pdpc_undertakings: 63
Data source: pdpc.gov.sg/Undertakings
_id | _item_id | id | organisation | url | timestamp | pdf-url | _commit |
---|---|---|---|---|---|---|---|
63 | 4c7de9884b1a1e986b6b36f7874233ad637c866b | 38 | Success Human Resource Centre Pte Ltd | https://www.pdpc.gov.sg/undertakings/undertaking-by-success-human-resource-centre-pte-ltd | 2024-04-22 | https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/undertakings/undertaking---success-human-resource-centre-pte-ltd.pdf | 1013 |

description:

Background

The Personal Data Protection Commission (the “Commission”) received a complaint about a personal data breach involving Success Human Resource Centre Pte Ltd (the “Organisation”) on 30 May 2023. The complainant informed the Commission that he was able to access the Organisation’s attendance tracking system, which disclosed the names and mobile numbers of other individuals, by manipulating the numerical suffix of the Organisation’s webpage URL (the “Incident”). About 30,000 individuals were potentially affected.

Investigations revealed that the cause of the breach was inadequate web disk space on the webhost and unaddressed errors in the coding script. Upon being alerted, the Organisation immediately took down the URL.

Undertaking

Having considered the circumstances of the case, the Commission accepted a voluntary undertaking (the “Undertaking”) from the Organisation to improve its compliance with the Personal Data Protection Act 2012. The Undertaking was executed on 11 September 2023. As part of the Undertaking, the Organisation put in place the following measures:

(a) Fixed all coding flaws and structural issues on the system.
(b) Upgraded the web disk space and implemented 2FA.
(c) Implemented best practices for secure Identity Access Management (IAM).
(d) Implemented clear vendor management and account responsibilities processes.
(e) Developed a vulnerability disclosure policy and established a clear process for incident management.

The Commission was satisfied with and accepted the Undertaking having considered the number of affected individuals, the types of personal data involved and the impact of the Incident. Accepting the Undertaking was also consistent with the Commission’s practice with respect to other personal data breaches similar to the one that affected the Organisation.

The Organisation has since updated the Commission that it has completed the implementation of its remediation plan. The Commission has reviewed the matter and is satisfied that the Organisation has complied with the terms of the Undertaking.

pdf-content:

VOLUNTARY UNDERTAKING UNDER SECTION 48L OF THE PERSONAL DATA PROTECTION ACT 2012

Case number: DP-2305-C1080

In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 (“the Act”) And (1) Success Human Resource Centre Pte Ltd (UEN No. 200516727R) … Organisation

The Commission has reasonable grounds to believe that the Organisation has not complied, is not complying or is likely not to comply with section 24 of the Act. In order for the Commission to suspend its investigation pursuant to section 50(3)(ca) of the Act, the Organisation HEREBY UNDERTAKES that it will:

(a) Complete the remediation plan set out at Schedule B within the timelines stated in Schedule B; and
(b) Within 14 days of the completion of the remediation plan set out at Schedule B, provide the Commission with a copy of the declaration set out at Schedule C duly signed by the signatory of this Undertaking or a representative of the Organisation of equal designation.

The Organisation acknowledges that the Commission shall be entitled to publish and make available to the public this Undertaking and the summary of the Commission’s findings set out at Schedule A to this Undertaking. The terms of this Undertaking may be varied by the written agreement of the Commission and the Organisation.

SIGNED, for and on behalf of Success Human Resource Centre Pte Ltd by the following:
Name: ______________________________________
Designation: _________________________________
Date: _______________________________________

SCHEDULE A

SUMMARY OF FACTS

1. On 30 May 2023, PDPC was notified by a complainant who stated that the Organisation’s URL on the Attendance Tracking System can be manipulated to gain access to the PDF documents containing personal data of other individuals.
2. As a result, the personal data of approximately 30,000 individuals, including their names and phone numbers, was exposed.
3. To prevent a recurrence of a similar incident, the Organisation took immediate remedial action to address the cause of the personal data breach.

SCHEDULE B

S/N | LIKELY CAUSES OF INCIDENT | PROPOSED STEPS TO ADDRESS THE CAUSE | TARGETED COMPLETION DATE |
---|---|---|---|
1 | Defective code for “Print_attendance” function on ATS Portal and upgrade Web Disk/Backup Options | a. Identify the specific defects in the code causing the issue. b. Conduct a thorough code review and debugging process to fix the defects. c. Test updated code extensively to ensure the “Print_attendance” function works as intended. d. Implement a comprehensive quality assurance process for future code changes to prevent similar defects. e. Conduct a greybox penetration test by Net Assist Sdn Bhd, a Singapore-licensed penetration testing service provider. | 30th September 2023 |
2 | Defective code and structure for Identity Access Management (IAM) features on ATS Portal and | a. Assess the existing code and architecture for the IAM features. b. Identify and fix any coding flaws and structural issues affecting the IAM functionality. c. Implement best practices for secure IAM implementation, such as proper authentication, authorization, and access control mechanisms. d. Regularly review and update the IAM code and structure to address any emerging vulnerabilities. e. Introduce and integrate multifactor authentication into IAM Modules. | 30th September 2023 |
3 | Not disabling specific accounts for interns/full-time job hires (for the purpose of clocking timesheets) | a. Develop a standardized process for enabling and disabling accounts based on employment status. b. Implement an automated system that disables accounts for interns or full-time job hires upon completion of their contracts or termination of employment. c. Conduct periodic audits to ensure that accounts are promptly disabled as required. | 31st October 2023 |
4 | Insufficient visibility of ATS Portal Access Control Management, Vendor SLA and continued maintenance | a. Review current vendor suitability and ability to continue with the ATS system maintenance and, if not, onboard new vendor Digipixel Pte. Ltd. b. Enhance the documentation and communication of Access Control Management processes, including user access levels and permissions. c. Establish a clear and well-defined Vendor Service Level Agreement (SLA) outlining expectations, responsibilities, and response times with Digipixel Pte. Ltd. and FirstComm Solutions for web development and hosting respectively, to also cover areas of responsibility in the protection of personal data. d. Regularly review and update the Access Control Management system to meet evolving security requirements. e. Conduct periodic checks to verify compliance with the SLA and overall system maintenance. | 30th September 2023 |
5 | No vulnerability disclosure policy and process chart for specific incident management | a. Develop a vulnerability disclosure policy that encourages responsible reporting of potential security vulnerabilities. b. Establish a clear process for incident management, including the identification, assessment, and mitigation of vulnerabilities. c. Create a dedicated team responsible for handling vulnerability disclosures and coordinating appropriate remediation actions. d. Communicate the vulnerability disclosure policy and process to stakeholders, including employees, vendors, and users. | 31st October 2023 |

SCHEDULE C

Case number: DP-2305-C1080

In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 (“the Act”) And (1) Success Human Resource Centre Pte Ltd (UEN No. 200516727R) … Organisation

DECLARATION

I refer to the voluntary undertaking dated ________ given by the Organisation to the Personal Data Protection Commission pursuant to section 48L of the Act (“the Undertaking”). I declare that the remediation plan set out at Schedule B of the Undertaking has been completed.

I acknowledge that by making a false declaration or providing false or misleading information to the Personal Data Protection Commission, I may be prosecuted for offences under section 51(3)(c) of the Personal Data Protection Act 2012 and/or section 182 of the Penal Code 1871.

________________________ Signature
________________________ Date
________________________ Name
________________________ Designation