pdpc_undertakings: 21
Data source: pdpc.gov.sg/Undertakings
_id | _item_id | id | organisation | url | timestamp | pdf-url | _commit |
---|---|---|---|---|---|---|---|
21 | 3b6031c255fe17dc08c3d6aa9abe1619103bed59 | 21 | Inmagine Lab Pte Ltd | https://www.pdpc.gov.sg/Undertakings/Undertaking%20by%20Inmagine%20Lab%20Pte%20Ltd | 2022-08-11 | https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/undertakings/undertaking---inmagine-lab-pte-ltd.pdf | 1007 |

description:

Background

The Personal Data Protection Commission (the “Commission”) received two data breach notifications, on 13 November 2020 and 26 January 2021, from Inmagine Lab Pte Ltd (the “Organisation”) regarding unauthorised access to two of its websites that took place on or about 22 March 2020 and 7 October 2020 respectively. Personal data had been exfiltrated from the websites. The affected datasets included names, addresses, email addresses and phone numbers. It was established that the Organisation (a) lacked a sufficiently robust security assessment policy, log retention policy and asset management process, (b) had no intrusion detection or prevention systems in place and (c) operated on an outdated operating system.

Remedial Actions

After the incident, as part of a remediation plan, the Organisation implemented the following:
(a) Developed a vulnerability assessment policy;
(b) Developed an incident response plan;
(c) Reviewed its log retention policy;
(d) Created an asset list for tracking an inventory of its systems;
(e) Implemented intrusion detection and prevention systems;
(f) Reviewed and compiled all its systems and updated them to the latest supported operating system versions; and
(g) Adopted additional security measures such as two-factor authentication (“2FA”).

Undertaking

Having considered the circumstances of the case, including the remedial steps taken by the Organisation, the Commission accepted an undertaking on 23 March 2022 (the “Undertaking”) from the Organisation to improve its compliance with the Personal Data Protection Act 2012. The Undertaking provided that the Organisation was to complete the implementation of its remediation plan, including the development of various policies and the implementation of intrusion detection and prevention systems.

The Organisation has since updated the Commission that it has fully implemented its remediation plan. The Commission has reviewed the matter and determined that the Organisation has complied with the terms of the Undertaking.

pdf-content:

WRITTEN VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION

This Undertaking is given to the Personal Data Protection Commission or its delegates pursuant to section 48L(1) of the PDPA, by: Inmagine Lab Pte Ltd, UEN: 201532639M, Registered Address: 11 Collyer Quay #17-00, The Arcade, Singapore 049317 (hereinafter referred to as the “Organisation”).

By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein.

1. DEFINITIONS

1.1 In this Undertaking:
(a) “PDPA” means the Personal Data Protection Act 2012 (No. 26 of 2012); and
(b) “Relevant Provisions” means the provisions in Parts III, IV, V, VI, VIA and IX, and section 48B(1) of the PDPA.

2. ACKNOWLEDGEMENTS

2.1 The Organisation hereby acknowledges the following matters:
(a) The Commission has carried out investigations into certain acts and practices of the Organisation, and has reason to believe that the Organisation has not complied, is not complying, or is likely not to comply with one or more of the Relevant Provisions. The relevant facts and circumstances are summarised at Schedule A.
(b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to issue directions under sections 48I or 48J of the PDPA.
(c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation appears ready to implement or is in the midst of implementing the steps set out in Schedule B.
(d) Having carefully considered all the relevant facts and circumstances, the Commission takes the view that this is an appropriate case in which an Undertaking may be accepted.

2.2 The Organisation also acknowledges and agrees that the Commission may publish and make publicly available this Undertaking, and without limitation to the foregoing, the Commission may issue public statements referring to this Undertaking and/or its contents in whole or in part.

3. UNDERTAKINGS

3.1 The Organisation undertakes that it has taken, or will take, all necessary steps to carry out the actions or refrain from carrying out the actions referred to in Schedule B, and where applicable, in accordance with the stipulated timelines.

4. COMMENCEMENT

4.1 This Undertaking shall take effect upon the acceptance by the Commission of the Organisation’s duly executed Undertaking.

5. THE COMMISSION’S STATUTORY POWERS

5.1 In order to provide the Organisation with an opportunity to complete all necessary steps to implement its undertakings set out in clause 3 above, the Commission will exercise its powers under section 50(3)(ca) of the PDPA to suspend the investigations referred to in clause 2 on the date the Undertaking takes effect as set out in clause 4.1.

5.2 The Organisation acknowledges that the Commission will verify the Organisation’s compliance with its undertakings set out in clause 3 above, and if necessary, will exercise its powers under the Ninth Schedule of the PDPA to do so.

5.3 Clause 5.1 above shall be without prejudice to the Commission’s statutory powers to conduct or resume, at any time, the investigations referred to in clause 2 above if it thinks fit, including but not limited to the situation where the Organisation fails to comply with this Undertaking or part thereof in relation to any matter.

5.4 Nothing in this Undertaking, including the Commission’s acceptance of the Undertaking, is intended to, or shall, fetter or constrain the Commission’s rights and statutory powers (including but not limited to those under sections 48I, 48J, 48L(4) and 50 of the PDPA) in any manner. Nor shall it be construed as creating any anticipation or expectation that the Commission will take or not take any particular course of action in the future (whether in the present case or in respect of any other case concerning a breach or suspected breach of the PDPA). The acceptance of this Undertaking is strictly confined to the particular facts of the present case, and is made on the basis of the representations and information provided by the Organisation. The acceptance of an Undertaking in this case shall not be construed as establishing any precedent.

6. VARIATION

6.1 This Undertaking may be varied only with the express written agreement of the Commission.

This document has been electronically signed. The Parties hereby affirm that the electronic signatures have been affixed with the due authorisation of each Party and that the Parties intend for the electronic signatures to carry the same weight, effect and meaning as hand-signed wet-ink signatures.

SIGNED, for and on behalf of Inmagine Lab Pte Ltd, by the following: Name: ________ Designation: ________ Date: ________

ACCEPTED by: Name: ________ Designation: Deputy Commissioner, Personal Data Protection Date: ________

SCHEDULE A: SUMMARY OF FACTS

1. On 13 November 2020 and 26 January 2021, the PDPC received two data breach notifications from the Organisation regarding unauthorised access to two of its websites that took place on or about 22 March 2020 and 7 October 2020 respectively. The personal data from the websites had been exfiltrated and was offered for sale on Raidforums (the “Incident”).

2. The name, address, email address, phone number, user ID and password hash, IP address of first and last login, and GeoIP state and country of approximately 6,769,184 individuals were affected as a result of the Incident.

SCHEDULE B: REMEDIATION PLAN

No. | Gap identified | Remediation plan | Target completion |
---|---|---|---|
1 | Inmagine Lab Pte. Ltd. (“ILPL”) did not conduct any security review or audit of the said websites prior to the acquisition. Although the same security and developer teams remained responsible for the websites before and after the acquisition, ILPL failed to ascertain the websites’ security prior to the acquisition. | ILPL will draft a Vulnerability Assessment Policy and will abide by it. The policy will outline when and how ILPL’s employees may conduct certain types of security testing, including but not limited to vulnerability assessments, penetration tests, tests involving data scraping tools, and audits prior to the acquisition/transfer of websites. | 5th January 2022 (Completed) |
2 | ILPL did not have any intrusion detection or prevention systems (“IDS/IPS”) in place. | ILPL will require log planning to implement any IDS. ILPL will look into its current assets/systems and identify locations to implement, and will research available IDS/IPS in order to implement and integrate IDS/IPS into the system through four stages: (I) planning; (II) research; (III) implementation; and (IV) testing and monitoring. | June 2022 (Ongoing) |
3 | The log retention policy of the previous owner of the websites, 123RF Limited, was to retain logs for a month or less. This was not advisable, as these logs could have provided valuable leads in any data breach investigation. However, ILPL did not review the log retention policy of 123RF Limited. | ILPL will review its current logging locations and strategies as well as look into available logs. ILPL will try out logging solutions in order to pick the best fit for the organisation. Upon research, ILPL will implement the selected logging solution and revise its log retention policy. | June 2022 (Ongoing) |
4 | Even though some of the system OS had reached end-of-life, ILPL had failed to update the system OS to the latest versions available. | ILPL will review and compile all current assets with outdated or end-of-life OS versions. Once these are found, ILPL will identify the latest supported OS/software versions to update to, through three stages: (I) planning; (II) research; and (III) implementation and testing. | June 2022 (Ongoing) |
5 | ILPL did not have a security assessment policy in place to define the frequency and type of testing or scanning of the websites for vulnerabilities, threats or breaches. A thoughtful review of the threat environment, current and future risks, and the value of the targeted environment would greatly reduce the risk of security breaches. | ILPL will draft a Vulnerability Assessment Policy and an Incident Response Plan. The Incident Response Plan will set out the plan for responding to information security incidents, covering: (I) scope; (II) incident response methodology; (III) incident response phases; (IV) guidelines for the incident response process; and (V) documentation, tracking and reporting. | 5th January 2022 (Completed) |
6 | ILPL did not have in place a systematic asset management process under which it maintains an inventory of its assets. | ILPL will create a confidential asset list to keep track of the inventory of its systems. The list will be updated on a regular basis when there are new updates, with a periodic review once every quarter to make sure it is always accurate and up to date. | 31st January 2022 (Completed) |
7 | ILPL should have adopted additional security measures, such as encrypting the database backup files or whitelisting the IP addresses that have access to the database. | ILPL will adopt additional security measures such as 2FA [redacted for confidentiality]. For its database, access is always restricted, and only certain IP addresses are granted access to the database. [redacted for confidentiality] | 31st January 2022 (Completed) |
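Items 4 and 6 of Schedule B describe one control from two angles: keep an inventory of systems, identify those running outdated or end-of-life OS versions, and review the list every quarter. The script below is an added example of what that review looks like when automated; it is not Inmagine's tooling and is not taken from the PDPC document. It takes a small inventory and an end-of-life table, both constructed here as sample data, and returns findings ordered so that internet-facing hosts already past vendor support come first. The hostnames, OS versions, EOL dates and the 180-day warning window are illustrative assumptions; in practice the EOL dates come from each vendor's lifecycle page.

```python
"""Asset-inventory review: flag end-of-life operating systems and overdue
quarterly reviews.

Added example for the asset-inventory and OS-lifecycle items of the
remediation plan; it is not Inmagine's or the PDPC's code. All data below
(hosts, versions, EOL dates) is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed EOL table: (os family, version) -> last day of vendor support.
# Assumed values for the example; take real dates from the vendor's
# lifecycle page and keep this table under change control with the inventory.
EOL_DATES = {
    ("ubuntu", "16.04"): date(2021, 4, 30),
    ("ubuntu", "20.04"): date(2025, 5, 31),
    ("debian", "9"): date(2022, 6, 30),
    ("centos", "7"): date(2024, 6, 30),
    ("windows-server", "2008-r2"): date(2020, 1, 14),
}

REVIEW_PERIOD = timedelta(days=92)   # "once every quarter"
EOL_WARNING = timedelta(days=180)    # assumed lead time for planning an upgrade

# Most urgent first: unsupported OS, then approaching EOL, then gaps in the
# table itself (an OS we cannot even assess), then stale inventory entries.
SEVERITY = {"eol": 0, "eol-soon": 1, "unknown-os": 2, "review-overdue": 3}


@dataclass(frozen=True)
class Asset:
    hostname: str
    os: str
    version: str
    last_reviewed: date
    public_facing: bool


@dataclass(frozen=True)
class Finding:
    hostname: str
    public_facing: bool
    issue: str
    detail: str


def review_inventory(assets, today):
    """Return findings sorted by severity, internet-facing hosts first."""
    findings = []
    for a in assets:
        eol = EOL_DATES.get((a.os.lower(), a.version))
        if eol is None:
            findings.append(Finding(a.hostname, a.public_facing, "unknown-os",
                f"{a.os} {a.version} is not in the EOL table; add it before the next review"))
        elif eol <= today:
            findings.append(Finding(a.hostname, a.public_facing, "eol",
                f"{a.os} {a.version} unsupported since {eol.isoformat()}"))
        elif eol - today <= EOL_WARNING:
            findings.append(Finding(a.hostname, a.public_facing, "eol-soon",
                f"{a.os} {a.version} reaches end-of-life on {eol.isoformat()}"))
        # The quarterly review applies to every entry, whatever its OS status.
        if today - a.last_reviewed > REVIEW_PERIOD:
            findings.append(Finding(a.hostname, a.public_facing, "review-overdue",
                f"last reviewed {a.last_reviewed.isoformat()}, quarterly review is overdue"))
    findings.sort(key=lambda f: (SEVERITY[f.issue], not f.public_facing, f.hostname))
    return findings


# Constructed sample inventory. The review date is the asset-list completion
# date from Schedule B, used here only as a fixed "today".
REVIEW_DATE = date(2022, 1, 31)
SAMPLE_ASSETS = [
    Asset("web-01", "ubuntu", "16.04", date(2021, 12, 15), public_facing=True),
    Asset("web-02", "ubuntu", "20.04", date(2022, 1, 10), public_facing=True),
    Asset("db-01", "centos", "7", date(2021, 9, 1), public_facing=False),
    Asset("legacy-01", "windows-server", "2008-r2", date(2021, 11, 5), public_facing=True),
    Asset("mail-01", "debian", "9", date(2022, 1, 5), public_facing=False),
    Asset("build-01", "freebsd", "12.2", date(2022, 1, 20), public_facing=False),
]


def run_review():
    """Run the review over the constructed inventory at the fixed review date."""
    return review_inventory(SAMPLE_ASSETS, REVIEW_DATE)


if __name__ == "__main__":
    for f in run_review():
        exposure = "public" if f.public_facing else "internal"
        print(f"{f.issue:15} {f.hostname:10} ({exposure}) {f.detail}")
```

The "unknown-os" finding is deliberate: an asset whose OS is missing from the lifecycle table is a gap in the inventory process itself, which is exactly the kind of blind spot item 6 is meant to close, so it is reported rather than silently skipped.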
Links from other tables
- 2 rows from _item in pdpc_undertakings_version