadsheet”) attached to the Email. The Spreadsheet contained the name, NRIC number, email address, date of birth, citizenship, race, gender, qualifications and employer name of 101 jobseekers. Additionally, 24 sets of actual salary information and 77 sets of desired salary information belonging to the same 101 jobseekers were also disclosed.  It was established that the inadvertent disclosure occurred due to an e2i employee selecting the wrong recipient from the dropdown list. The Email was meant for an internal colleague. However, as the external party bore the same first name as the internal colleague, the wrong recipient was picked.  Remedial Actions e2i communicated with the external party to delete the Email and the Spreadsheet. Additionally, e2i reminded all employees to password protect all files containing personal data for both internal and external correspondence. Guidelines on protecting personal data were also emailed to all employees.  
Undertaking The Commission considered the circumstances of the case and accepted an undertaking from e2i to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 15 November 2019 (the “Undertaking”).  The Undertaking provides that e2i was to: (a) review its procedures for the sending of internal and external correspondences including emails which contain personal data of its jobseekers by all relevant employees;  (b) review the training of employees involved in correspondences that may comprise or touch on the personal data of jobseekers on how to handle and protect the data adequately;  (c) propose an implementation plan for fulfilling the above; (d) once the Commission approves the proposed implementation plan, comply with every obligation set out in the implementation plan; (e) appoint individuals of sufficient authority to oversee compliance with the Undertaking and to report the status of compliance to the Commission; and  (f) provide a status report to the Commission at a time requested by the Commission confirming whether e2i has fulfilled each of the specific measures set out in the implementation plan. e2i has since provided the Commission with the status report referred to at para 6(f) above on 2 January 2020. The Commission has reviewed the matter and determined that e2i has complied with the terms of the Undertaking. 
Please click here to view the Undertaking.",https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Undertakings/Undertaking---e2i-2020.pdf,"APPENDIX A LEGALLY BINDING UNDERTAKING TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Personal Data Protection Commission by: Employment and Employability Institute Pte Ltd UEN: 200704772C Registered Address: 30 Cecil Street, #19-08, Prudential Tower, Singapore 049712 By signing this Undertaking, Employment and Employability Institute Pte Ltd acknowledges the matters stated herein and agrees to be bound by the terms of this Undertaking. 1. DEFINITIONS 1.1. In this Undertaking: (a) “Commission” means the Personal Data Protection Commission. (b) “Commissioner” means the Commissioner for Personal Data Protection. (c) “Commission’s Letter” means the letter dated 17 October 2019 from the Commission to Employment and Employability Institute Pte Ltd concerning its investigation under the PDPA, including the appendices thereto. (d) “Data Protection Provisions” means Parts III to VI of the PDPA. (e) “PDPA” means the Personal Data Protection Act 2012 (No. 26 of 2012). (f) “Time Frame” has the meaning given to it in paragraph 3.2. (g) “E2i” means Employment and Employability Institute Pte Ltd, a company incorporated in Singapore (UEN: 200704772C). 2. ACKNOWLEDGEMENTS 2.1. E2i hereby acknowledges the following matters: (a) The Commission has carried out an investigation into certain acts and practices of E2i, which infringe one or more provisions of the Data Protection Provisions. (b) The facts and circumstances relating to the Commission’s investigation, as well as the Commission’s investigation findings and concerns arising therefrom, are set out in the Commission’s Letter, a copy of which has been furnished to E2i. 
(c) E2i agrees that it has been given the opportunity to submit representations to the Commission in relation to the facts, allegations and the Commission’s investigation findings, as well as the form of binding undertaking, as set out in the Commission’s Letter. (d) As a result of any non-compliance with the PDPA by an organisation, there are a number of enforcement options under the PDPA, including the option to give a direction under section 29 of the PDPA. (e) The Commission recognises that E2i has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, E2i was cooperative in the course of the investigation and was responsive to requests for information. (f) Having carefully considered all the relevant facts and circumstances, the view is taken that this is an appropriate case in which a binding undertaking may be accepted. 3. UNDERTAKINGS 3.1. In consideration of the powers under section 29 of the PDPA not being exercised to give a direction in relation to the matters set out in the Commission Letter, E2i hereby undertakes as follows. 3.2. E2i undertakes to take all necessary steps to implement and give effect to the conditions set out below, and to procure and ensure that it takes all necessary steps to implement and give effect to the following within the time frame approved by the Commission under paragraph (c): (a) review and update its procedure for the sending of internal and external correspondences including emails which contain personal data of its jobseekers by all relevant employees; (b) review the training provided for its employees involved in correspondences that may comprise or touch on the personal data of its jobseekers, particularly in the steps necessary on how to handle and protect personal data adequately; 
(c) provide, within fourteen (14) days of the date of acceptance of this Undertaking, a proposed plan of implementation for fulfilling (a) to (b) above, for the Commission’s approval. The proposed plan of implementation shall state specific measures that E2i has taken and/or proposes to take to fulfil (a) to (b) above, as well as the time frame within which E2i expects to complete each of the specific measures (to the extent that these measures have yet to be completed). The overall time frame within which E2i proposes to complete all of the specific measures (the “Time Frame”) shall not exceed sixty (60) days beginning from the date of acceptance of this Undertaking. The proposed plan of implementation shall also explain how each of the specific measures proposed would achieve the objectives of (a) to (b) above. E2i shall make such amendments to the proposed plan of implementation as may be required by the Commission, in order to address any further concerns that the Commission may have. 
In deciding whether to approve the plan of implementation, the Commission will consider whether the specific measures would adequately address and achieve the objectives of (a) to (b) above; and (d) comply and procure that E2i complies with each and every obligation set out in the approved plan of implementation, which is hereby incorporated into and forms part of this Undertaking, within the specified time frames; (e) appoint an individual of sufficient authority to oversee E2i’s compliance with the terms of the Undertaking and to report to the Commission, and to appoint a replacement in the event of the appointee’s departure from the organisation; and (f) provide a status report to the Commission within fourteen (14) days from the end of the Time Frame approved by the Commission under paragraph (c) confirming whether E2i has fulfilled each of the specific measures set out in the approved plan of implementation, and provide details as to when each of the specific measures was completed. 3.3. In addition, E2i undertakes to provide, and will ensure that it provides all necessary assistance that the Commission may require to verify the completion of the specific measures under the plan of implementation, including (without limitation) granting the Commission and its representatives physical access to E2i’s premises, providing information and documentation to the Commission, and arranging for meetings and/or interviews with E2i staff, contractors and/or consultants. 4. COMMENCEMENT, TERM AND TERMINATION 4.1. This Undertaking shall take effect upon the acceptance by the Commission of E2i’s fully executed Undertaking. 5. GOVERNING LAW 5.1. This Undertaking shall be governed by Singapore law. 
Each party irrevocably submits to the exclusive jurisdiction of the Singapore courts any dispute or claim arising in any way out of or in connection with this Undertaking (including a dispute regarding the existence, validity or termination of this Undertaking), and waives any right to oppose any such Singapore action or proceedings on any jurisdictional basis, and agrees not to oppose the enforcement against it in any other jurisdiction of any judgment or order duly obtained from a Singapore court. 6. VARIATION 6.1. This Undertaking may be varied only with the express written agreement of the Commission. 7. OTHER MATTERS 7.1. E2i acknowledges that the Commission may publish and make publicly available this Undertaking, and without limitation to the foregoing, the Commission may issue public statements referring to this Undertaking and/or its contents in whole or in part. 7.2. For the avoidance of doubt, nothing in this Undertaking shall constrain or fetter the exercise of any statutory powers including, but not limited to, the powers under section 29 and section 50 of the PDPA in respect of the findings herein, should there be a failure by E2i to comply with any term of this Undertaking or if there are reasonable grounds for suspecting that any of the information provided by E2i in connection with the investigation in this case was incomplete, false or misleading in a material particular. Furthermore, nothing in this Undertaking shall fetter or constrain the Commission’s rights in any manner, nor be construed as creating any expectation that the Commission will take or not take any particular course of action in the future, should E2i be suspected or found to have contravened its obligations under the PDPA after the signing and acceptance of this Undertaking. 7.3. 
It is further acknowledged that the acceptance of this Undertaking is on a one-off and exceptional basis, and is strictly confined to the particular facts of the present case, on the basis of the information provided by E2i. The acceptance of this Undertaking shall not be construed as establishing any precedent, shall not create any legitimate expectations on the part of any parties (whether or not a party to this Undertaking), and shall not bind the Commission in respect of any other case involving a breach or suspected breach of the PDPA. All of the Commission’s rights in the foregoing respects are expressly reserved. 7.4. For the avoidance of doubt, acceptance of this Undertaking does not derogate from any rights and remedies available to any other person arising from conduct described in this Undertaking. SIGNED By ) Name: ______________________________ ) Designation: _________________________ ) for and on behalf of ) Employment and Employability Institute Pte Ltd ) Date: ______________________________ ) ACCEPTED By ) Name: ______________________________ ) Designation: _________________________ ) for and on behalf of ) Personal Data Protection Commission ) Date: _______________________________ ) ",1002
3,4d507e6992e221664d138fc0a91101fd2035fc72,3,HSBC Bank (Singapore) Limited,https://www.pdpc.gov.sg/Undertakings/Undertaking-by-HSBC-Bank-(Singapore)-Limited,2020-09-10,"Background On 21 May 2018 and 30 May 2018 respectively, the Personal Data Protection Commission (the “Commission”) received complaints from two individuals that HSBC Bank (Singapore) Limited (“HSBC”) had sent them a marketing email (the “Email”) without their consent (the “Incident”). HSBC reported the Incident to the Commission voluntarily on 25 May 2018. As reported by HSBC, the Email was a “test email”, and it had intended to send the Email only to HSBC’s employees to test their eDM (electronic direct mail) platform. 
However, due to incorrect configurations set on the eDM platform, the Email was sent to a significant number of email addresses (more than 100,000). This number included email addresses of individuals who had withdrawn their consent to receive marketing emails from HSBC. The individuals had received the Email twice, as it was sent once on two consecutive days. No personal data was disclosed in the Incident. Remedial Actions HSBC rectified the configuration settings immediately upon finding out about the error. In addition, to prevent recurrence of similar incidents, HSBC introduced a checklist to ensure all procedures were adhered to prior to the sending of eDMs. It also cleaned up its existing database. Undertaking The Commission considered the circumstances of the case and accepted an undertaking from HSBC to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 20 January 2020 (the “Undertaking”). The Undertaking provides that HSBC was to: (a) review and update its procedure for the sending of eDMs using its emailing platform to ensure that any error or omission in setting or configuration does not result in the mass dispatch of eDMs to all email addresses stored in its database; (b) review the training provided for its employees involved in the eDM process, particularly in the steps necessary to select and verify the correct email addresses; (c) review the process of retaining and storing email addresses of both current and former customers who have withdrawn consent for the use of their personal data for the sending of marketing or any other EDMs to them, or whose banking accounts have become inactive under HSBC’s applicable terms. 
(d) propose an implementation plan for fulfilling the above; (e) once the Commission approves the proposed implementation plan, comply with every obligation set out in the implementation plan; (f) appoint individuals of sufficient authority to oversee compliance with the Undertaking and to report the status of compliance to the Commission; and (g) provide a status report to the Commission at a time requested by the Commission confirming whether HSBC has fulfilled each of the specific measures set out in the implementation plan. HSBC has since provided the Commission with the status report referred to at para 5(g) above on 3 April 2020. The Commission has reviewed the matter and determined that HSBC has complied with the terms of the Undertaking. Please click here to view the Undertaking.",https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Undertakings/Undertaking---HSBC.pdf,"APPENDIX A LEGALLY BINDING UNDERTAKING TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Personal Data Protection Commission by: HSBC Bank (Singapore) Limited UEN: 201420624K Registered Address: 21 Collyer Quay #13-02 HSBC Building, Singapore 049320 By signing this Undertaking, HSBC Bank (Singapore) Limited acknowledges the matters stated herein and agrees to be bound by the terms of this Undertaking. 1. DEFINITIONS 1.1. In this Undertaking: (a) “PDPC” means the Personal Data Protection Commission. (b) “Commissioner” means the Commissioner for Personal Data Protection. (c) “Commission’s Letter” means the letter dated 12 December 2019 from the Commission to HSBC Bank (Singapore) Limited concerning its investigation under the PDPA, including the appendices thereto. (d) “Data Protection Provisions” means Parts III to VI of the PDPA. (e) “PDPA” means the Personal Data Protection Act 2012 (No. 26 of 2012). (f) “Time Frame” has the meaning given to it in paragraph 3.2. (g) “HSBC” means HSBC Bank (Singapore) Limited, a company incorporated in Singapore (UEN: 201420624K). 
2. ACKNOWLEDGEMENTS 2.1. HSBC hereby acknowledges the following matters: (a) PDPC has carried out an investigation into certain acts and practices of HSBC involving the erroneous sending of electronic direct mails (the “Incident”). (b) The facts and circumstances relating to the Commission’s investigations are set out in the Commission’s Letter, a copy of which has been furnished to HSBC. (c) HSBC agrees that it has been given the opportunity to submit representations to the Commission in relation to the facts and allegations, and that it has done so in the form of the following documents: i. Response to “NOTICE TO REQUIRE PRODUCTION OF DOCUMENTS AND INFORMATION UNDER THE NINTH SCHEDULE TO THE PERSONAL DATA PROTECTION ACT 2012” dated 20 June 2018; ii. Response to “SECOND NOTICE TO REQUIRE PRODUCTION OF DOCUMENTS AND INFORMATION UNDER THE NINTH SCHEDULE TO THE PERSONAL DATA PROTECTION ACT 2012” dated 16 July 2018 (“Response to the 2nd NTP”); iii. Response to follow-up clarifications from the PDPA sent via electronic mail with the subject title “RE: 2nd Notice to Require Production of Documents and Information for HSBC Bank (Singapore) Limited [Our Ref: DP-1805-B2152]” dated 10 October 2018; and iv. Response to follow-up clarifications from the PDPA sent via electronic mail with the subject title “Clarifications following NTP Responses by HSBC Bank (Singapore) Limited [Our Ref: DP-1805-B2152]” dated 1 November 2018 (“1 November Email Clarification”). (d) HSBC also agrees that it has been given the opportunity to submit representations to the Commission in relation to the form of this binding undertaking. (e) Although the Commissioner has a number of enforcement options under the PDPA, including the option to give a direction under section 29 of the PDPA, the Commissioner recognises that HSBC has made efforts to address the concerns raised in this case and to improve its personal data protection practices. 
In addition, HSBC was cooperative in the course of the investigation and was responsive to requests for information. (f) The Commissioner, having carefully considered all the relevant facts and circumstances, is of the view that this is an appropriate case in which to accept a binding undertaking. 3. UNDERTAKINGS 3.1. In consideration of the Commissioner not exercising the powers under section 29 of the PDPA to give a direction in relation to the Incident and the Commission’s investigation, HSBC hereby undertakes as follows. 3.2. HSBC undertakes to take all necessary steps to implement and give effect to the conditions set out below, and to procure and ensure that it takes all necessary steps to implement and give effect to the following within the time frame approved by the Commissioner under paragraph (d): (a) review and update its procedure for the sending of EDMs using [name of emailing platform redacted for confidentiality] or other current emailing platform to ensure that any error or omission in setting or configuration does not result in the mass dispatch of EDMs to all email addresses stored in its database; (b) review the training provided for its employees involved in the EDM process, particularly in the steps necessary to select and verify the correct email addresses; (c) review the process of retaining and storing email addresses of both current and former customers who have withdrawn consent for the use of their personal data for the sending of marketing or any other EDMs to them, or whose banking accounts have become inactive under HSBC’s applicable terms, (d) provide, within fourteen (14) days of the date of acceptance of this Undertaking, a proposed plan of implementation for fulfilling (a) to (c) above, for the Commissioner’s approval. 
The proposed plan of implementation shall state specific measures that HSBC has taken and/or proposes to take to fulfil (a) to (c) above, as well as the time frame within which HSBC expects to complete each of the specific measures (to the extent that these measures have yet to be completed). The overall time frame within which HSBC proposes to complete all of the specific measures (the “Time Frame”) shall not exceed sixty (60) days beginning from the date of acceptance of this Undertaking. The proposed plan of implementation shall also explain how each of the specific measures proposed would achieve the objectives of (a) to (c) above. HSBC shall make such amendments to the proposed plan of implementation as may be required by the Commissioner, in order to address any further concerns that the Commissioner may have. In deciding whether to approve the plan of implementation, the Commissioner will consider whether the specific measures would adequately address and achieve the objectives of (a) to (c) above; (e) comply and procure that HSBC complies with each and every obligation set out in the approved plan of implementation, which is hereby incorporated into and forms part of this Undertaking, within the specified time frames; (f) appoint an individual of sufficient authority to oversee HSBC’s compliance with the terms of the Undertaking and to report to the Commissioner, and to appoint a replacement in the event of the appointee’s departure from the organisation; and (g) provide a status report to the Commissioner within fourteen (14) days from the end of the Time Frame approved by the Commissioner under paragraph (d) confirming whether HSBC has fulfilled each of the specific measures set out in the approved plan of implementation, and provide details as to when each of the specific measures was completed. 3.3. 
In addition, HSBC undertakes to provide, and will ensure that it provides all necessary assistance that the Commissioner may require to verify the completion of the specific measures under the plan of implementation, including (without limitation) granting the Commissioner and its representatives physical access to HSBC’s premises, providing information and documentation to the Commissioner, and arranging for meetings and/or interviews with HSBC staff, contractors and/or consultants. 4. COMMENCEMENT, TERM AND TERMINATION 4.1. This Undertaking shall take effect upon the acceptance by the Commissioner of HSBC’s fully executed Undertaking. 5. GOVERNING LAW 5.1. This Undertaking shall be governed by Singapore law. Each party irrevocably submits to the exclusive jurisdiction of the Singapore courts any dispute or claim arising in any way out of or in connection with this Undertaking (including a dispute regarding the existence, validity or termination of this Undertaking), and waives any right to oppose any such Singapore action or proceedings on any jurisdictional basis, and agrees not to oppose the enforcement against it in any other jurisdiction of any judgment or order duly obtained from a Singapore court. 6. VARIATION 6.1. This Undertaking may be varied only with the express written agreement of the Commissioner. 7. OTHER MATTERS 7.1. HSBC acknowledges that the Commissioner may publish and make publicly available this Undertaking, and without limitation to the foregoing, the Commissioner may issue public statements referring to this Undertaking and/or its contents in whole or in part. 7.2. 
For the avoidance of doubt, nothing in this Undertaking shall constrain or fetter the Commissioner’s rights in any manner, and the Commissioner shall be fully entitled to exercise all its statutory powers including, but not limited to, the powers under section 29 and section 50 of the PDPA to carry out enforcement action against HSBC in respect of its findings herein, should there be a failure by HSBC to comply with any term of this Undertaking or if the Commissioner has reasonable grounds for suspecting that any of the information provided by HSBC in connection with the investigation in this case was incomplete, false or misleading in a material particular. Furthermore, nothing in this Undertaking shall fetter or constrain the Commissioner’s rights in any manner, nor be construed as creating any expectation that the Commissioner will take or not take any particular course of action in the future, should HSBC be suspected or found to have contravened its obligations under the PDPA after the signing and acceptance of this Undertaking. 7.3. It is further acknowledged that the Commissioner’s acceptance of this Undertaking is on a one-off and exceptional basis, and is strictly confined to the particular facts of the present case, on the basis of the information provided by HSBC. The Commissioner’s acceptance of this Undertaking shall not be construed as establishing any precedent, shall not create any legitimate expectations on the part of any parties (whether or not a party to this Undertaking), and shall not bind the Commissioner in respect of any other case involving a breach or suspected breach of the PDPA. All of the Commissioner’s rights in the foregoing respects are expressly reserved. 7.4. For the avoidance of doubt, acceptance of this Undertaking does not derogate from any rights and remedies available to any other person arising from conduct described in this Undertaking. 
SIGNED By ) Name: ______________________________ ) Designation: _________________________ ) for and on behalf of ) HSBC Bank (Singapore) Limited ) Date: ______________________________ ) ACCEPTED By ) Name: ______________________________ ) Designation: _________________________ ) for and on behalf of the Commissioner, ) Personal Data Protection Commission ) Date: _______________________________ ) ",1002
34,f5d04fab2c066ce257a4af89314f722cbd69592d,1,Grabcar Pte Ltd,https://www.pdpc.gov.sg/undertakings/undertaking-by-grabcar-pte-ltd,2020-09-10,"Background The Personal Data Protection Commission (the “Commission”) received a data breach notification on 14 June 2018 from Grabcar Pte Ltd (“Grabcar”). Grabcar had inadvertently sent an email report on 6 June 2018 (the “Report”) to 9 fleet group partners. The Report contained the name, NRIC number, telephone number, and vehicle rental details of 110,931 Grabcar drivers. Each fleet partner was supposed to receive a filtered copy of the report, containing only the information of the drivers under its fleet. However, the Report contained information of drivers that were not in the respective fleet partner’s fleet. It was established that the inadvertent disclosure occurred due to an error in the script written by a software provider engaged by Grabcar. On 4 June 2018, Grabcar had requested the software provider to replicate the schedule for sending out the email report to accommodate a new version of the report. However, the software provider made a mistake in the script, which led to the email filter being set to “all”. Remedial Actions Each fleet partner was bound by confidentiality clauses in their partnership agreement with Grabcar, which required the fleet partner to protect personal data received from Grabcar. Upon discovering the inadvertent disclosure, Grabcar contacted the fleet partners and requested that they delete the email containing the Report. 
The fleet partners confirmed to Grabcar that they had done so, within 40 mins of the email being sent.  Undertaking The Commission considered the circumstances of the case and accepted an undertaking from Grabcar to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 23 March 2020 (the “Undertaking”).  The Undertaking provides that Grabcar was to: (a) review its change management process and to ensure that reasonable security checks are made before deploying such changes; (b) propose an implementation plan for fulfilling the above; (c) once the Commission approves the proposed implementation plan, comply with every obligation set out in the implementation plan; (d) appoint individuals of sufficient authority to oversee compliance with the Undertaking and to report the status of compliance to the Commission; and  (e) provide a status report to the Commission at a time requested by the Commission confirming whether Grabcar has fulfilled each of the specific measures set out in the implementation plan. Grabcar has since provided the Commission with the status report referred to at para 6(e) above. The Commission has reviewed the matter and determined that Grabcar has complied with the terms of the Undertaking.  Please click here to view the Undertaking.   ",https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/undertakings/undertaking---grabcar.pdf,"LEGALLY BINDING UNDERTAKING TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Info-communications Media Development Authority designated as the Personal Data Protection Commission under section 5(1) of the PDPA (hereinafter referred to as the “Commission”), by: Grabcar Pte. Ltd. UEN: 201427085E Registered Address: 6 Shenton Way, #38-01, OUE Downtown, Singapore 068809 (hereinafter referred to as the “Organisation”). 
By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and agrees to be bound by the terms of this Undertaking. 1. DEFINITIONS 1.1 In this Undertaking: (a) “Commission’s Letter” means the letter dated 21 February 2020 from the Commission to the Organisation, concerning its investigation under the PDPA, including the appendices thereto; (b) “Data Protection Provisions” means Parts III to VI of the PDPA; and (c) “PDPA” means the Personal Data Protection Act 2012 (No. 26 of 2012). 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) The Commission has carried out an investigation into certain acts and practices of the Organisation, which infringe one or more provisions of the Data Protection Provisions. (b) The facts and circumstances relating to the Commission’s investigation, as well as the Commission’s investigation findings and concerns arising therefrom, are set out in the Commission’s Letter, a copy of which has been furnished to the Organisation. (c) The Organisation agrees that it has been given the opportunity to submit representations to the Commission in relation to the facts, allegations and the Commission’s investigation findings, as well as the form of binding undertaking, as set out in the Commission’s Letter. (d) As a result of any non-compliance with the PDPA by an organisation, there are a number of enforcement options under the PDPA, including the option to give a direction under section 29 of the PDPA. (e) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. (f) Having carefully considered all the relevant facts and circumstances, the view is taken that this is an appropriate case in which a binding undertaking may be accepted. 3. 
UNDERTAKINGS 3.1 In consideration of the powers under section 29 of the PDPA not being exercised to give a direction in relation to the matters set out in the Commission Letter, the Organisation hereby undertakes as follows. 3.2 The Organisation undertakes to take all necessary steps to implement and give effect to the conditions set out below, and to procure and ensure that it takes all necessary steps to implement and give effect to the following within the time frame approved by the Commission under paragraph (b) below: (a) review its change management process when making changes to its Information Technology systems and services to ensure that reasonable security checks are made before deploying such changes; (b) provide, within fourteen (14) days of the date of acceptance of this Undertaking, a proposed plan of implementation for fulfilling (a) above, for the Commissioner’s approval. The proposed plan of implementation shall state specific measures that Grabcar has taken and/or proposes to take to fulfil (a) above, as well as the time frame within which Grabcar expects to complete each of the specific measures (to the extent that these measures have yet to be completed). The overall time frame within which Grabcar proposes to complete all of the specific measures (the “Time Frame”) shall not exceed sixty (60) days beginning from the date of acceptance of this Undertaking. The proposed plan of implementation shall also explain how each of the specific measures proposed would achieve the objective of (a) above. Grabcar shall make such amendments to the proposed plan of implementation as may be required by the Commissioner, in order to address any further concerns that the Commissioner may have. 
In deciding whether to approve the plan of implementation, the Commissioner will consider whether the specific measures would adequately address and achieve the objective of (a) above; and (c) comply and procure that Grabcar complies with each and every obligation set out in the approved plan of implementation, which is hereby incorporated into and forms part of this Undertaking, within the specified time frames; (d) appoint an individual of sufficient authority to oversee Grabcar’s compliance with the terms of the Undertaking and another individual of sufficient authority to work with the first named individual to report the status of Grabcar’s compliance to the Commissioner in accordance with paragraph (e) below, and to appoint a replacement in the event that either appointee departs from the organisation; and (e) provide a status report to the Commissioner within fourteen (14) days from the end of the Time Frame approved by the Commissioner under paragraph (d) confirming whether Grabcar has fulfilled each of the specific measures set out in the approved plan of implementation, and provide details as to when each of the specific measures was completed. 3.3 In addition, the Organisation undertakes to provide, and will ensure that it provides all necessary assistance that the Commission may require to verify the completion of the specific measures as set out in paragraph 3.2, including (without limitation) granting the Commission and its representatives physical access to the Organisation’s premises, providing information and documentation to the Commission, and arranging for meetings and/or interviews with the Organisation’s staff, contractors and/or consultants. To facilitate the Organisation’s ability to assist the Commission, the Commission shall provide reasonable notice (which shall not be less than 72 hours) prior to exercising the aforementioned verification activities. 4. 
COMMENCEMENT, TERM AND TERMINATION 4.1 This Undertaking shall take effect upon the acceptance by the Commission of the Organisation’s fully executed Undertaking. 5. GOVERNING LAW 5.1 This Undertaking shall be governed by Singapore law. Each party irrevocably submits to the exclusive jurisdiction of the Singapore courts any dispute or claim arising in any way out of or in connection with this Undertaking (including a dispute regarding the existence, validity or termination of this Undertaking), and waives any right to oppose any such Singapore action or proceedings on any jurisdictional basis, and agrees not to oppose the enforcement against it in any other jurisdiction of any judgment or order duly obtained from a Singapore court. 6. VARIATION 6.1 This Undertaking may be varied only with the express written agreement of the Commission. 7. OTHER MATTERS 7.1 The Organisation acknowledges that the Commission may publish and make publicly available this Undertaking, and without limitation to the foregoing, the Commission may issue public statements referring to this Undertaking and/or its contents in whole or in part. 7.2 For the avoidance of doubt, nothing in this Undertaking shall constrain or fetter the exercise of any statutory powers including, but not limited to, the powers under section 29 and section 50 of the PDPA in respect of the findings herein, should there be a failure by the Organisation to comply with any term of this Undertaking or if there are reasonable grounds for suspecting that any of the information provided by the Organisation in connection with the investigation in this case was incomplete, false or misleading in a material particular. 
Furthermore, nothing in this Undertaking shall fetter or constrain the Commission’s rights in any manner, nor be construed as creating any expectation that the Commission will take or not take any particular course of action in the future, should the Organisation be suspected or found to have contravened its obligations under the PDPA after the signing and acceptance of this Undertaking. 7.3 It is further acknowledged that the acceptance of this Undertaking is on a one-off and exceptional basis, and is strictly confined to the particular facts of the present case, on the basis of the information provided by the Organisation. The acceptance of this Undertaking shall not be construed as establishing any precedent, shall not create any legitimate expectations on the part of any parties (whether or not a party to this Undertaking), and shall not bind the Commission in respect of any other case involving a breach or suspected breach of the PDPA. All of the Commission’s rights in the foregoing respects are expressly reserved. 7.4 For the avoidance of doubt, acceptance of this Undertaking does not derogate from any rights and remedies available to any other person arising from conduct described in this Undertaking. SIGNED, for and on behalf of ) Grabcar Pte. Ltd. 
) By the following: ) Name: ______________________________________ ) Designation: _________________________________ ) Date: _______________________________________ ) ACCEPTED, for and on behalf of ) Info-communications Media Development Authority ) By the following: ) Name: ______________________________________ ) Designation: _________________________________ ) Date: _______________________________________ ) ",1007 35,885d3b6e6ea85ed71f71fb9713c1a54cf9420fd2,2,Employment & Employability Institute Pte Ltd,https://www.pdpc.gov.sg/undertakings/undertaking-by-employment-employability-institute-pte-ltd,2020-09-10,"Background The Personal Data Protection Commission (the “Commission”) received a data breach notification on 24 July 2019 from Employment & Employability Institute Pte Ltd (“e2i”). e2i had disclosed personal data of its jobseekers via an email (“Email”) sent erroneously to one external party. The aforesaid personal data was contained in an Excel Spreadsheet (“Spreadsheet”) attached to the Email. The Spreadsheet contained the name, NRIC number, email address, date of birth, citizenship, race, gender, qualifications and employer name of 101 jobseekers. Additionally, 24 sets of actual salary information and 77 sets of desired salary information belonging to the same 101 jobseekers were also disclosed. It was established that the inadvertent disclosure occurred due to an e2i employee selecting the wrong recipient from the dropdown list. The Email was meant for an internal colleague. However, as the external party bore the same first name as the internal colleague, the wrong recipient was picked. Remedial Actions e2i communicated with the external party to delete the Email and the Spreadsheet. Additionally, e2i reminded all employees to password protect all files containing personal data for both internal and external correspondence. Guidelines on protecting personal data were also emailed to all employees. 
Voluntary Undertaking The Commission considered the circumstances of the case and accepted an undertaking from e2i to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 15 November 2019 (the “Undertaking”). The Undertaking provides that e2i was to: (a) review its procedures for the sending of internal and external correspondences including emails which contain personal data of its jobseekers by all relevant employees; (b) review the training of employees involved in correspondences that may comprise or touch on the personal data of jobseekers on how to handle and protect the data adequately; (c) propose an implementation plan for fulfilling the above; (d) once the Commission approves the proposed implementation plan, comply with every obligation set out in the implementation plan; (e) appoint individuals of sufficient authority to oversee compliance with the Undertaking and to report the status of compliance to the Commission; and (f) provide a status report to the Commission at a time requested by the Commission confirming whether e2i has fulfilled each of the specific measures set out in the implementation plan. e2i has since provided the Commission with the status report referred to at para 6(f) above on 2 January 2020. The Commission has reviewed the matter and determined that e2i has complied with the terms of the Undertaking. 
Please click here to view the Undertaking.",https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/undertakings/undertaking---e2i-2020.pdf,"APPENDIX A LEGALLY BINDING UNDERTAKING TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Personal Data Protection Commission by: Employment and Employability Institute Pte Ltd UEN: 200704772C Registered Address: 30 Cecil Street, #19-08, Prudential Tower, Singapore 049712 By signing this Undertaking, Employment and Employability Institute Pte Ltd acknowledges the matters stated herein and agrees to be bound by the terms of this Undertaking. 1. DEFINITIONS 1.1. In this Undertaking: (a) “Commission” means the Personal Data Protection Commission. (b) “Commissioner” means the Commissioner for Personal Data Protection. (c) “Commission’s Letter” means the letter dated 17 October 2019 from the Commission to Employment and Employability Institute Pte Ltd concerning its investigation under the PDPA, including the appendices thereto. (d) “Data Protection Provisions” means Parts III to VI of the PDPA. (e) “PDPA” means the Personal Data Protection Act 2012 (No. 26 of 2012). (f) “Time Frame” has the meaning given to it in paragraph 3.2. (g) “E2i” means Employment and Employability Institute Pte Ltd, a company incorporated in Singapore (UEN: 200704772C). Page 1 of 5 2. ACKNOWLEDGEMENTS 2.1. E2i hereby acknowledges the following matters: (a) The Commission has carried out an investigation into certain acts and practices of E2i, which infringes one or more provisions of the Data Protection Provisions. (b) The facts and circumstances relating to the Commission’s investigation, as well as the Commission’s investigation findings and concerns arising therefrom, are set out in the Commission’s Letter, a copy of which has been furnished to E2i. 
(c) E2i agrees that it has been given the opportunity to submit representations to the Commission in relation to the facts, allegations and the Commission’s investigation findings, as well as the form of binding undertaking, as set out in the Commission’s Letter. (d) As a result of any non-compliance with the PDPA by an organisation, there are a number of enforcement options under the PDPA, including the option to give a direction under section 29 of the PDPA. (e) The Commission recognises that E2i has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, E2i was cooperative in the course of the investigation and was responsive to requests for information. (f) Having carefully considered all the relevant facts and circumstances, the view is taken that this is an appropriate case in which a binding undertaking may be accepted. 3. UNDERTAKINGS 3.1. In consideration of the powers under section 29 of the PDPA not being exercised to give a direction in relation to the matters set out in the Commission Letter, E2i hereby undertakes as follows. 3.2. E2i undertakes to take all necessary steps to implement and give effect to the conditions set out below, and to procure and ensure that it takes all necessary steps to implement and give effect to the following within the time frame approved by the Commission under paragraph (c): (a) review and update its procedure for the sending of internal and external correspondences including emails which contain personal data of its jobseekers by all relevant employees; (b) review the training provided for its employees involved in correspondences that may comprise or touch on the personal data of its jobseekers, particularly in the steps necessary on how to handle and protect personal data adequately; 
(c) provide, within fourteen (14) days of the date of acceptance of this Undertaking, a proposed plan of implementation for fulfilling (a) to (b) above, for the Commission’s approval. The proposed plan of implementation shall state specific measures that E2i has taken and/or proposes to take to fulfil (a) to (b) above, as well as the time frame within which E2i expects to complete each of the specific measures (to the extent that these measures have yet to be completed). The overall time frame within which E2i proposes to complete all of the specific measures (the “Time Frame”) shall not exceed sixty (60) days beginning from the date of acceptance of this Undertaking. The proposed plan of implementation shall also explain how each of the specific measures proposed would achieve the objectives of (a) to (b) above. E2i shall make such amendments to the proposed plan of implementation as may be required by the Commission, in order to address any further concerns that the Commission may have. 
In deciding whether to approve the plan of implementation, the Commission will consider whether the specific measures would adequately address and achieve the objectives of (a) to (b) above; and (d) comply and procure that E2i complies with each and every obligation set out in the approved plan of implementation, which is hereby incorporated into and forms part of this Undertaking, within the specified time frames; (e) appoint an individual of sufficient authority to oversee E2i’s compliance with the terms of the Undertaking and to report to the Commission, and to appoint a replacement in the event of the appointee’s departure from the organisation; and (f) provide a status report to the Commission within fourteen (14) days from the end of the Time Frame approved by the Commission under paragraph (c) confirming whether E2i has fulfilled each of the specific measures set out in the approved plan of implementation, and provide details as to when each of the specific measures was completed. 3.3. In addition, E2i undertakes to provide, and will ensure that it provides all necessary assistance that the Commission may require to verify the completion of the specific measures under the plan of implementation, including (without limitation) granting the Commission and its representatives physical access to E2i’s premises, providing information and documentation to the Commission, and arranging for meetings and/or interviews with E2i staff, contractors and/or consultants. 4. COMMENCEMENT, TERM AND TERMINATION 4.1. This Undertaking shall take effect upon the acceptance by the Commission of E2i’s fully executed Undertaking. 5. GOVERNING LAW 5.1. This Undertaking shall be governed by Singapore law. 
Each party irrevocably submits to the exclusive jurisdiction of the Singapore courts any dispute or claim arising in any way out of or in connection with this Undertaking (including a dispute regarding the existence, validity or termination of this Undertaking), and waives any right to oppose any such Singapore action or proceedings on any jurisdictional basis, and agrees not to oppose the enforcement against it in any other jurisdiction of any judgment or order duly obtained from a Singapore court. 6. VARIATION 6.1. This Undertaking may be varied only with the express written agreement of the Commission. 7. OTHER MATTERS 7.1. E2i acknowledges that the Commission may publish and make publicly available this Undertaking, and without limitation to the foregoing, the Commission may issue public statements referring to this Undertaking and/or its contents in whole or in part. 7.2. For the avoidance of doubt, nothing in this Undertaking shall constrain or fetter the exercise of any statutory powers including, but not limited to, the powers under section 29 and section 50 of the PDPA in respect of the findings herein, should there be a failure by E2i to comply with any term of this Undertaking or if there are reasonable grounds for suspecting that any of the information provided by E2i in connection with the investigation in this case was incomplete, false or misleading in a material particular. Furthermore, nothing in this Undertaking shall fetter or constrain the Commission’s rights in any manner, nor be construed as creating any expectation that the Commission will take or not take any particular course of action in the future, should E2i be suspected or found to have contravened its obligations under the PDPA after the signing and acceptance of this Undertaking. 7.3. 
It is further acknowledged that the acceptance of this Undertaking is on a one-off and exceptional basis, and is strictly confined to the particular facts of the present case, on the basis of the information provided by E2i. The acceptance of this Undertaking shall not be construed as establishing any precedent, shall not create any legitimate expectations on the part of any parties (whether or not a party to this Undertaking), and shall not bind the Commission in respect of any other case involving a breach or suspected breach of the PDPA. All of the Commission’s rights in the foregoing respects are expressly reserved. 7.4. For the avoidance of doubt, acceptance of this Undertaking does not derogate from any rights and remedies available to any other person arising from conduct described in this Undertaking. SIGNED By ) Name: ______________________________ ) Designation: _________________________ ) for and on behalf of ) Employment and Employability Institute Pte Ltd ) Date: ______________________________ ) ACCEPTED By ) Name: ______________________________ ) Designation: _________________________ ) for and on behalf of ) Personal Data Protection Commission ) Date: _______________________________ ) ",1012 36,8d93620fcfdc25bde4a76fc8a9bbf87e0fb80b3e,3,HSBC Bank (Singapore) Limited,https://www.pdpc.gov.sg/undertakings/undertaking-by-hsbc-bank-(singapore)-limited,2020-09-10,"Background On 21 May 2018 and 30 May 2018 respectively, the Personal Data Protection Commission (the “Commission”) received complaints from two individuals that HSBC Bank (Singapore) Limited (“HSBC”) had sent them a marketing email (the “Email”) without their consent (the “Incident”). HSBC reported the Incident to the Commission voluntarily on 25 May 2018. As reported by HSBC, the Email was a “test email”, and it had intended to send the Email only to HSBC’s employees to test their eDM (electronic direct mail) platform. 
However, due to incorrect configurations set on the eDM platform, the Email was sent to a significant number of email addresses (more than 100,000). This number included email addresses of individuals who had withdrawn their consent to receive marketing emails from HSBC. The individuals had received the Email twice, as it was sent once on two consecutive days. No personal data was disclosed in the Incident. Remedial Actions HSBC rectified the configuration settings immediately upon finding out about the error. In addition, to prevent recurrence of similar incidents, HSBC introduced a checklist to ensure all procedures were adhered to prior to the sending of eDMs. It also cleaned up its existing database. Undertaking The Commission considered the circumstances of the case and accepted an undertaking from HSBC to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 20 January 2020 (the “Undertaking”). The Undertaking provides that HSBC was to: (a) review and update its procedure for the sending of eDMs using its emailing platform to ensure that any error or omission in setting or configuration does not result in the mass dispatch of eDMs to all email addresses stored in its database; (b) review the training provided for its employees involved in the eDM process, particularly in the steps necessary to select and verify the correct email addresses; (c) review the process of retaining and storing email addresses of both current and former customers who have withdrawn consent for the use of their personal data for the sending of marketing or any other EDMs to them, or whose banking accounts have become inactive under HSBC’s applicable terms. 
(d) propose an implementation plan for fulfilling the above; (e) once the Commission approves the proposed implementation plan, comply with every obligation set out in the implementation plan; (f) appoint individuals of sufficient authority to oversee compliance with the Undertaking and to report the status of compliance to the Commission; and (g) provide a status report to the Commission at a time requested by the Commission confirming whether HSBC has fulfilled each of the specific measures set out in the implementation plan. HSBC has since provided the Commission with the status report referred to at para 5(g) above on 3 April 2020. The Commission has reviewed the matter and determined that HSBC has complied with the terms of the Undertaking. Please click here to view the Undertaking.",https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/undertakings/undertaking---hsbc.pdf,"APPENDIX A LEGALLY BINDING UNDERTAKING TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Personal Data Protection Commission by: HSBC Bank (Singapore) Limited UEN: 201420624K Registered Address: 21 Collyer Quay #13-02 HSBC Building, Singapore 049320 By signing this Undertaking, HSBC Bank (Singapore) Limited acknowledges the matters stated herein and agrees to be bound by the terms of this Undertaking. 1. DEFINITIONS 1.1. In this Undertaking: (a) “PDPC” means the Personal Data Protection Commission. (b) “Commissioner” means the Commissioner for Personal Data Protection. (c) “Commission’s Letter” means the letter dated 12 December 2019 from the Commission to HSBC Bank (Singapore) Limited concerning its investigation under the PDPA, including the appendices thereto. (d) “Data Protection Provisions” means Parts III to VI of the PDPA. (e) “PDPA” means the Personal Data Protection Act 2012 (No. 26 of 2012). (f) “Time Frame” has the meaning given to it in paragraph 3.2. (g) “HSBC” means HSBC Bank (Singapore) Limited, a company incorporated in Singapore (UEN: 201420624K). 
Page 1 of 6 2. ACKNOWLEDGEMENTS 2.1. HSBC hereby acknowledges the following matters: (a) PDPC has carried out an investigation into certain acts and practices of HSBC involving the erroneous sending of electronic direct mails (the “Incident”). (b) The facts and circumstances relating to the Commission’s investigations are set out in the Commission’s Letter, a copy of which has been furnished to HSBC. (c) HSBC agrees that it has been given the opportunity to submit representations to the Commission in relation to the facts and allegations, and that it has done so in the form of the following documents: i. Response to “NOTICE TO REQUIRE PRODUCTION OF DOCUMENTS AND INFORMATION UNDER THE NINTH SCHEDULE TO THE PERSONAL DATA PROTECTION ACT 2012” dated 20 June 2018; ii. Response to “SECOND NOTICE TO REQUIRE PRODUCTION OF DOCUMENTS AND INFORMATION UNDER THE NINTH SCHEDULE TO THE PERSONAL DATA PROTECTION ACT 2012” dated 16 July 2018 (“Response to the 2nd NTP”); iii. Response to follow-up clarifications from the PDPA sent via electronic mail with the subject title “RE: 2nd Notice to Require Production of Documents and Information for HSBC Bank (Singapore) Limited [Our Ref: DP-1805-B2152]” dated 10 October 2018; and iv. Response to follow-up clarifications from the PDPA sent via electronic mail with the subject title “Clarifications following NTP Responses by HSBC Bank (Singapore) Limited [Our Ref: DP-1805-B2152]” dated 1 November 2018 (“1 November Email Clarification”). (d) HSBC also agrees that it has been given the opportunity to submit representations to the Commission in relation to the form of this binding undertaking. (e) Although the Commissioner has a number of enforcement options under the PDPA, including the option to give a direction under section 29 of the PDPA, the Commissioner recognises that HSBC has made efforts to address the concerns raised in this case and to improve its personal data protection practices. 
In addition, HSBC was cooperative in the course of the investigation and was responsive to requests for information. (f) The Commissioner, having carefully considered all the relevant facts and circumstances, is of the view that this is an appropriate case in which to accept a binding undertaking. 3. UNDERTAKINGS 3.1. In consideration of the Commissioner not exercising the powers under section 29 of the PDPA to give a direction in relation to the Incident and the Commission’s investigation, HSBC hereby undertakes as follows. 3.2. HSBC undertakes to take all necessary steps to implement and give effect to the conditions set out below, and to procure and ensure that it takes all necessary steps to implement and give effect to the following within the time frame approved by the Commissioner under paragraph (d): (a) review and update its procedure for the sending of EDMs using [name of emailing platform redacted for confidentiality] or other current emailing platform to ensure that any error or omission in setting or configuration does not result in the mass dispatch of EDMs to all email addresses stored in its database; (b) review the training provided for its employees involved in the EDM process, particularly in the steps necessary to select and verify the correct email addresses; (c) review the process of retaining and storing email addresses of both current and former customers who have withdrawn consent for the use of their personal data for the sending of marketing or any other EDMs to them, or whose banking accounts have become inactive under HSBC’s applicable terms, (d) provide, within fourteen (14) days of the date of acceptance of this Undertaking, a proposed plan of implementation for fulfilling (a) to (c) above, for the Commissioner’s approval. 
The proposed plan of implementation shall state specific measures that HSBC has taken and/or proposes to take to fulfil (a) to (c) above, as well as the time frame within which HSBC expects to complete each of the specific measures (to the extent that these measures have yet to be completed). The overall time frame within which HSBC proposes to complete all of the specific measures (the “Time Frame”) shall not exceed sixty (60) days beginning from the date of acceptance of this Undertaking. The proposed plan of implementation shall also explain how each of the specific measures proposed would achieve the objectives of (a) to (c) above. HSBC shall make such amendments to the proposed plan of implementation as may be required by the Commissioner, in order to address any further concerns that the Commissioner may have. In deciding whether to approve the plan of implementation, the Commissioner will consider whether the specific measures would adequately address and achieve the objectives of (a) to (c) above; (e) comply and procure that HSBC complies with each and every obligation set out in the approved plan of implementation, which is hereby incorporated into and forms part of this Undertaking, within the specified time frames; (f) appoint an individual of sufficient authority to oversee HSBC’s compliance with the terms of the Undertaking and to report to the Commissioner, and to appoint a replacement in the event of the appointee’s departure from the organisation; and (g) provide a status report to the Commissioner within fourteen (14) days from the end of the Time Frame approved by the Commissioner under paragraph (d) confirming whether HSBC has fulfilled each of the specific measures set out in the approved plan of implementation, and provide details as to when each of the specific measures was completed. 3.3. 
In addition, HSBC undertakes to provide, and will ensure that it provides all necessary assistance that the Commissioner may require to verify the completion of the specific measures under the plan of implementation, including (without limitation) granting the Commissioner and its representatives physical access to HSBC’s premises, providing information and documentation to the Commissioner, and arranging for meetings and/or interviews with HSBC staff, contractors and/or consultants. 4. COMMENCEMENT, TERM AND TERMINATION 4.1. This Undertaking shall take effect upon the acceptance by the Commissioner of HSBC’s fully executed Undertaking. 5. GOVERNING LAW 5.1. This Undertaking shall be governed by Singapore law. Each party irrevocably submits to the exclusive jurisdiction of the Singapore courts any dispute or claim arising in any way out of or in connection with this Undertaking (including a dispute regarding the existence, validity or termination of this Undertaking), and waives any right to oppose any such Singapore action or proceedings on any jurisdictional basis, and agrees not to oppose the enforcement against it in any other jurisdiction of any judgment or order duly obtained from a Singapore court. 6. VARIATION 6.1. This Undertaking may be varied only with the express written agreement of the Commissioner. 7. OTHER MATTERS 7.1. HSBC acknowledges that the Commissioner may publish and make publicly available this Undertaking, and without limitation to the foregoing, the Commissioner may issue public statements referring to this Undertaking and/or its contents in whole or in part. 7.2. 
For the avoidance of doubt, nothing in this Undertaking shall constrain or fetter the Commissioner’s rights in any manner, and the Commissioner shall be fully entitled to exercise all its statutory powers including, but not limited to, the powers under section 29 and section 50 of the PDPA to carry out enforcement action against HSBC in respect of its findings herein, should there be a failure by HSBC to comply with any term of this Undertaking or if the Commissioner has reasonable grounds for suspecting that any of the information provided by HSBC in connection with the investigation in this case was incomplete, false or misleading in a material particular. Furthermore, nothing in this Undertaking shall fetter or constrain the Commissioner’s rights in any manner, nor be construed as creating any expectation that the Commissioner will take or not take any particular course of action in the future, should HSBC be suspected or found to have contravened its obligations under the PDPA after the signing and acceptance of this Undertaking. 7.3. It is further acknowledged that the Commissioner’s acceptance of this Undertaking is on a one-off and exceptional basis, and is strictly confined to the particular facts of the present case, on the basis of the information provided by HSBC. The Commissioner’s acceptance of this Undertaking shall not be construed as establishing any precedent, shall not create any legitimate expectations on the part of any parties (whether or not a party to this Undertaking), and shall not bind the Commissioner in respect of any other case involving a breach or suspected breach of the PDPA. All of the Commissioner’s rights in the foregoing respects are expressly reserved. 7.4. For the avoidance of doubt, acceptance of this Undertaking does not derogate from any rights and remedies available to any other person arising from conduct described in this Undertaking. 
SIGNED By ) Name: ______________________________ ) Designation: _________________________ ) for and on behalf of ) HSBC Bank (Singapore) Limited ) Date: ______________________________ ) ACCEPTED By ) Name: ______________________________ ) Designation: _________________________ ) for and on behalf of the Commissioner, ) Personal Data Protection Commission ) Date: _______________________________ ) ",1007