pdpc_undertakings_version
74 rows
This data as json, CSV (advanced)
Suggested facets: _version, _commit, timestamp, timestamp (date)
| _id ▼ | _item | _version | _commit | id | organisation | url | timestamp | description | pdf-url | pdf-content | _item_full_hash |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | 1 1 | 1 | 1002 1002 | 1 | Grabcar Pte Ltd | https://www.pdpc.gov.sg/Undertakings/Undertaking-by-Grabcar-Pte-Ltd | 2020-09-10 | Background The Personal Data Protection Commission (the “Commission”) received a data breach notification on 14 June 2018 from Grabcar Pte Ltd (“Grabcar”). Grabcar had inadvertently sent an email report on 6 June 2018 (the “Report”) to 9 fleet group partners. The Report contained the name, NRIC number, telephone number, and vehicle rental details of 110,931 Grabcar drivers. Each fleet partner was supposed to receive a filtered copy of the report, containing only the information of the drivers under its fleet. However, the Report contained information of drivers that were not in the respective fleet partner’s fleet. It was established that the inadvertent disclosure occurred due to an error in the script written by a software provider engaged by Grabcar. On 4 June 2018, Grabcar had requested the software provider to replicate the schedule for sending out the email report to accommodate a new version of the report. However, the software provider made a mistake in the script, which led to the email filter being set to “all”. Remedial Actions Each fleet partner was bound by confidentiality clauses in their partnership agreement with Grabcar, which required the fleet partner to protect personal data received from Grabcar. Upon discovering the inadvertent disclosure, Grabcar contacted the fleet partners and requested that they delete the email containing the Report. The fleet partners confirmed to Grabcar that they had done so, within 40 mins of the email being sent. Undertaking The Commission considered the circumstances of the case and accepted an undertaking from Grabcar to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 23 March 2020 (the “Undertaking”). The Undertaking provides that Grabcar was to: (a) review its change management process and to ensure that reasonable security checks are made before deploying such changes; (b) propose an implementation plan for fulfilling the above; (c) once the Commission approves the proposed implementation plan, comply w… | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Undertakings/Undertaking---Grabcar.pdf | LEGALLY BINDING UNDERTAKING TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Info-communications Media Development Authority designated as the Personal Data Protection Commission under section 5(1) of the PDPA (hereinafter referred to as the “Commission”), by: Grabcar Pte. Ltd. UEN: 201427085E Registered Address: 6 Shenton Way, #38-01, OUE Downtown, Singapore 068809 (hereinafter referred to as the “Organisation”). By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and agrees to be bound by the terms of this Undertaking. 1. DEFINITIONS 1.1 In this Undertaking: (a) “Commission’s Letter” means the letter dated 21 February 2020 from the Commission to the Organisation, concerning its investigation under the PDPA, including the appendices thereto; (b) “Data Protection Provisions” means Parts III to VI of the PDPA; and (c) “PDPA” means the Personal Data Protection Act 2012 (No. 26 of 2012). 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) The Commission has carried out an investigation into certain acts and practices of the Organisation, which infringes one or more provisions of the Data Protection Provisions. (b) The facts and circumstances relating to the Commission’s investigation, as well as the Commission’s investigation findings and concerns arising therefrom, are set out in the Commission’s Letter, a copy of which has been furnished to the Organisation. (c) The Organisation agrees that it has been given the opportunity to submit representations to the Commission in relation to the facts, allegations and the Commission’s investigation findings, as well as the form of binding undertaking, as set out in the Commission’s Letter. 1 (d) As a result of any non-compliance with the PDPA by an organisation, there are a number of enforcement options under the PDPA, including the option to give a direction under section 29 of the PDPA. (e) The Commission recognises that the Organisation has ma… | 6e3b059d8eb5a49c607c9a11388dc0da4a6fa6e9 |
| 2 | 2 2 | 1 | 1002 1002 | 2 | Employment & Employability Institute Pte Ltd | https://www.pdpc.gov.sg/Undertakings/Undertaking-by-Employment-Employability-Institute-Pte-Ltd | 2020-09-10 | Background The Personal Data Protection Commission (the “Commission”) received a data breach notification on 24 July 2019 from Employment & Employability Institute Pte Ltd (“e2i”). e2i had disclosed personal data of its jobseekers via an email (“Email”) sent erroneously to one external party. The aforesaid personal data was contained in an Excel Spreadsheet (“Spreadsheet”) attached to the Email. The Spreadsheet contained the name, NRIC number, email address, date of birth, citizenship, race, gender, qualifications and employer name of 101 jobseekers. Additionally, 24 sets of actual salary information and 77 sets of desired salary information belonging to the same 101 jobseekers were also disclosed. It was established that the inadvertent disclosure occurred due to an e2i employee selecting the wrong recipient from the dropdown list. The Email was meant for an internal colleague. However, as the external party bore the same first name as the internal colleague, the wrong recipient was picked. Remedial Actions e2i communicated with the external party to delete the Email and the Spreadsheet. Additionally, e2i reminded all employees to password protect all files containing personal data for both internal and external correspondence. Guidelines on protecting personal data were also emailed to all employees. Undertaking The Commission considered the circumstances of the case and accepted an undertaking from e2i to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 15 November 2019 (the “Undertaking”). The Undertaking provides that e2i was to: (a) review its procedures for the sending of internal and external correspondences including emails which contain personal data of its jobseekers by all relevant employees; (b) review the training of employees involved in correspondences that may comprise or touch on the personal data of jobseekers on how to handle and protect the data adequately; (c) propose an implementation plan for fulfilling the above; (d) once the Comm… | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Undertakings/Undertaking---e2i-2020.pdf | APPENDIX A LEGALLY BINDING UNDERTAKING TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Personal Data Protection Commission by: Employment and Employability Institute Pte Ltd UEN: 200704772C Registered Address: 30 Cecil Street, #19-08, Prudential Tower, Singapore 049712 By signing this Undertaking, Employment and Employability Institute Pte Ltd acknowledges the matters stated herein and agrees to be bound by the terms of this Undertaking. 1. DEFINITIONS 1.1. In this Undertaking: (a) “Commission” means the Personal Data Protection Commission. (b) “Commissioner” means the Protection. (c) “Commission’s Letter” means the letter dated 17 October 2019 from the Commission to Employment and Employability Institute Pte Ltd concerning its investigation under the PDPA, including the appendices thereto. (d) “Data Protection Provisions” means Parts III to VI of the PDPA. (e) “PDPA” means the Personal Data Protection Act 2012 (No. 26 of 2012). (f) “Time Frame” has the meaning given to it in paragraph 3.2. (g) “E2i” means Employment and Employability Institute Pte Ltd, a company incorporated in Singapore (UEN: 200704772C). Commissioner for Personal Data Page 1 of 5 2. ACKNOWLEDGEMENTS 2.1. E2i hereby acknowledges the following matters: (a) The Commission has carried out an investigation into certain acts and practices of E2i, which infringes one or more provisions of the Data Protection Provisions. (b) The facts and circumstances relating to the Commission’s investigation, as well as the Commission’s investigation findings and concerns arising therefrom, are set out in the Commission’s Letter, a copy of which has been furnished to E2i. (c) E2i agrees that it has been given the opportunity to submit representations to the Commission in relation to the facts, allegations and the Commission’s investigation findings, as well as the form of binding undertaking, as set out in the Commission’s Letter. (d) As a result of any non-compliance with the PDPA by an organisation, there… | 90a6facdd45ab35f77a4c83a15b89e62c52c758e |
| 3 | 3 3 | 1 | 1002 1002 | 3 | HSBC Bank (Singapore) Limited | https://www.pdpc.gov.sg/Undertakings/Undertaking-by-HSBC-Bank-(Singapore)-Limited | 2020-09-10 | Background On 21 May 2018 and 30 May 2018 respectively, the Personal Data Protection Commission (the “Commission”) received complaints from two individuals that HSBC Bank (Singapore) Limited (“HSBC”) had sent them a marketing email (the “Email”) without their consent (the “Incident”). HSBC reported the Incident to the Commission voluntarily on 25 May 2018. As reported by HSBC, the Email was a “test email”, and it had intended to send the Email only to HSBC’s employees to test their eDM (electronic direct mail) platform. However, due to incorrect configurations set on the eDM platform, The Email was sent to a significant number of email addresses (more than 100,000). This number included email addresses of individuals who had withdrawn their consent to receive marketing emails from HSBC.The individuals had received the Email twice, as it was sent once on two consecutive days. No personal data was disclosed in the Incident. Remedial Actions HSBC rectified the configuration settings immediately upon finding out about the error. In addition, to prevent recurrence of similar incidents, HSBC introduced a checklist to ensure all procedures were adhered to prior to the sending of eDMs. It also cleaned up its existing database. Undertaking The Commission considered the circumstances of the case and accepted an undertaking from HSBC to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 20 January 2020 (the “Undertaking”). The Undertaking provides that HSBC was to: (a) review and update its procedure for the sending of eDMs using its emailing platform to ensure that any error or omission in setting or configuration does not result in the mass dispatch of eDMs to all email addresses stored in its database; (b) review the training provided for its employees involved in the eDM process, particularly in the steps necessary to select and verify the correct email addresses; (c) review the process of retaining and storing email addresses of both current and former customer… | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Undertakings/Undertaking---HSBC.pdf | APPENDIX A LEGALLY BINDING UNDERTAKING TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Personal Data Protection Commission by: HSBC Bank (Singapore) Limited UEN: 201420624K Registered Address: 21 Collyer Quay #13-02 HSBC Building, Singapore 049320 By signing this Undertaking, HSBC Bank (Singapore) Limited acknowledges the matters stated herein and agrees to be bound by the terms of this Undertaking. 1. DEFINITIONS 1.1. In this Undertaking: (a) “PDPC” means the Personal Data Protection Commission. (b) “Commissioner” means the Protection. (c) “Commission’s Letter” means the letter dated 12 December 2019 from the Commission to HSBC Bank (Singapore) Limited concerning its investigation under the PDPA, including the appendices thereto. (d) “Data Protection Provisions” means Parts III to VI of the PDPA. (e) “PDPA” means the Personal Data Protection Act 2012 (No. 26 of 2012). (f) “Time Frame” has the meaning given to it in paragraph 3.2. (g) “HSBC” means HSBC Bank (Singapore) Limited, a company incorporated in Singapore (UEN: 201420624K). Commissioner for Personal Data Page 1 of 6 2. ACKNOWLEDGEMENTS 2.1. HSBC hereby acknowledges the following matters: (a) PDPC has carried out an investigation into certain acts and practices of HSBC involving the erroneous sending of electronic direct mails (the “Incident”). (b) The facts and circumstances relating to the Commission’s investigations are set out in the Commission’s Letter, a copy of which has been furnished to HSBC. (c) HSBC agrees that it has been given the opportunity to submit representations to the Commission in relation to the facts and allegations, and that it has done so in the form of the following documents: i. Response to “NOTICE TO REQUIRE PRODUCTION OF DOCUMENTS AND INFORMATION UNDER THE NINTH SCHEDULE TO THE PERSONAL DATA PROTECTION ACT 2012” dated 20 June 2018; ii. Response to “SECOND NOTICE TO REQUIRE PRODUCTION OF DOCUMENTS AND INFORMATION UNDER THE NINTH SCHEDULE TO THE PERSONAL DATA PROTECTION… | 2d57f15bd27cdf189d7cb4087c63eaf14f1313fa |
| 4 | 4 4 | 1 | 1002 1002 | 4 | NEC Asia Pacific Pte Ltd | https://www.pdpc.gov.sg/Undertakings/Undertaking-by-NEC-Asia-Pacific-Pte-Ltd | 2021-01-14 | Background On 28 August 2017, the Personal Data Protection Commission (the “Commission”) received a data breach notification from JK TruData Solutions Pte Ltd (“JK TruData”) regarding a print job request via email (the “Email”) that it had received from NEC Asia Pacific Pte Ltd (“NEC”). The Email enclosed personal data that had been received by NEC from the common end customer (“Customer”) of both NEC and JK TruData (the “Incident”). JK TruData informed the Commission that it was not the intended recipient of the Email. The Commission’s investigations showed that NEC employed a two-step process when sending relevant data to appointed printing vendors: (a) first, NEC would send the relevant data to the printing agent via an automated email function; (b) thereafter, NEC would follow up manually with an email to confirm the receipt of the automated email; NEC’s SOP required the staff doing this to check that the recipient was correct before sending the email, and for all confidential data to be encrypted. In this Incident, a mistake was made at the second step – an NEC employee sent the follow-up email (with the same content and attachment contained in the automated email without any encryption) to JK TruData instead of the correct printing agent. Although the Commission’s investigation findings suggested that NEC had not fully complied with its obligations under the PDPA, the Commission recognised that there was limited impact from the disclosure. The Commission found that disclosure of personal data had been limited to two authorised printing vendors of the Customer, one of which was JK TruData themselves, who were already bound in contract to the Customer to keep such information confidential. JK TruData also was already familiar with the types of personal data contained within the attachment and there was no further disclosure by NEC beyond JK TruData. The Deputy Commissioner also recognised that the incident did not arise as a result of the lack of controls but that the controls put in place by NEC were no… | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Undertakings/Undertaking---NEC.pdf | APPENDIX A LEGALLY BINDING UNDERTAKING TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Personal Data Protection Commission by: NEC Asia Pacific Pte Ltd UEN: 197700754G Registered Address: 80 Bendemeer Road #05-01/02, Hyflux Innovation Centre Singapore 339949 By signing this Undertaking, NEC Asia Pacific Pte Ltd acknowledges the matters stated herein and agrees to be bound by the terms of this Undertaking. 1. DEFINITIONS 1.1. In this Undertaking: (a) “Commission” means the Personal Data Protection Commission. (b) “Commission’s Letter” means the letter dated 4 April 2018 from the Commission to NEC Asia Pacific Pte Ltd concerning its investigation under the PDPA, including the appendices thereto. (c) “Data Protection Provisions” means Parts III to VI of the PDPA. (d) “PDPA” means the Personal Data Protection Act 2012 (No. 26 of 2012). (e) “Time Frame” has the meaning given to it in paragraph 3.2. (f) “NEC” means NEC Asia Pacific Pte Ltd. 2. ACKNOWLEDGEMENTS 2.1. NEC hereby acknowledges the following matters: (a) The Commission has carried out an investigation into certain acts and practices of NEC, which allegedly infringe one or more provisions of the Data Protection Provisions. (b) The detailed facts and circumstances relating to the Commission’s investigation, as well as the Commission’s investigation findings and concerns arising therefrom, are set out in the Commission’s Letter, a copy of which has been furnished to NEC. (c) NEC agrees that it has been given the opportunity to submit representations to the Commission in relation to the facts, allegations and the Commission’s investigation findings, as well as the form of binding undertaking, as set out in the Commission’s Letter. (d) The Commission’s investigation findings suggest that NEC has not fully complied with its obligations under the PDPA. (e) As a result of the alleged non-compliance with the PDPA, the Commission has a number of enforcement options under the PDPA, including the option to give a … | d7e0a7f4a3d2a68a58d83031a2779d09be9f1bee |
| 5 | 5 5 | 1 | 1002 1002 | 5 | StarMed Specialist Centre Pte Ltd | https://www.pdpc.gov.sg/Undertakings/Undertaking-by-StarMed-Specialist-Centre-Pte-Ltd | 2021-02-18 | Background The Personal Data Protection Commission (the “Commission”) received a data breach notification on 7 February 2020 from StarMed Specialist Centre Pte Ltd (“StarMed”), informing that ransomware had infected one of its servers and encrypted a database containing 373 patients’ personal data. The personal data consisted of the name, NRIC number, date of birth, gender, electrocardiogram data and treadmill stress test data. It was established that StarMed had not implemented the necessary security measures at the time of the incident. A Remote Desktop Protocol (“RDP”) Port had been left open, which likely enabled the unauthorised access to the database. In addition, both the server and database had weak login credentials and passwords. Remedial Actions After the incident, StarMed disabled the RDP Port and all public facing connections on the firewall. It also formalised its internal password SOPs into a written password policy. Additionally, StarMed rolled out several group-led IT security enhancement initiatives, including the implementation of a secured wide-area network and cybersecurity protection suite. StarMed will also continue to bolster staff awareness on cybersecurity issues through further training at its Cyber Security Awareness workshops, conducted by an external cybersecurity consultant. Undertaking The Commission considered the circumstances of the case and accepted an undertaking from StarMed to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 12 October 2020 (the “Undertaking”). The Undertaking provides that StarMed was to: (a) review password policies relating to StarMed’s servers and IT equipment storing personal data; (b) review process of login authentication on StarMed’s servers and IT equipment storing personal data; (c) review the need for an alert system in the event of multiple failed account login attempts to StarMed’s server and IT equipment storing personal data, including logging such attempts; (d) once the Commission approves… | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Undertakings/Undertaking---StarMed.pdf | VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Info-communications Media Development Authority designated as the Personal Data Protection Commission under section 5(1) of the PDPA (hereinafter referred to as the “Commission”), by: StarMed Specialist Centre Pte Ltd UEN: 201629251M Registered Address: 7 Temasek Boulevard #12-10 Suntec Tower One Singapore 038987 (hereinafter referred to as the “Organisation”). By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. DEFINITIONS 1.1 In this Undertaking: (a) “Commission’s Letter” means the letter dated [Date] from the Commission to the Organisation, concerning its investigation under the PDPA, including the appendices thereto; (b) “Data Protection Provisions” means the provisions in Parts III to VI of the PDPA; and (c) “PDPA” means the Personal Data Protection Act 2012 (No. 26 of 2012). 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) As referenced in the Commission’s Letter, the Commission has carried out investigations into certain acts and practices of the Organisation, which potentially infringe one or more of the Data Protection Provisions. (b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to give a direction under section 29 of the PDPA. (c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for 1 information. The Commission further recognises that the Organisation appears ready to implement the remediation plan set out in clause 3 below forthwith. (d) Having carefully considered all the relevant facts and … | 6d303fd9311a3b19dfeba1f3e2f3dec75ac65318 |
| 6 | 6 6 | 1 | 1002 1002 | 6 | Manulife (Singapore) Pte Ltd | https://www.pdpc.gov.sg/Undertakings/Undertaking-by-Manulife-Singapore-Pte-Ltd | 2021-04-15 | Background The Personal Data Protection Commission (the “Commission”) received a data breach notification on 23 March 2020 from Manulife (Singapore) Pte Ltd (“MLS”), informing that a representative who was licensed to provide financial advisory services representing MLS had misplaced an unencrypted thumb drive which contained the personal data of 104 individuals on 19 March 2020. The personal data consisted of NRIC images, passport images, MLS forms used to conduct financial needs analysis for clients, MLS insurance application forms, medical reports, claims documents (current and past claims), insurance summaries for client portfolios. It was found that MLS’ financial representatives were not continuously conveyed and trained on up-to-date requirements on the permissibility of using personal devices for business purposes and the proper use of removable storage media via onboarding and refresher training sessions, circulars and quarterly bulletins. Remedial Actions After the incident, MLS notified all affected individuals of the incident and monitored their insurance policies for unusual requests and/or transactions for a period of six months. A refresher training on privacy and data security was also conducted for MLS representatives. Undertaking The Commission considered the circumstances of the case and accepted an undertaking from MLS to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 15 January 2021 (the “Undertaking”). The Undertaking provides that MLS was to: (a) take all necessary steps to implement its remediation plan, namely, to carry out the actions referred to in Schedule A of the Undertaking; and (b) provide a status report to the Commission at a time requested by the Commission confirming whether MLS has fulfilled each of the specific measures set out in the implementation plan. MLS has since provided the Commission with the status report referred to at paragraph 5(b) above. The Commission has reviewed the matter and determined that MLS h… | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Undertakings/Undertaking---Manulife-Singapore.pdf | VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Info-communications Media Development Authority designated as the Personal Data Protection Commission under section 5(1) of the PDPA (hereinafter referred to as the “Commission”), by: Manulife (Singapore) Pte Ltd UEN: 198002116D Registered Address: 8 Cross Street, #15-01, Manulife Tower, Singapore 048424 (hereinafter referred to as the “Organisation”). By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. DEFINITIONS 1.1 In this Undertaking: (a) “Commission’s Letter” means the letter dated 4 January 2021 from the Commission to the Organisation, concerning its investigation under the PDPA, including the appendices thereto; (b) “Data Protection Provisions” means the provisions in Parts III to VI of the PDPA; and (c) “PDPA” means the Personal Data Protection Act 2012 (No. 26 of 2012). 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) As referenced in the Commission’s Letter, the Commission has carried out investigations into certain acts and practices of the Organisation, which potentially infringe one or more of the Data Protection Provisions. (b) As a result of any non-compliance with the PDPA by an organisation, the Commission has several enforcement options under the PDPA, including the option to give a direction under section 29 of the PDPA. (c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data Page 1 of 6 protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation is already implementing the remediation plan set out in clause 3 below. (d) Having carefully considered all the relevant facts and circums… | 771351fcb77b92a21376df7d2412a750996c9101 |
| 7 | 7 7 | 1 | 1002 1002 | 7 | DLI Asia Pacific Pte Ltd | https://www.pdpc.gov.sg/Undertakings/Undertaking-by-DLI-Asia-Pacific-Pte-Ltd | 2021-05-12 | Background The Personal Data Protection Commission (the “Commission”) received a data breach notification on 18 June 2020 from DLI Asia Pacific Pte Ltd (“DLIAP”), informing that a ransomware attack had infected one of its file servers (“the File Server”), affecting the personal data of approximately 848 individuals. The affected datasets comprised the affected individuals’ names, addresses, contact numbers, dates of birth, marital status, insurance policy details, insurance premiums, passport copies, education background, employment details and/or salary information. It was established that DLIAP had not implemented adequate security measures to protect the personal data in the File Server at the time of the incident. In particular, there were insufficient controls to regulate access to the File Server via a virtual private network (“VPN”). The server hosting the VPN had not been patched, and the same credentials were used to access both the File Server and the VPN . Remedial Actions After the incident, as part of a remediation plan, DLIAP : (a) Implemented multi-factor authentication to strengthen VPN login; (b) Implemented different user accounts for VPN and File Server access; (c) Implemented a virtual desktop for its IT vendor with activity monitoring; (d) Engaged a security consultant to review its current IT infrastructure and propose enhancements; (e) Implemented additional security monitoring by a different IT vendor; (f) Improved patch update & management processes; (g) Established thorough file management rules for cloud storage of data; (h) Implemented email rules including password rules for attachments; and (i) Implemented compliance training for DLIAP’s employees; Undertaking The Commission recognises that DLIAP has made efforts to address the concerns raised in this case and to improve its personal data protection practices. Having considered the circumstances of the case, the Commission accepted an undertaking from DLIAP to improve its compliance with the Personal Data Protection Act 2012. The… | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Undertakings/Undertaking---DLI-Asia-Pacific-Pte-Ltd.pdf | VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Info-communications Media Development Authority designated as the Personal Data Protection Commission under section 5(1) of the PDPA (hereinafter referred to as the “Commission”), by: DLI Asia Pacific Pte Ltd UEN: 201431235K Registered Address: 12 Marina view #24-03/04 Asia Square Tower 2 S(018961) (hereinafter referred to as the “Organisation”). By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. DEFINITIONS 1.1 In this Undertaking: (a) “Commission’s Letter” means the letter dated 1 December 2020 from the Commission to the Organisation, concerning its investigation under the PDPA, including the appendices thereto; (b) “Data Protection Provisions” means the provisions in Parts III to VI of the PDPA; and (c) “PDPA” means the Personal Data Protection Act 2012 (No. 26 of 2012). 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) As referenced in the Commission’s Letter, the Commission has carried out investigations into certain acts and practices of the Organisation, which potentially infringe one or more of the Data Protection Provisions. (b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to give a direction under section 29 of the PDPA. (c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for 1 information. The Commission further recognises that the Organisation appears ready to implement the remediation plan set out in clause 3 below forthwith. (d) Having carefully considered all the relevant facts and circum… | 260eeeca5f79a20ab6ad76a7fb4c445e01559703 |
| 8 | 8 8 | 1 | 1002 1002 | 8 | Seafront Support Company Pte Ltd | https://www.pdpc.gov.sg/Undertakings/Undertaking-by-Seafront-Support-Company-Pte-Ltd | 2021-06-10 | Background The Personal Data Protection Commission (the “Commission”) received a data breach notification on 17 July 2020 from Seafront Support Company Pte. Ltd. (“Seafront Support”) informing that a ransomware attack had rendered data on its server inaccessible. The personal data of approximately 400 to 500 individuals was lost in the incident. The affected datasets comprised the affected individuals’ full name, last 3 digits and checksum of their NRIC number, passport number, last 3 digits and checksum of their FIN number, first 5 digits of their work permit number, address, date of birth, salaries and/or CPF payment details. It was established that Seafront Support had not implemented adequate security measures to protect the personal data in the server at the time of the incident. Seafront Support did not have a dedicated IT department to monitor and manage its IT system, including the server which had not been patched regularly. Seafront Support’s staff were also not well-informed of safe IT practices. Remedial Actions After the incident, as part of a remediation plan, Seafront Support: (a) engaged an external IT consultant to manage its IT system; (b) conducted an audit of Seafront Support’s entire IT system and made improvements to harden its IT system; (c) developed and implemented an IT security policy; (d) conducted meetings and sent periodic email reminders on safe IT practices to increase staff awareness on cybersecurity issues; and (e) instructed staff to back-up their files daily on separate cloud-based storage. Undertaking Having considered the circumstances of the case, including the remedial steps taken by Seafront Support to improve its personal data protection practices, the Commission accepted an undertaking from Seafront Support to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 15 December 2020 (the “Undertaking”). The Undertaking provided that Seafront Support was to complete the implementation of its remediation plan by upgrading it… | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Undertakings/Undertaking---Seafront.pdf | VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Info-communications Media Development Authority designated as the Personal Data Protection Commission under section 5(1) of the PDPA (hereinafter referred to as the “Commission”), by: Seafront Support Company Pte. Ltd. UEN: 201106511C Registered Address: 102E, Pasir Panjang Road, #02-08, Citilink Warehouse Complex, Singapore 118529 (hereinafter referred to as the “Organisation”). By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. DEFINITIONS 1.1 In this Undertaking: (a) “Commission’s Letter” means the letter dated 25 November 2020 from the Commission to the Organisation, concerning its investigation under the PDPA, including the appendices thereto; (b) “Data Protection Provisions” means the provisions in Parts III to VI of the PDPA; and (c) “PDPA” means the Personal Data Protection Act 2012 (No. 26 of 2012). 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) As referenced in the Commission’s Letter, the Commission has carried out investigations into certain acts and practices of the Organisation, which potentially infringe one or more of the Data Protection Provisions. (b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to give a direction under section 29 of the PDPA. Page 1 of 6 (c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation is already implementing the remediation plan set out in clause 3 below. (d) Having carefully considered … | 1dc240b00d7495692705e5eca54021fd2ccba1c2 |
| 9 | 9 9 | 1 | 1002 1002 | 9 | Platinum Yoga Pte Ltd | https://www.pdpc.gov.sg/Undertakings/Undertaking-by-Platinum-Yoga-Pte-Ltd | 2021-06-10 | Background The Personal Data Protection Commission (the “Commission”) received a data breach notification on 29 October 2020 from Platinum Yoga Pte. Ltd. (“Platinum Yoga”), informing of a suspected alleged act of mischief by a terminated employee of Platinum Yoga, who gained unauthorised access to its Customer Relationship Management (“CRM”) system and Facebook account. The CRM system held the email addresses and photographs of Platinum Yoga’s members. Consequently, photographs of 25 individuals were disclosed in an unauthorised Facebook post, and the email addresses of 58 individuals were disclosed in an email impersonating Platinum Yoga. It was established that Platinum Yoga had 1) lacked access restriction to the accounts it had which included the CRM system and its Facebook account; 2) lacked dedicated personnel to ensure and enforce password changes to the CRM system and Facebook account periodically or whenever necessary, among its employees; and 3) not developed a data protection policy internally. Remedial Actions After the incident, as part of a remediation plan, Platinum Yoga: (a) Implemented access restrictions to the CRM system and other accounts, including access to the CRM system on a need-to-know basis, and 2 Factor Authentication to accounts possible; (b) Ensured that personal data can only be viewed or accessed from its property only; (c) Appointed dedicated team to monitor and ensure password change to the CRM system and other accounts periodically, and whenever necessary, among its employees; (d) Implemented periodic reminders to members on changing of passwords; (e) Implemented quarterly review of its internal data protection policy. Undertaking Having considered the circumstances of the case, including the remediation actions taken by Platinum Yoga to improve its personal data protection practices, the Commission accepted an undertaking from Platinum Yoga to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 20 January 2021 (the “Undertaking… | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Undertakings/Undertaking---Platinum-Yoga-Pte-Ltd.pdf | VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Info-communications Media Development Authority designated as the Personal Data Protection Commission under section 5(1) of the PDPA (hereinafter referred to as the “Commission”), by: Platinum Yoga Pte. Ltd. UEN: 201109593N Registered Address: 1 Marine Parade Central, #13-09 Parkway Centre, Singapore 449408 (hereinafter referred to as the “Organisation”). By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. DEFINITIONS 1.1 In this Undertaking: (a) “Commission’s Letter” means the letter dated <14 January 2021> from the Commission to the Organisation, concerning its investigation under the PDPA, including the appendices thereto; (b) “Data Protection Provisions” means the provisions in Parts III to VI of the PDPA; and (c) “PDPA” means the Personal Data Protection Act 2012 (No. 26 of 2012). 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) As referenced in the Commission’s Letter, the Commission has carried out investigations into certain acts and practices of the Organisation, which potentially infringe one or more of the Data Protection Provisions. (b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to give a direction under section 29 of the PDPA. (c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for Page 1 of 5 information. The Commission further recognises that the Organisation is already implementing the remediation plan set out in clause 3 below. (d) Having carefully considered all the relevant facts an… | f621902bbbc4d00ed896b448aa3a44e830575f21 |
| 10 | 10 10 | 1 | 1002 1002 | 10 | Assisi Hospice | https://www.pdpc.gov.sg/Undertakings/Undertaking-by-Assisi-Hospice | 2021-07-12 | Background The Personal Data Protection Commission (the “Commission”) received a data breach notification on 22 September 2020 from Assisi Hospice (“Assisi”). Assisi had disclosed personal data of its patients (“Patients”) via 43 separate emails (“Emails”) sent erroneously to a single unintended external party from January to September 2020. The aforesaid personal data was contained in a list set out in an Excel spreadsheet (“List”) attached to the Emails and updated periodically. The List was meant to serve as easy reference for after hours on-call employees, especially if there are difficulties in accessing Patients’ data, such as when the system containing the electronic patients’ record is undergoing maintenance. The List included the names, addresses, contact numbers, NRIC numbers and disease classifications of 1593 Patients (cumulative number over the 43 occasions). The disease classifications are referenced from the International Classification of Diseases. It was established that the disclosure occurred due to an Assisi employee sending the Emails to an erroneous email address belonging to an external party. Notably, the erroneous email address was not an official work email account. The said employee had also not followed Assisi’s existing personal data protection policy to password protect the List. Remedial Actions After the incident, as part of the remediation plan, Assisi: (a) ceased the practice of distributing a soft-copy List containing personal data of the Patients to its after hours on-call employees (including via emails) and required such employees to refer to the electronic patient records instead; (b) reminded all employees to password protect email attachments containing personal data and to send the password in a separate channel or email thereafter. Where an email has no attachment, employees were required to mask personal data in the email body itself; (c) reminded all employees to use only work email accounts for communication of work-related items, and not to send any email co… | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Undertakings/Undertaking-for-Assisi-Hospice.pdf | VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Info-communications Media Development Authority designated as the Personal Data Protection Commission under section 5(1) of the PDPA (hereinafter referred to as the “Commission”), by: Assisi Hospice UEN: 201208993Z Registered Address: 80 Raffles Place, #32-01, UOB Plaza, Singapore 048624 (hereinafter referred to as the “Organisation”). By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. DEFINITIONS 1.1 In this Undertaking: (a) “Commission’s Letter” means the letter dated 15 December 2020 from the Commission to the Organisation, concerning its investigation under the PDPA, including the appendices thereto; (b) “Data Protection Provisions” means the provisions in Parts III to VI of the PDPA; and (c) “PDPA” means the Personal Data Protection Act 2012 (No. 26 of 2012). 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) As referenced in the Commission’s Letter, the Commission has carried out investigations into certain acts and practices of the Organisation, which potentially infringe one or more of the Data Protection Provisions. (b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to give a direction under section 29 of the PDPA. (c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation is already implementing the remediation plan set out in clause 3 below. (d) Having carefully considered all the relevant facts and circumstances, the Commission t… | 6da64627482a4a49959e7ea17fd01c5d589ee8af |
| 11 | 11 11 | 1 | 1002 1002 | 11 | Thye Hua Kwan Moral Charities Limited | https://www.pdpc.gov.sg/Undertakings/Undertaking-by-Thye-Hua-Kwan-Moral-Charities-Limited | 2021-07-12 | Background The Personal Data Protection Commission (the “Commission”) received a data breach notification on 11 April 2020 from Thye Hua Kwan Moral Charities Limited (“THKMC”), after THKMC discovered that its website was hacked. Investigations revealed that malicious actors had gained access to the web content management system, by altering a web configuration file which had been left in a public directory without protection for the usage of the file. The employee tasked with the administration of the website lacked the requisite technical knowledge and awareness of basic website security features and cyber security hygiene. As a result, the personal data of 550 volunteers was at risk of unauthorised access. However, investigation by THKMC found no evidence of data loss or access by third party visitors. The types of personal data which were at risk included the volunteers’ names, residential telephone numbers, mobile numbers, email addresses, residential addresses, dates of birth, volunteering experiences, and interests. Remedial Actions After the incident, as part of the remediation plan, THKMC: (a) engaged a professional web development vendor to re-build its website to conform with established web security standards and the Open Web Application Security Project (OWASP) guidelines; (b) took preventive measures to harden the website by subscribing to cyber security threat monitoring software and updating the Firewall IP tables with the blacklisted IPs of past attackers; (c) discontinued the storage of personal data on its new website. The volunteer sign-up page and database were outsourced to a third -party cloud-based volunteer management portal which has a set of security controls to protect the personal data that it collects; (d) migrated internal report submission services from the THKMC internet website to THKMC intranet staff portal, which is a more secured environment; (e) assigned control of website administration (previously administered by its Corporate Communications Department) and operations hos… | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Undertakings/Undertaking-for-Thye-Hua-Kwan-Moral-Charities-5-April-2022.pdf | VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Info-communications Media Development Authority designated as the Personal Data Protection Commission under section 5(1) of the PDPA (hereinafter referred to as the “Commission”), by: Thye Hua Kwan Moral Charities Limited UEN: 201130733N Registered Address: 1 North Bridge Road, #03-33, High Street Centre, Singapore 179094 (hereinafter referred to as the “Organisation”). By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. DEFINITIONS 1.1 In this Undertaking: (a) “Commission’s Letter” means the letter dated 27 November 2020 from the Commission to the Organisation, concerning its investigation under the PDPA, including the appendices thereto; (b) “Data Protection Provisions” means the provisions in Parts III to VI of the PDPA; and (c) “PDPA” means the Personal Data Protection Act 2012 (No. 26 of 2012). 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) As referenced in the Commission’s Letter, the Commission has carried out investigations into certain acts and practices of the Organisation, which potentially infringe one or more of the Data Protection Provisions. (b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to give a direction under section 29 of the PDPA. (c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for Page 1 of 6 information. The Commission further recognises that the Organisation is already implementing the remediation plan set out in clause 3 below. (d) Having carefully considered all the rel… | 850be136c1f1efb63f1d26ae8da52a99aabc0499 |
| 12 | 12 12 | 1 | 1002 1002 | 12 | Equity Solution Pte Ltd | https://www.pdpc.gov.sg/Undertakings/Undertaking-by-Equity-Solution-Pte-Ltd | 2021-08-12 | Background The Personal Data Protection Commission (the “Commission”) received a data breach notification on 23 February 2021 from Equity Solution Pte Ltd (“ESPL”), informing that ESPL had been subject to a phishing attack after a staff member opened an email containing an excel file with a macro-enabled malware. The personal data of approximately 1,359 individuals was affected. The affected datasets comprised the affected individuals’ names, addresses, dates of birth, NRIC numbers, passport numbers and financial information. It was established that (a) ESPL had insufficient training for its staff on basic cybersecurity and data protection measures, (b) there was a lack of IT security policy for and no security risk management of its information and communications technology (“ICT”) operations. Remedial Actions After the incident, as part of a remediation plan, ESPL promptly implemented the following measures: (a) Secured files and documents using password protection; (b) Hardened its operating system; (c) Implemented a strong password protection policy; (d) Reviewed and updated its email usage policy; (e) Implemented training and awareness programmes for its employees; and (f) Reviewed and updated its personal data protection policy.Undertaking Undertaking The Commission recognises that ESPL has made efforts to address the concerns raised in this case and to improve its personal data protection practices. Having considered the circumstances of the case, the Commission accepted an undertaking from ESPL to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 8 June 2021 (the “Undertaking”). The Undertaking provided that ESPL was to complete implementation of its remediation plan by subscribing to an email service provider with greater privacy and security features, and enhancing its data security processes. ESPL has since updated the Commission that implementation of its remediation plan has been completed. The Commission has reviewed the matter and determined … | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Undertakings/Undertaking---Equity-Solution-Pte-Ltd.pdf | WRITTEN VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Personal Data Protection Commission or its delegates pursuant to section 48L(1) of the PDPA, by: Equity Solution Pte Ltd UEN: 201601961Z Registered Address: 16 Kallang Pl #07-03 Singapore (339156) (hereinafter referred to as the “Organisation”). By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. DEFINITIONS 1.1 In this Undertaking: (a) “PDPA” means the Personal Data Protection Act 2012 (No. 26 of 2012); and (b) “Relevant Provisions” means the provisions in Parts 3, 4, 5, 6, 6A, 6B and 9, and section 48B(1) of the PDPA. 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) The Commission has carried out investigations into certain acts and practices of the Organisation, and has reason to believe that the Organisation has not complied, is not complying, or is likely not to comply with one or more of the Relevant Provisions. The relevant facts and circumstances are summarised at Schedule A. (b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to issue directions under sections 48I or 48J of the PDPA. (c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation appears ready to implement or is in the midst of implementing the steps set out in Schedule B. (d) Having carefully considered all the relevant facts and circumstances, the Commission takes the view that this is an appropriate case in which an Undertaking may be accepted. 2.2 The Organis… | ecf4078a48c0570dee92963bf197d86e63581724 |
| 13 | 13 13 | 1 | 1002 1002 | 13 | MindChamps Preschool Limited | https://www.pdpc.gov.sg/Undertakings/Undertaking-by-MindChamps-Preschool-Limited | 2021-09-21 | Background The Personal Data Protection Commission (the “Commission”) received information on 27 February 2020, informing that a dataset containing the personal data of the users of MindChamps Preschool Limited’s (“MindChamps”) mobile application was publicly accessible via an internet link. Personal data of approximately 6,521 individuals were affected, namely, email addresses, login passwords and mobile numbers. In addition, the birth certificate numbers of 607 minors were also at risk of unauthorised disclosure. Remedial Actions After the incident, as part of a remediation plan, MindChamps: (a) engaged an external IT consultant to determine the cause of the incident; (b) performed a password reset for all the user accounts of its mobile application; and (c) migrated all users to a newly designed mobile application. Undertaking Having considered the circumstances of the case, including the remedial steps taken by MindChamps to improve its data protection practices, the Commission accepted an undertaking from MindChamps to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 7 January 2021 (the “Undertaking”). The Undertaking provided that MindChamps was to complete the implementation of its remediation plan by carrying out data protection and security reviews on all of its current frontend and backend IT systems. In addition, MindChamps would also conduct training for its employees and ensure their compliance with its policies on vendor security management and to perform data protection impact assessments for any new IT projects. MindChamps has since updated the Commission that implementation of its remediation plan has been completed. The Commission has reviewed the matter and determined that MindChamps has complied with the terms of the Undertaking. Please click here to view the Undertaking. | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Undertakings/Undertaking---MindChamps.pdf | VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Info-communications Media Development Authority designated as the Personal Data Protection Commission under section 5(1) of the PDPA (hereinafter referred to as the “Commission”), by: MindChamps PreSchool Limited UEN: 200814577H Registered Address: 6 Raffles Boulevard, #04-100 Marina Square, Singapore 039594 (hereinafter referred to as the “Organisation”). By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. DEFINITIONS 1.1 In this Undertaking: (a) “Commission’s Letter” means the letter dated 23 December 2020 from the Commission to the Organisation, concerning its investigation under the PDPA, including the appendices thereto; (b) “Data Protection Provisions” means the provisions in Parts III to VI of the PDPA; and (c) “PDPA” means the Personal Data Protection Act 2012 (No. 26 of 2012). 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) As referenced in the Commission’s Letter, the Commission has carried out investigations into certain acts and practices of the Organisation, which potentially infringe one or more of the Data Protection Provisions. (b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to give a direction under section 29 of the PDPA. Page 1 of 6 (c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation is already implementing the remediation plan set out in clause 3 below. (d) Having carefully considered all the relevant facts a… | 9cc1a5499fafd4a99dd033f92d1e90f42c312254 |
| 14 | 14 14 | 1 | 1002 1002 | 14 | Fujioh International Trading Pte Ltd | https://www.pdpc.gov.sg/Undertakings/Undertaking-by-Fujioh-International-Trading-Pte-Ltd | 2021-11-11 | Background The Personal Data Protection Commission (the “Commission”) received information on 24 August 2020 that Fujioh International Trading Pte Ltd’s (“Fujioh”) website had been affected by URL manipulation, resulting in its customers’ personal data being exposed on Fujioh’s online warranty system on its website. The attacker gained access to the Organisation’s website by iterating through the customers’ given identifiers that were reflected at the end of the URL, to download the uploaded receipt images. The personal data of 2,771 individuals was affected. The affected datasets comprised the affected individuals’ name, address, email and telephone number. It was established that Fujioh (a) had application weakness in the receipt submission process of their online warranty system, (b) did not have proper data protection clauses in its contract with its vendor, and (c) had insufficient data protection management. Remedial Actions After the incident, as part of a remediation plan, Fujioh had: (a) introduced session tokens in the online warranty system that expires at the end of each receipt; (b) replaced its online warranty system to fix undetected vulnerabilities; (c) established a Data Protection Management Programme that consisted of drafting of polices and notices, establishment of procedures, templates, data inventory map, training data protection curriculum for employees; and (d) established checklists, procedures and templates for 3rd party vendors. Undertaking Having considered the circumstances of the case, including the remedial steps taken by Fujioh to improve its personal data protection practices, the Commission accepted an undertaking from Fujioh to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 31 March 2021 (the “Undertaking”). The Undertaking provided that Fujioh was to complete implementation of its remediation plan by replacing its online warranty system to fix undetected vulnerabilities. Fujioh has since updated the Commission th… | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Undertakings/Undertaking---Fujioh-International-Trading-Pte-Ltd.pdf | WRITTEN VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Personal Data Protection Commission or its delegates pursuant to section 48L(1) of the PDPA, by: Fujioh International Trading Pte Ltd UEN: 199305801D Registered Address: 130 Joo Seng Road, #05-05, Singapore 368357 (hereinafter referred to as the “Organisation”). By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. DEFINITIONS 1.1 In this Undertaking: (a) “PDPA” means the Personal Data Protection Act 2012 (No. 26 of 2012); and (b) “Relevant Provisions” means the provisions in Parts 3, 4, 5, 6, 6A, 6B and 9, and section 48B(1) of the PDPA. 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) The Commission has carried out investigations into certain acts and practices of the Organisation, and has reason to believe that the Organisation has not complied, is not complying, or is likely not to comply with one or more of the Relevant Provisions. The relevant facts and circumstances are summarised at Schedule A. (b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to issue directions under sections 48I or 48J of the PDPA. (c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation appears ready to implement or is in the midst of implementing the steps set out in Schedule B. (d) Having carefully considered all the relevant facts and circumstances, the Commission takes the view that this is an appropriate case in which an Undertaking may be accepted.… | c1cb2f1465f0e875dd77bc4c62c9c1491364aa38 |
| 15 | 15 15 | 1 | 1002 1002 | 15 | JT Legal LLC | https://www.pdpc.gov.sg/Undertakings/Undertaking-by-JT-Legal-LLC | 2022-01-14 | Background The Personal Data Protection Commission (the “Commission”) received a data breach notification on 16 June 2021 from JT Legal LLC (“JTL”). JTL stated that it had been subjected to an email phishing attack which allowed the threat actor to access and view files on JTL’s SharePoint. The personal data of approximately 1,006 individuals were at risk. The datasets affected comprised the names, addresses, email addresses, NRIC numbers and passport numbers. It was established that (a) JTL had insufficient training for its staff on basic cybersecurity and data protection measures, (b) there was no personal data policy or written internal guidelines, (c) a lack of IT security policy for and no security risk management of its information and communications technology (“ICT”) operations. Remedial Actions After the incident, as part of a remediation plan, JTL promptly implemented the following measures: (a) Implemented Multi-Factor Authentication for all user accounts; (b) Secured files and documents using password protection; (c) Implemented dedicated anti-virus on all computers; (d) Conducted a review of IT infrastructure; (e) Implemented further security measures; (f) Developed an internal reporting system; (g) Implemented training and awareness programmes for its employees; and (h) Reviewed and updated its personal data protection policy. Undertaking The Commission recognises that JTL has made efforts to address the concerns raised in this case and to improve its personal data protection practices. Having considered the circumstances of the case, the Commission accepted an undertaking from JTL to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 27 August 2021 (the “Undertaking”). The Undertaking provided that JTL has to complete its implementation of the remediation plan. This includes a professional review of its IT infrastructure and other measures outlined within the remediation plan. JTL has since updated the Commission that implementation of its r… | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Undertakings/Undertaking-for-JT-Legal-LLC-5-April-2022.pdf | WRITTEN VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Personal Data Protection Commission or its delegates pursuant to section 48L(1) of the PDPA, by: JT Legal LLC UEN: 201706016E Registered Address: 12 Marina Boulevard #17-01 Marina Bay Financial Centre, Tower 3, Singapore (018982) (hereinafter referred to as the “Organisation”). By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. DEFINITIONS 1.1 In this Undertaking: (a) “PDPA” means the Personal Data Protection Act 2012 (No. 26 of 2012); and (b) “Relevant Provisions” means the provisions in Parts III, IV, V, VI, VIA and IX , and section 48B(1) of the PDPA. 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) The Commission has carried out investigations into certain acts and practices of the Organisation, and has reason to believe that the Organisation has not complied, is not complying, or is likely not to comply with one or more of the Relevant Provisions. The relevant facts and circumstances are summarised at Schedule A. (b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to issue directions under sections 48I or 48J of the PDPA. 1 (c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation appears ready to implement or is in the midst of implementing the steps set out in Schedule B. (d) Having carefully considered all the relevant facts and circumstances, the Commission takes the view that this is an appropriate case in which an Underta… | f5c4610a4466424ce418b1ef069121da1ac9cb4d |
| 16 | 16 16 | 1 | 1002 1002 | 16 | Jade E-Services Singapore Pte Ltd | https://www.pdpc.gov.sg/Undertakings/Undertaking%20by%20Jade%20E-Services%20Singapore%20Pte%20Ltd | 2022-04-21 | Background The Personal Data Protection Commission (the “Commission”) received a data breach notification on 11 September 2021 from Jade E-Services Singapore Pte. Ltd. (“Organisation”) following an incident where a marketing email was wrongly sent, as a result of an employee’s lapse. The marketing email was sent to the email addresses belonging to 456,868 individuals who had withdrew their consent to receive such marketing emails. The recipients included 165 individuals who had previously requested for their account to be terminated. It was established that the Organisation lacked sufficiently robust processes to identify and correct any human error by their employees in the use of its system. The Organisation also did not have sufficiently robust retention policies. This resulted in the retention of email addresses of individuals who had unsubscribed to the Organisation’s newsletter and did not have any account with the Organisation. Remedial Actions After the incident, as part of a remediation plan, the Organisation: (a) immediately stopped any further sending of automated emails that had yet to be processed; (b) corrected the system settings; (c) implemented an additional layer of approval for all automated emails that have been modified by an employee to prevent erroneous changes; (d) sent apology emails to individuals who had received the erroneous emails; and (e) issued social media communications to inform all customers of the incident. Undertaking Having considered the circumstances of the case, including the remedial steps taken by the Organisation to improve its personal data protection practices, the Commission accepted an undertaking from the Organisation to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 3 December 2021 (the “Undertaking”). The Undertaking provided that the Organisation was to complete the implementation of its remediation plan to develop and implement an automated feature to trigger anonymisation of email addresse… | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Undertakings/Undertaking-for-Jade-E-Services-Singapore-Pte-Ltd.pdf | WRITTEN VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Personal Data Protection Commission or its delegates pursuant to section 48L(1) of the PDPA, by: Jade E-Services Singapore Pte. Ltd. UEN: 201134432E Registered Address: 51 Bras Basah Road #07-01/04, Singapore 189554 (hereinafter referred to as the “Organisation”). By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. DEFINITIONS 1.1 In this Undertaking: (a) “PDPA” means the Personal Data Protection Act 2012 (No. 26 of 2012); and (b) “Relevant Provisions” means the provisions in Parts III, IV, V, VI, VIA and IX, and section 48B(1) of the PDPA. 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) The Commission has carried out investigations into certain acts and practices of the Organisation, and has reason to believe that the Organisation has not complied, is not complying, or is likely not to comply with one or more of the Relevant Provisions. The relevant facts and circumstances are summarised at Schedule A. (b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to issue directions under sections 48I or 48J of the PDPA. 1 (c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation appears ready to implement or is in the midst of implementing the steps set out in Schedule B. (d) Having carefully considered all the relevant facts and circumstances, the Commission takes the view that this is an appropriate case in which an Undertaking may be acc… | 6f7af83f1a2722030e743fdb20337841c16468e0 |
| 17 | 17 17 | 1 | 1002 1002 | 17 | Singhealth Polyclinics | https://www.pdpc.gov.sg/Undertakings/Undertaking-by-SingHealth-Polyclinics | 2022-06-16 | Background The Personal Data Protection Commission (the “Commission”) was notified by Singhealth Polyclinics (“SHP”) on 31 May 2021 that its courier service provider had misplaced a package containing the GIRO applications forms submitted by its patients. Personal data of 87 individuals were affected, namely, names, telephone numbers, NRIC numbers, bank account numbers and transaction payment limits. It was established that, SHP did not have processes in place to confirm deliveries of packages by its courier service provider. The loss of package was only discovered 3 weeks after the incident when SHP checked with the relevant banks on the status of the GIRO applications. Remedial Actions After the incident, as part of a remediation plan, SHP: (a) conducted a process review and decided to utilize courier companies with real-time tracking for deliveries of package with confidential information; (b) worked with relevant banking institutions to provide confirmation of receipt of any SHP parcel within the next working day; and (c) rolled out additional processes to reduce the risk of loss of hardcopy documents. Undertaking Having considered the circumstances of the case, including the remedial steps taken by SHP to improve its data protection practices, the Commission accepted an undertaking from SHP to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 5 August 2021 (the “Undertaking”). The Undertaking provided that SHP has to complete the implementation of its remediation plan by conducting the process review and changing its processes for the handling of GIRO applications. In addition, SHP would also conduct the necessary training for its employees and ensure their compliance with the changes in its policies. SHP has since updated the Commission that it has completed the implementation of its remediation plan. The Commission has reviewed the matter and determined that SHP has complied with the terms of the Undertaking. Please click here to view the Undert… | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Undertakings/Undertaking-for-Singhealth-Polyclinics-2022.pdf | WRITTEN VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Personal Data Protection Commission or its delegates pursuant to section 48L(1) of the PDPA, by: SingHealth Polyclinics UEN: 52928775K Registered Address: 167 Jalan Bukit Merah #15-10 Connection One, Singapore 150167 (hereinafter referred to as the “Organisation”). By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. DEFINITIONS 1.1 In this Undertaking: (a) “PDPA” means the Personal Data Protection Act 2012 (No. 26 of 2012); and (b) “Relevant Provisions” means the provisions in Parts 3, 4, 5, 6, 6A, 6B and 9, and section 48B(1) of the PDPA. 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) The Commission has carried out investigations into certain acts and practices of the Organisation, and has reason to believe that the Organisation has not complied, is not complying, or is likely not to comply with one or more of the Relevant Provisions. The relevant facts and circumstances are summarised at Schedule A. (b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to issue directions under sections 48I or 48J of the PDPA. Page 1 of 7 (c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation appears ready to implement or is in the midst of implementing the steps set out in Schedule B. (d) Having carefully considered all the relevant facts and circumstances, the Commission takes the view that this is an appropriate case in which an Undertaking … | 2bced216336258bd3352aaacb04da91d11c52603 |
| 18 | 18 18 | 1 | 1002 1002 | 18 | HSL Constructor Pte Ltd | https://www.pdpc.gov.sg/Undertakings/Undertaking%20by%20HSL%20Constructor%20Pte%20Ltd | 2022-07-14 | Background The Personal Data Protection Commission (the “Commission”) was notified by HSL Constructor Pte Ltd (“HSL”) on 7 October 2021 that it was subject to ransomware attack on 30 September 2021. As a result of the attack, 3 of its servers and a Network Attached Storage (“NAS”) were encrypted by ransomware. Personal data of 758 current and former HSL employees were encrypted. The personal data included their name, NRIC number, residential address, email address, family information, salary information and medical information. The Commission noted that there was no evidence of exfiltration of the data. It was established that the threat actor(s) had likely gained access to HSL’s network by exploiting the vulnerabilities present in the outdated software used on 2 of its servers, or using compromised credentials. Remedial Actions After the incident, as part of a remediation plan, HSL: (a) Implemented multifactor authentication for all administrator access, for users with administrative privileges, and for accounts with access to sensitive data/ systems; (b) Supplemented existing email reminders on cybersecurity best practices with regimented user awareness training; (c) Decommissioned all servers running Windows Server 2008 R2 and below; (d) Installed endpoint protection on all servers; (e) Patched all servers and firewall; (f) Reset all admin account passwords; and (g) Closed unused ports on its firewall. Undertaking Having considered the circumstances of the case, including the remedial steps taken by HSL to improve its data protection practices, the Commission accepted an undertaking from HSL to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 31 March 2022 (the “Undertaking”). HSL has since updated the Commission that it has completed the implementation of its remediation plan. The Commission has reviewed the matter and determined that HSL has complied with the terms of the Undertaking. Please click here to view the Undertaking. | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Undertakings/Undertaking---HSL-Constructor-Pte-Ltd.pdf | WRITTEN VOLUNTARY UNDERTAKING TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Personal Data Protection Commission or its delegates pursuant to section 48L(1) of the PDPA, by: HSL Constructor Pte Ltd UEN: 199405996K Registered Address: 42D Penjuru Road, HSL Waterfront @ Penjuru, Singapore 609162 Organisation By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. DEFINITIONS 1.1 In this Undertaking: (a) PDPA and ; (b) Relevant Provisions and IX, and section 48B(1) of the PDPA. 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) The Commission has carried out investigations into certain acts and practices of the Organisation, and has reason to believe that the Organisation has not complied, is not complying, or is likely not to comply with one or more of the Relevant Provisions. The relevant facts and circumstances are summarised at Schedule A. (b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to issue directions under sections 48I or 48J of the PDPA. (c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the 1 course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation appears ready to implement or is in the midst of implementing the steps set out in Schedule B. (d) Having carefully considered all the relevant facts and circumstances, the Commission takes the view that this is an appropriate case in which an Undertaking may be accepted. 2.2 The Organisation also acknowledges and agrees that the Commission may publish and make publicly available this Undertaking, and without limitation to … | e25e24fa4ddf72cadda7e560f55c76fcda0bf9f7 |
| 19 | 19 19 | 1 | 1002 1002 | 19 | Asia Petworld Pte Ltd | https://www.pdpc.gov.sg/Undertakings/Undertaking%20by%20Asia%20Petworld%20Pte%20Ltd | 2022-07-14 | Background The Personal Data Protection Commission (the “Commission”) was notified by Asia Petworld Pte. Ltd. (“APPL”) on 8 September 2021 that its systems had been subjected to unauthorized access. The threat actor(s) had deleted APPL’s servers, including its backup servers and backup data, made mass PayPal payments and Airwallex bank transfers from the personal accounts belonging to APPL’s senior management, and potentially accessed employee payroll sheets in an email account belonging to APPL’s senior management. Personal data of about 21,000 customers was potentially disclosed. The personal data affected included their names, addresses, telephone numbers and email addresses. In addition, the personal data of 60 employees was also affected. The personal data included their names, dates of birth, NRIC number/FIN, bank account numbers and salaries credited. The Commission noted that APPL has since recovered the data via backup, as of 12 July 2021. It was established that APPL did not have adequate processes in place to protect the personal data in its possession. Remedial Actions After the incident, as part of a remediation plan, APPL: (a) reformatted each PC and desktop in its warehouse and office and installed a clean Windows 10 environment; (b) reset all Windows passwords and implemented a password length of at least 20 character long with complex requirements. Users were also reminded not to store passwords in plain text. Further, APPL also applied a password on documents containing personal data when transmitted over the internet; (c) enabled 2FA on all available applications and services; (d) implemented staff training to enhance knowledge in personal data, safety and cyber security knowledge; and (e) hardened system access including enhancing access controls, performing regular patching etc. Undertaking Having considered the circumstances of the case, including the remedial steps taken by APPL to improve its data protection practices, the Commission accepted an undertaking from APPL to imp… | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Undertakings/Undertaking-for-Asia-Petworld-Pte-Ltd.pdf | WRITTEN VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Personal Data Protection Commission or its delegates pursuant to section 48L(1) of the PDPA, by: Asia Petworld Pte. Ltd. UEN: 201409741H Registered Address: 2 Woodlands Sector 1, #03-18, Woodlands Spectrum, Singapore 738068 (hereinafter referred to as the “Organisation”). By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. DEFINITIONS 1.1 In this Undertaking: (a) “PDPA” means the Personal Data Protection Act 2012 (No. 26 of 2012); and (b) “Relevant Provisions” means the provisions in Parts III, IV, V, VI, VIA and IX, and section 48B(1) of the PDPA. 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) The Commission has carried out investigations into certain acts and practices of the Organisation, and has reason to believe that the Organisation has not complied, is not complying, or is likely not to comply with one or more of the Relevant Provisions. The relevant facts and circumstances are summarised at Schedule A. (b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to issue directions under sections 48I or 48J of the PDPA. (c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation appears ready to implement or is in the midst of implementing the steps set out in Schedule B. (d) Having carefully considered all the relevant facts and circumstances, the Commission takes the view that this is an appropriate case in which an Undertaking may … | 5db9ed6a1f5437710c12be609dcf9f02102f6427 |
| 20 | 20 20 | 1 | 1002 1002 | 20 | “K” Line Pte Ltd, "K" Line Ship Management (Singapore) Pte. Ltd., and “K” Line (Singapore) Pte Ltd | https://www.pdpc.gov.sg/undertakings/undertaking-by-k-line-pte-ltd-k-line-ship-management-singapore-pte-ltd-and-k-line-singapore-pte-ltd | 2022-08-11 | Background On 3 April 2021, “K” Line Pte Ltd, "K" Line Ship Management (Singapore) Pte. Ltd., and “K” Line (Singapore) Pte Ltd (the “Organisations”) notified the Personal Data Protection Commission (the “Commission”) that they had been subjected to malware attacks. These three related Organisations are Singapore registered subsidiaries of Kawasaki Kisen Kaisha Ltd, a foreign registered holding company. On 18 March 2021, the Organisations were informed of a cyber incident by an overseas affiliate, also a subsidiary of Kawasaki Kisen Kaisha Ltd. An account belonging to the affiliate, which had high privilege and access rights was compromised in the incident. The compromised account was then used to launch malware attacks on the Organisations’ IT environment in Singapore. In total, the personal data of about 2,148 individuals, which included the current and ex-employees and scholarship applicants, from these three Organisations was affected. The personal data included the name, address, NRIC number, passport number, nationality, photograph, family details, medical information and bank account number. Remedial Actions After the incident, as part of a remediation plan, the Organisations: (a) Reinforced the use of built-in password protection capability for sensitive documents and use of desktop encryption tool by all staff. The Organisations also supplemented existing email reminders on cybersecurity best practices with regimented user awareness training; (b) Reviewed the Access Control List for network traffic between the Organisations and their affiliates; (c) Reviewed the administrative rights and access of the servers between the Organisations and their affiliates; (d) Changed their password policy settings and a global exercise to update all users and system account credential; (e) Employed cybersecurity analyst to perform Security alerts triage and IT security projects; (f) Implemented 2FA for servers remote access; (g) Implemented 2FA for remote access by user via Virtual Private Network (VPN); (h) Co… | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Undertakings/Undertaking-for-K-Line-Pte-Ltd.pdf | WRITTEN VOLUNTARY UNDERTAKING TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Personal Data Protection Commission or its delegates pursuant to section 48L(1) of the PDPA, by: UEN: 199902703D Registered Address: 1 Wallich Street #07-01 Guoco Tower Singapore 078881 Organisation By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. DEFINITIONS 1.1 In this Undertaking: (a) PDPA means the Personal Data Protection Act 2012 (No. 26 of 2012); and (b) Relevant Provisions and IX, and section 48B(1) of the PDPA. 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) The Commission has carried out investigations into certain acts and practices of the Organisation, and has reason to believe that the Organisation has not complied, is not complying, or is likely not to comply with one or more of the Relevant Provisions. The relevant facts and circumstances are summarised at Schedule A. (b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to issue directions under sections 48I or 48J of the PDPA. 1 (c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation appears ready to implement or is in the midst of implementing the steps set out in Schedule B. (d) Having carefully considered all the relevant facts and circumstances, the Commission takes the view that this is an appropriate case in which an Undertaking may be accepted. 2.2 The Organisation also acknowledges and agrees that the Commission may publish and make publicly available this Undertakin… | 4c1701b841cedca46f697ae64d74d83aa24c9a81 |
| 21 | 21 21 | 1 | 1002 1002 | 21 | Inmagine Lab Pte Ltd | https://www.pdpc.gov.sg/Undertakings/Undertaking%20by%20Inmagine%20Lab%20Pte%20Ltd | 2022-08-11 | Background The Personal Data Protection Commission (the “Commission”) received two data breach notifications on 13 November 2020 and 26 January 2021 from Inmagine Lab Pte Ltd (“Organisation”) regarding unauthorised access to two of its websites that took place on or about 22 March 2020 and 7 October 2020 respectively. The personal data from the websites had been exfiltrated. The datasets affected included the names, addresses, email addresses and phone numbers. It was established that the Organisation (a) lacked sufficiently robust security assessment policy, log retention policy and asset management processes, (b) had no intrusion detection or prevention systems in place and (c) operated on an outdated operating system. Remedial Actions After the incident, as part of a remediation plan, the Organisation implemented the following: (a) Developed a vulnerability assessment policy; (b) Developed an incident response plan; (c) Reviewed its log retention policy; (d) Created an asset list for the tracking of an inventory of its systems; (e) Implemented intrusion, detection and prevention systems; (f) Reviewed, compiled and updated all its systems to the latest operating system; and (g) Adopted additional security such as two-factor authentication (“2FA”). Undertaking Having considered the circumstances of the case, including the remedial steps taken by the Organisation, the Commission accepted an undertaking on 23 March 2022 (the “Undertaking”) from the Organisation to improve its compliance with the Personal Data Protection Act 2012. The Undertaking provided that the Organisation was to complete the implementation of its remediation plan. This included the development of various policies and implementation of the intrusion, detection and prevention systems. The Organisation has since updated the Commission that it has fully implemented its remediation plan. The Commission has reviewed the matter and determined that the Organisation has complied with the terms of the Undertaking. Please click here to … | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Undertakings/Undertaking---Inmagine-Lab-Pte-Ltd.pdf | WRITTEN VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Personal Data Protection Commission or its delegates pursuant to section 48L(1) of the PDPA, by: Inmagine Lab Pte Ltd. UEN: 201532639M Registered Address: 11 Collyer Quay #17-00, The Arcade, Singapore 049317 (hereinafter referred to as the “Organisation”). By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. DEFINITIONS 1.1 In this Undertaking: (a) “PDPA” means the Personal Data Protection Act 2012 (No. 26 of 2012); and (b) “Relevant Provisions” means the provisions in Parts III, IV, V, VI, VIA and IX, and section 48B(1) of the PDPA. 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) The Commission has carried out investigations into certain acts and practices of the Organisation, and has reason to believe that the Organisation has not complied, is not complying, or is likely not to comply with one or more of the Relevant Provisions. The relevant facts and circumstances are summarised at Schedule A. (b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to issue directions under sections 48I or 48J of the PDPA. The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the (c) 1 course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation appears ready to implement or is in the midst of implementing the steps set out in Schedule B. (d) Having carefully considered all the relevant facts and circumstances, the Commission takes the view that this is an appropriate case in which an Undertaking may be accepted. … | e9955fc20703531f5d24dc55529bacc3c881d32b |
| 22 | 22 22 | 1 | 1002 1002 | 22 | The National University of Singapore Society | https://www.pdpc.gov.sg/Undertakings/Undertaking%20by%20The%20National%20University%20of%20Singapore%20Society | 2022-08-11 | Background The Personal Data Protection Commission (the “Commission”) received a data breach notification on 8 October 2021 from The National University of Singapore Society (“NUSS”). NUSS stated that its website had been subjected to a SQL injection attack sometime between 6 and 7 October 2021. The personal data of 3,725 individuals was affected. The affected datasets comprised the affected individuals’ name, address, email, NRIC number, contact number, gender, date of birth, membership number, marital status, education details and motor vehicle registration number. It was established that NUSS had (a) inadequate knowledge of the web server hosting its website, (b) inadequate security reviews to identify vulnerabilities within its website, (c) lack of clauses within its contract with its vendors to ensure compliance with the PDPA and (d) there had been an overreliance on its IT vendor to maintain the security of the web server hosting its website. Remedial Actions After the incident, as part of a remediation plan, NUSS had: (a) Ensured that no personal data was stored at its web server; (b) Fixed all vulnerabilities identified in its forensics report; (c) Conducted a penetration test; (d) Established checklists, procedures and templates for 3rd party vendors; (e) Migrated its website to a virtual private server; and (f) Revamped its website. Undertaking Having considered the circumstances of the case, including the remedial steps taken by NUSS to improve its personal data protection practices, the Commission accepted an undertaking from NUSS to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 14 December 2021 (the “Undertaking”). NUSS has since updated the Commission that it has implemented its remediation plan fully. The Commission has reviewed the matter and determined that NUSS has complied with the terms of the Undertaking. Please click here to view the Undertaking. | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Undertakings/Undertaking---The-National-University-of-Singapore-Society.pdf | WRITTEN VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Personal Data Protection Commission or its delegates pursuant to section 48L(1) of the PDPA, by: The National University of Singapore Society UEN: S61SS0139H Registered Address: Kent Ridge Guild House, 9 Kent Ridge Drive, #01-00 Singapore 119241 (hereinafter referred to as the “Organisation”). By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. DEFINITIONS 1.1 In this Undertaking: (a) “PDPA” means the Personal Data Protection Act 2012 (No. 26 of 2012); and (b) “Relevant Provisions” means the provisions in Parts III, IV, V, VI, VIA and IX , and section 48B(1) of the PDPA. 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) The Commission has carried out investigations into certain acts and practices of the Organisation, and has reason to believe that the Organisation has not complied, is not complying, or is likely not to comply with one or more of the Relevant Provisions. The relevant facts and circumstances are summarised at Schedule A. (b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to issue directions under sections 48I or 48J of the PDPA. (c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation appears ready to implement or is in the midst of implementing the steps set out in Schedule B. (d) Having carefully considered all the relevant facts and circumstances, the Commission takes the view that this is an appropriate case in whi… | d629f1064db6febe56753dbba1dcc986f50ba35e |
| 23 | 23 23 | 1 | 1002 1002 | 23 | Murata Machinery Singapore Pte Ltd | https://www.pdpc.gov.sg/Undertakings/Undertaking-by-Murata-Machinery-Singapore-Pte-Ltd | 2022-11-18 | Background The Personal Data Protection Commission (the “Commission”) received a data breach notification on 1 April 2022 from Murata Machinery Singapore Pte Ltd (“Organisation”) regarding a ransomware attack on its back-end servers on 31 May 2022, causing personal data stored within to be encrypted. The personal data of 200 individuals affected included names, addresses, email addresses, contact numbers, NRIC/FIN and passport numbers, date of birth, salary and bank account numbers. Remedial Actions After the incident, as part of a remediation plan, the Organisation implemented the following: (a) Replaced existing firewall and VPN client with more complete security features; (b) Implemented MFA before re-allowing use of VPN access into its server and a lockout threshold of 5 failed attempts for the VPN clients’ logins as an added security; (c) Restricted Remote Desktop Protocol (“RDP”) as a default setting to disallow remote access to its backend servers on regular days and only allowed RDP for planned maintenance tasks; (d) Implemented automated offline backups of the contents of the server in the form of a tape drive; (e) Implemented regular manual data backup to encrypted hard disks that will be kept under lock and key; (f) Deployed suitable encryption software to encrypt server directories containing personal data; (g) Periodically off-load low use personal data to an encrypted external hard disk ti be kept under lock and key offline; (h) Engaged vendor to regularly update and maintain its firewall, VPN client, to monitor traffic of its IT network for illegal access and to fulfill the following: i. Conduct regular audit to computer devices to ensure software and OS updated and patched; ii. Conduct regular review and audit to domain user accounts and computer devices to cleanup unused accounts; iii. Implemented local administrator password solution for domain user computer devices; and iv. Enforced server message block signing to encrypt traffic between domain user computer devices and backend servers… | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Undertakings/Undertaking---Murata-Machinery-Singapore-Pte-Ltd.pdf | WRITTEN VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Personal Data Protection Commission or its delegates pursuant to section 48L(1) of the PDPA, by: MURATA MACHINERY SINGAPORE PTE LTD UEN: 198800649D Registered Address: 69 Ubi Crescent #06-01, CES Building Singapore 408561 (hereinafter referred to as the “Organisation”). By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. DEFINITIONS In this Undertaking: (a) “PDPA” means the Personal Data Protection Act 2012; and (b) “Relevant Provisions” means the provisions in Parts III, IV, V, VI, VIA and IX, and section 48B(1) of the PDPA. 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) The Commission has carried out investigations into certain acts and practices of the Organisation, and has reason to believe that the Organisation has not complied, is not complying, or is likely not to comply with one or more of the Relevant Provisions. The relevant facts and circumstances are summarised at Schedule A. (b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to issue directions under sections 48I or 48J of the PDPA. (c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation appears ready to implement or is in the midst of implementing the steps set out in Schedule B. (d) Having carefully considered all the relevant facts and circumstances, the Commission takes the view that this is an appropriate case in which an Undertaking may be accepted. 2.2 The Or… | 748eaf31dc1754bd093f91f207fc70c9fa6e39b6 |
| 24 | 24 24 | 1 | 1002 1002 | 24 | Nippon Express Group | https://www.pdpc.gov.sg/Undertakings/Undertaking-by-Nippon-Express-Group | 2023-01-13 | Background The Personal Data Protection Commission (the “Commission”) received data breach notifications on 25 November 2021 from Nippon Express (South Asia & Oceania) Pte Ltd, Nippon Express (Singapore) Pte Ltd, NEX Global Engineering Pte Ltd (“Nippon Express Group”). Nippon Express Group was targeted by a malicious threat actor resulting in several servers and endpoints being encrypted with an unknown ransomware variant. These servers are centrally managed by the Nippon Express (South Asia & Oceania) Pte Ltd (“NESO”) and contained not just the personal data of individuals from NESO, but also the personal data of individuals from Nippon Express (Singapore) Pte Ltd and NEX Global Engineering Pte Ltd. The personal data of 1,077 individuals was affected. The affected datasets comprised the affected individuals’ name, address, email, NRIC number, contact number, passport numbers, photographs, date of birth, health information and financial information. It was established that Nippon Express Group had: (a) Lack of MFA for administrative and remote access to all systems; and (b) Inadequate security reviews to identify vulnerabilites within its infrastructure. Remedial Actions After the incident, as part of a remediation plan, Nippon Express Group had: (a) Implemented MFA for all administrative and remote access; (b) Reviewed Active Directory accounts; (c) Performed an external and internal vulnerability assessment; (d) Ensured all software and operating systems updated with patches; (e) Ensured the usage of strong passwords; (f) Implemented enterprise-grade anti-virus software; (g) Implemented 3-2-1 backup rule; and (h) Remove remote access tools. Undertaking Having considered the circumstances of the case, including the remedial steps taken by Nippon Express Group to improve its personal data protection practices, the Commission accepted an undertaking from Nippon Express Group to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 14 July 2022 (the “Unde… | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Undertakings/Undertaking---Nippon-Express-Group.pdf | WRITTEN VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Personal Data Protection Commission or its delegates pursuant to section 48L(1) of the PDPA, by: Nippon Express (Singapore) Pte. Ltd. UEN: 197301583G Registered Address: 5C Toh Guan Road East, Singapore 608828 (hereinafter referred to as the “Organisation”). By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. DEFINITIONS In this Undertaking: (a) “PDPA” means the Personal Data Protection Act 2012; and (b) “Relevant Provisions” means the provisions in Parts III, IV, V, VI, VIA and IX, and section 48B(1) of the PDPA. 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) The Commission has carried out investigations into certain acts and practices of the Organisation, and has reason to believe that the Organisation has not complied, is not complying, or is likely not to comply with one or more of the Relevant Provisions. The relevant facts and circumstances are summarised at Schedule A. (b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to issue directions under sections 48I or 48J of the PDPA. Page 1 of 9 (c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation appears ready to implement or is in the midst of implementing the steps set out in Schedule B. (d) Having carefully considere… | b0aa780c18264394a6da205adfda72774c3d9eac |
| 25 | 25 25 | 1 | 1002 1002 | 25 | Putien Restaurant Pte Ltd | https://www.pdpc.gov.sg/Undertakings/Undertaking-by-Pu-Tien-Restaurant-Pte-Ltd | 2023-03-10 | Background The Personal Data Protection Commission (the “Commission”) was notified by Pu Tien Restaurant Pte Ltd (the "Organisation") on 6 December 2021 that it was subject to a ransomware attack on 24 November 2021. A threat actor used stolen adminstrator account credentials to enture the Organisation's network through a remote desktop protocol port. As a result, its servers containing personal data were accessed and encrypted by ransomware. 350 employees' personal data were encrypted. The personal data included full names, contact numbers, NRIC, work permit, passport numbers, birth certificate and education certificate images, and bank account numbers. The Commission noted that there was no evidence of exfiltration of the personal data. Remedial Actions To prevent a recurrence of a similar incident, the Organisation took immediate remedial action to address the cause of the personal data breach. These include: (a) Development of policies and procedures in relation to IT security, cyber hygiene, protection, prevention of leakage and secure disposal of data and incident response; (b) Implementation of security measures such as anti-virus software, firewall, multi-factor authentication, data encryption, access control, updates, and data backups; (c) Conduct of IT audit reviews on: (i) Computer devices, hardware and software assets to ensure software and operating systems were updated and patched; (ii) User accounts to ensure all rights assigned were necessary; and (d) Conduct of cyber and data protection awareness training for key employees who handle personal data. Undertaking Having considered the circumstances of the case, including the remedial steps taken by the Organisation, the Commission accepted an undertaking from the Organisation to improve its compliance with the Personal Data Protection Act (2012). The undertaking was executed on 28 July 2022 (the "Undertaking"). The organisation has since updated the Commission that it has fully implemented its remediation plan. The Commission has reviewed the m… | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Undertakings/Undertaking---Pu-Tien-Restaurant-Pte-Ltd.pdf | WRITTEN VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Personal Data Protection Commission or its delegates pursuant to section 48L(1) of the PDPA, by: Pu Tien Restaurant Pte Ltd UEN: 200001660W Registered Address: 127 Kitchener Road, Singapore 208514 (hereinafter referred to as the “Organisation”). By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. DEFINITIONS In this Undertaking: (a) “PDPA” means the Personal Data Protection Act 2012; and (b) “Relevant Provisions” means the provisions in Parts III, IV, V, VI, VIA and IX, and section 48B(1) of the PDPA. 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) The Commission has carried out investigations into certain acts and practices of the Organisation, and has reason to believe that the Organisation has not complied, is not complying, or is likely not to comply with one or more of the Relevant Provisions. The relevant facts and circumstances are summarised at Schedule A. (b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to issue directions under sections 48I or 48J of the PDPA. (c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation appears ready to implement or is in the midst of implementing the steps set out in Schedule B. (d) Having carefully considered all the relevant facts and circumstances, the Commission takes the view that this is an appropriate case in which an Undertaking may be accepted. 2.2 The Organisation also acknowled… | 27d58389da826defe1304a57ae3e30c81a71e109 |
| 26 | 26 26 | 1 | 1002 1002 | 26 | Tat Hong Heavyequipment Pte Ltd | https://www.pdpc.gov.sg/Undertakings/Undertaking-by-Tat-Hong-Heavyequipment-Pte-Ltd | 2023-04-17 | Background The Personal Data Protection Commission (the “Commission”) received a data breach notification on 11 July 2022 from Tat Hong Heavyequipment (Pte.) Ltd (“Organisation”) regarding a ransomware attack in which various systems within the Organisation’s network were encrypted. A total of 43 virtual machines, 4 physical servers, 3 employees’ PC and network attached storage were affected. The personal data of the Organisation’s 3,377 current and former employees and their next-of-kin may have been compromised. The personal data included names, dates of births, NRIC/FIN/passport numbers, addresses, contact numbers, bank account numbers (for crediting of salaries) and fingerprints (for door access). There was no evidence of personal data exfiltration and all personal data have been fully restored. Remedial Actions After the incident, as part of a remediation plan, the Organisation implemented the following: (a) Hardening of perimeter firewall and fine tune firewall configurations; (b) Periodic vulnerability assessment and penetration testing done annually or after major systems upgrades; (c) Redesign network so that all traffic will through the main firewall for better visibility, monitoring and logging; (d) Implement multi-factor authentication for privileges and high-risk connections; (e) Ensure that all active PC and server are installed with Endpoint Detection and Response; (f) Upgrade existing HRMS that complies with latest industry standard encryption alogrithm; (g) Conduct end user awareness training such as phishing simulation exercises to train employees and IT staff to identify phishing emails and be alert to spot signs of compromise. Undertaking Having considered the circumstances of the case, including the remedial steps taken by the Organisation, the Commission accepted an undertaking from the Organisation to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 20 October 2022 (the “Undertaking”). The Organisation has since updated the Commissio… | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Undertakings/Undertaking---Tat-Hong-Heavyequipment-(Pte,-d-,)-Ltd.pdf | WRITTEN VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Personal Data Protection Commission or its delegates pursuant to section 48L(1) of the PDPA, by: Tat Hong Heavyequipment (Pte.) Ltd. UEN: 197801297W Registered Address:82 Ubi Avenue 4 #05-01 Edward Boustead Centre Singapore 408832 (hereinafter referred to as the “Organisation”). By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. DEFINITIONS In this Undertaking: (a) “PDPA” means the Personal Data Protection Act 2012; and (b) “Relevant Provisions” means the provisions in Parts III, IV, V, VI, VIA and IX, and section 48B(1) of the PDPA. 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) The Commission has carried out investigations into certain acts and practices of the Organisation, and has reason to believe that the Organisation has not complied, is not complying, or is likely not to comply with one or more of the Relevant Provisions. The relevant facts and circumstances are summarised at Schedule A. (b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to issue directions under sections 48I or 48J of the PDPA. (c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation appears ready to implement or is in the midst of implementing the steps set out in Schedule B. (d) Having carefully considered all the relevant facts and circumstances, the Commission takes the view that this is an appropriate case in which an Undertaking may be accepted. 2.… | 3eb306d180ed2bfa0c7d30ee5776f5cfc124f9af |
| 27 | 27 27 | 1 | 1002 1002 | 27 | SpeeDoc Pte Ltd | https://www.pdpc.gov.sg/Undertakings/Undertaking-by-Speedoc-Pte-Ltd | 2023-05-11 | Background The Personal Data Protection Commission (the “Commission”) was informed on 27 October 2020 that SpeeDoc Pte. Ltd's (“Organisation”) AWS S3 bucket was incorrectly configured which enabled public access to the personal data stored within. The personal data of 12,652 individuals, including their names, phone numbers, email addresses was potentially publicly accessible. Of the 12,652 individuals affected, the NRIC numbers of 22 individuals, laboratory test results of 34 individuals, profile pictures of 492 individuals, and photos of their medication and symptoms (rashes and wounds) submitted by 157 individuals to the Organisation was also made potentially publicly accessible. Remedial Actions To prevent recurrence of a similar incident, the Organisation took immediate remedial action to address the cause of the personal data breach. These include: (a) Conducting an IT security audit to identify and rectify security vulnerabilities in its network and systems; (b) Attaining the ISO27001 Certification to ensure that its information systems are aligned with the industry's best practices and protected against malware and loss of data; (c) Sending its key team members to undergo relevant security and data protection training on Amazon Web Services; and (d) Sending its employees to attend cyber and data protection awareness training to ensure that they are equipped with the relevant knowledge to identify and mitigate security threats. Undertaking Having considered the circumstances of the case, including the remedial steps taken by the Organisation, the Commission accepted an undertaking from the Organisation to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 28 April 2022 (the “Undertaking”). The Organisation has since updated the Commission that it has fully implemented its remediation plan. The Commission has reviewed the matter and determined that the Organisation has complied with the terms of the Undertaking. Please click here to view the Undertak… | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Undertakings/Undertaking---Speedoc-Pte-Ltd.pdf | WRITTEN VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Personal Data Protection Commission or its delegates pursuant to section 48L(1) of the PDPA, by: SpeeDoc Pte Ltd UEN: 201705599R Registered Address: 991C Alexandra Road #01-13B Singapore 119971 (hereinafter referred to as the “Organisation”). By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. DEFINITIONS 1.1 In this Undertaking: (a) “PDPA” means the Personal Data Protection Act 2012; and (b) “Relevant Provisions” means the provisions in Parts III, IV, V, VI, VIA and IX, and section 48B(1) of the PDPA. 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) The Commission has carried out investigations into certain acts and practices of the Organisation, and has reason to believe that the Organisation has not complied, is not complying, or is likely not to comply with one or more of the Relevant Provisions. The relevant facts and circumstances are summarised at Schedule A. (b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to issue directions under sections 48I or 48J of the PDPA. (c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the Page 1 of 10 course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation appears ready to implement or is in the midst of implementing the steps set out in Schedule B. (d) Having carefully considered all the relevant facts and circumstances, the Commission takes the view that this is an appropriate case in which an Undertaking may be accepted. 2.2 The Organisation… | bf70c38493de69470079faced5425078cff0e4f4 |
| 28 | 28 28 | 1 | 1002 1002 | 28 | Simmons (Southeast Asia) Private Limited | https://www.pdpc.gov.sg/Undertakings/Undertaking-by-Simmons-Southeast-Asia-Private-Limited | 2023-06-22 | Background The Personal Data Protection Commission (the “Commission”) was notified by Simmons (Southeast Asia) Private Limited ("SPL") on 17 August 2022 that it was subject to a ransomware attack on 10 August 2022. As a result of the attack, a test server containing the personal data of 87,824 customers was encrypted by ransomware. The personal data affected included the customers' name, address, email address, telephone number and customer information such as the sales order and date, product bought, amount paid, delivery date, time of delivery, date of payment, amount paid, mode of payment, and payment reference. The data of 128 employees, including their business email address, user ID, and password was also encrypted. The Commission noted that there was no evidence of exfiltration of the data. It was established that the threat actor(s) had likely gained access to the test server by exploiting an open Remote Desktop Protocol (“RDP”) port. The RDP port had been left open just 4 days earlier, on 6 August 2022, to facilitate access to the test server by a vendor for testing and development work. Remedial Actions After the incident, as part of a remediation plan, SPL put in place measures including: (a) Reformatted and restored the test server; (b) Closed the RDP port; (c) Ensured that any connection to any of SPL’s servers within its IT environment can only be made through a SSL/VPN or IPSec connection, and that all RDP ports on all its servers are closed to public internet access; (d) Issued a SSL/VPN account to its vendor for the vendor to connect to SPL’s network before accessing the test server; (e) Removed all production data containing personal data from test servers and will ensure that any future test servers will not contain personal data in any form; (f) Set up all future test servers on a separate domain so that the possibility of lateral movement is minimised; (g) Ensured that the passwords used on test servers (including the current test server) comply with SPL’s existing password policy; (… | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Undertakings/Undertaking---Simmons-Southeast-Asia-Limited.pdf | WRITTEN VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Personal Data Protection Commission or its delegates pursuant to section 48L(1) of the PDPA, by: Simmons (Southeast Asia) Private Limited UEN: 199303272D Registered Address: 300 Beach Road, #25-03, The Concourse, Singapore 199555 (hereinafter referred to as the “Organisation”). By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. DEFINITIONS In this Undertaking: (a) “PDPA” means the Personal Data Protection Act 2012; and (b) “Relevant Provisions” means the provisions in Parts III, IV, V, VI, VIA and IX, and section 48B(1) of the PDPA. 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) The Commission has carried out investigations into certain acts and practices of the Organisation, and has reason to believe that the Organisation has not complied, is not complying, or is likely not to comply with one or more of the Relevant Provisions. The relevant facts and circumstances are summarised at Schedule A. (b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to issue directions under sections 48I or 48J of the PDPA. (c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation Page 1 of 16 appears ready to implement or is in the midst of implementing the steps set out in Schedule B. (d) Having carefully considered all the relevant facts and circumstances, the Commission takes the view that this is an appropriate case in which an Undertaking may be a… | 9864e1f1b4c4b0f2d826df52f80381dbe77d37a1 |
| 29 | 29 29 | 1 | 1002 1002 | 29 | Metropolis Security Systems Pte Ltd | https://www.pdpc.gov.sg/Undertakings/Undertaking-by-Metropolis-Security-Systems-Pte-Ltd | 2023-06-22 | Background In late June 2022, the Cyber Security Agency of Singapore alerted the Personal Data Protection Commission (the “Commission”) and Metropolis Security Systems Pte Ltd (the “Organisation”) that the Organisation’s files containing the personal data of 250 individuals was accessible online via an open port. The affected folder containing the personal data had been inadvertently set to public, and configured to an open port following a routine maintenance service in March 2018. As a result, the personal data of 250 individuals including their name, NRIC number, address, mobile number and bank account number was disclosed. Remedial Actions After the incident, as part of a remediation plan, the Organisation implemented the following: (a) Password-protect both sensitive and confidential documents stored centrally in its HQ Network Attached Storage folder; (b) Review the classification of information in its asset register at least once a year; (c) Ensure that its vendors/suppliers are contractually obliged to comply with the Personal Data Protection Act 2012; (d) Conduct adequate internal tests and penetration tests; and (e) Embark on ISO27001 implementation with an external consultant. Undertaking Having considered the circumstances of the case, including the remedial steps taken by the Organisation, the Commission accepted an undertaking from the Organisation to improve its compliance with the PDPA. The undertaking was executed on 27 September 2022 (the “Undertaking”). The Organisation has since updated the Commission that it has fully implemented its remediation plan. The Commission has reviewed the matter and determined that the Organisation has complied with the terms of the Undertaking. Please click here to view the Undertaking. | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Undertakings/Undertaking---Metropolis-Security-Systems-Pte-Ltd.pdf | WRITTEN VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Personal Data Protection Commission or its delegates pursuant to section 48L(1) of the PDPA, by: Metropolis Security Systems Pte Ltd UEN: 201008279K Registered Address: 20 Sin Ming Lane #08-63 Midview City, Singapore (573968) (hereinafter referred to as the “Organisation”). By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. DEFINITIONS 1.1 In this Undertaking: (a) “PDPA” means the Personal Data Protection Act 2012; and (b) “Relevant Provisions” means the provisions in Parts III, IV, V, VI, VIA and IX, and section 48B(1) of the PDPA. 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) The Commission has carried out investigations into certain acts and practices of the Organisation, and has reason to believe that the Organisation has not complied, is not complying, or is likely not to comply with one or more of the Relevant Provisions. The relevant facts and circumstances are summarised at Schedule A. (b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to issue directions under sections 48I or 48J of the PDPA. (c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data Page 1 of 9 protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation appears ready to implement or is in the midst of implementing the steps set out in Schedule B. (d) Having carefully considered all the relevant facts and circumstances, the Commission takes the view that this is an appropriate case in which an Undertaking may be a… | d7c174c2117040dd0b42a602d63206df55b6e2ca |
| 30 | 30 30 | 1 | 1002 1002 | 30 | Employment and Employability Institute Pte Ltd | https://www.pdpc.gov.sg/Undertakings/Undertaking-by-Employment-and-Employability-Institute-Pte-Ltd | 2023-07-20 | Background The Personal Data Protection Commission (the “Commission”) was notified by Employment and Employability Institute Pte. Ltd. on 25 March 2021 of a personal data breach involving its contact centre and data intermediary, i-vic International Pte. Ltd. (“i-vic). Investigations revealed that an employee of i-vic had most likely fallen prey to a phishing attack. As a result, a malicious actor successfully downloaded the personal data belonging to 31,002 individuals, from 2 email accounts belonging to the i-vic employee (the “Incident”).The personal data affected included the individuals’ partial or full NRIC, date of birth, telephone number, email address, residential address, highest qualification, and employment details. Further investigations found that i-vic had reasonable security measures in place to protect the personal data that it processes on behalf of e2i. i-vic had anti-virus protection, anti-phishing protection, regular anti-virus scans, security audits and conducted regular patches for its IT system. In fact, i-vic had existing anti-malware software which should have been able to detect the particular malware used in the Incident, but somehow failed to do so. After the Incident, i-vic purchased and deployed additional anti-malware software. Finally, the Commission found that i-vic had comprehensive policies and guidelines in place to protect personal data. While i-vic had reasonable security arrangements in place to protect the personal data it processes, the Commission established that this was entirely on i-vic’s account and not because of e2i’s bidding. e2i had failed to stipulate any specific data protection requirements on i-vic in their contract. e2i also lacked sufficiently robust processes to protect the personal data in its possession or control. i-vic produced evidence of several occasions where e2i’s employees had sent personal data to i-vic without any encryption or protection, which was against e2i’s standard operating procedures. Case No. DP-2106-B8424 A complainant alerted the Co… | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Undertakings/Undertaking---e2i-2023.pdf | WRITTEN VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Personal Data Protection Commission or its delegates pursuant to section 48L(1) of the PDPA, by: Employment and Employability Pte. Ltd. UEN: 200704772C Registered Address: 30 Cecil Street, #19-08, Prudential Tower, Singapore 049712 (hereinafter referred to as the “Organisation”). By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. DEFINITIONS 1.1 In this Undertaking: (a) “PDPA” means the Personal Data Protection Act 2012 (No. 26 of 2012); and (b) “Relevant Provisions” means the provisions in Parts III, IV, V, VI, VIA and IX, and section 48B(1) of the PDPA. 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) The Commission has carried out investigations into certain acts and practices of the Organisation, and has reason to believe that the Organisation has not complied, is not complying, or is likely not to comply with one or more of the Relevant Provisions. The relevant facts and circumstances are summarised at Schedule A. (b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, 1 including the option to issue directions under sections 48I or 48J of the PDPA. (c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation appears ready to implement or is in the midst of implementing the steps set out in Schedule B. (d) Having carefully considered all the relevant facts and circumstances, the Commission takes the view that this is an appropriate case in which an Undert… | 2f98cf8d92acf8aa9b388d7a13d5ba760fc3a799 |
| 31 | 31 31 | 1 | 1002 1002 | 31 | OG Pte Ltd | https://www.pdpc.gov.sg/Undertakings/Undertaking-by-OG-Pte-Ltd | 2023-08-16 | Background On 4 January 2022, OG Private Limited (the "Organisation") received a ransom email from Desorden Group. The email claimed that Desorden Group had hacked into the Organisation and stolen personal data belonging to the Organisation's customers. The Desorden Group demanded a ransom of USD$90,000 in return for not publishing the stolen data. Investigations revealed that the threat actor had conducted a bruteforce SQL injection attack and was able to download 3 databases. 2 of these databases contained "dummy data" for internal testing while another database contained the personal data (including the name, gender, address, date of birth, email address, telephone numbers and the encrypted NRIC numbers and passwords) of approximately 276,677 individuals. The impact of the ransomware attack on the Organisation was limited as the Organisation's data intermediary, Poket Pte Ltd ("Poket") responded quickly. Within 8 minutes of receiving the security notifications that abnormal traffic had been detected, Poket shut down the affected servers and blocked access to the Organisation's databases. Remedial Actions After the incident, as part of a remediation plan, the Organisation implemented the following: (a) SQL injection prevention enhancement; (b) Streamline data storage; (c) Harden web portal security; (d) Implement annual security review; and (e) Tighten protocols for contracting with 3rd party vendors. Undertaking Having considered the circumstances of the case, the Commission accepted an undertaking from the Organisation to improve its compliance with the PDPA. The Commission accepted the undertaking after considering the security arrangements the Organisation had in place to protect the personal data of individuals in its possession or control and the promot response taken by the Organisation which mitigated the effect of the ransomeware attack. The undertaking was executed on 3 June 2022 (the "Undertaking"). The Organisation has since updated the Commission that it has fully implemented its remediatio… | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Undertakings/Undertaking---OG-Private-Limited.pdf | ecad4be417ebe545c1eff20adaf85c2c556abec1 | |
| 32 | 32 32 | 1 | 1003 1003 | 32 | Starbucks Coffee Singapore Pte Ltd | https://www.pdpc.gov.sg/Undertakings/Undertaking-by-Starbucks-Coffee-Singapore-Pte-Ltd | 2023-11-10 | Background On 13 September 2022, the Personal Data Protection Commission (the “Commission”) reached out to Starbucks Coffee Singapore Pte. Ltd. (the “Organisation”) after receiving information that personal data purporting to belong to the Organisation’s customers were available for sale online. The Organisation lodged a data breach notification to the Commission on 15 September 2022 and confirmed that its customer database, managed by its data intermediary, Ascentis Pte. Ltd. (“Ascentis”), was compromised by an unknown threat actor. As a result, the personal data of approximately 332,774 individuals including their names, phone numbers, email addresses, addresses, date of birth and membership information was compromised. Investigations revealed that the personal data breach could not be directly attributed to the Organisation but had occurred due to internal lapses on Ascentis’ end. Ascentis had engaged an overseas vendor, Kyanon Digital Co. Ltd (“Kyanon”) which was based in Vietnam, to complement and be part of the development team to assist in its project implementation for the Organisation. However, Ascentis failed to implement reasonable administrative and technical measures to ensure that Kyanon was in compliance with its IT policies and standards. Remedial Actions After the incident, as part of a remediation plan, the Organisation implemented the following: (a)Requested its vendor to implement two-factor authentication and IP address restriction to access the admin portal of the customer database; (b) Reset the application programming interface as a precautionary measure; (c) Audited the processes of its vendor and require them to improve on its monitoring and security processes; (d) Reviewed its existing contracts with 3rd party vendors; and (e) Notified all affected customers. Undertaking The Commission accepted the Undertaking as it was satisfied that notwithstanding that the cause of the data breach occurred due to the internal lapses by Ascentis, the Organisation could further improve on the con… | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Undertakings/Undertaking---Starbucks-Coffee-Singapore-Pte-Ltd_2023.pdf | VOLUNTARY UNDERTAKING UNDER SECTION 48L OF THE PERSONAL DATA PROTECTION ACT 2012 Case number: DP-2209-C0193 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 (“the Act”) And (1) Starbucks Coffee Singapore Pte. Ltd. (UEN No. 198800670D) … Organisation The Commission has reasonable grounds to believe that the Organisation has not complied, is not complying or is likely not to comply with section 24 of the Act. In order for the Commission to suspend its investigation pursuant to section 50(3)(ca) of the Act, the Organisation HEREBY UNDERTAKES that it will: (a) Complete the remediation plan set out at Schedule B within the timelines stated in Schedule B; and (b) Within 14 days of the completion of the remediation plan set out at Schedule B, provide the Commission with a copy of the declaration set out at Schedule C duly signed by the signatory of this Undertaking or a representative of the Organisation of equal designation. The Organisation acknowledges that the Commission shall be entitled to publish and make available to the public this Undertaking and the summary of the Commission’s findings set out at Schedule A to this Undertaking. Page 1 of 10 The terms of this Undertaking may be varied by the written agreement of the Commission and the Organisation. SIGNED, for and on behalf of ) Starbucks Coffee Singapore Pte. Ltd. ) By the following: ) Name: ______________________________________ ) Designation: _________________________________ ) Date: _______________________________________ ) Page 2 of 10 SCHEDULE A Page 3 of 10 SUMMARY OF FACTS 1. On 15 September 2022, the Commission was informed that personal data purported to be from the Organisation’s Singapore customers were available on the dark web. 2. Investigation revealed that the above-mentioned personal data were indeed from the Organisation’s customer database and this database were handled by Ascentis Pte. Ltd (“Ascentis”), an external vendor contracted to provide IT solutions since year 2014. 3. … | d943300e94b56ecd831bea928bad4a4dc59f5be6 |
| 33 | 31 31 | 2 | 1004 1004 | WRITTEN VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Personal Data Protection Commission or its delegates pursuant to section 48L(1) of the PDPA, by: OG Private Limited UEN: 196200157H Registered Address: 60 Albert Street #05-01 (189969) OG Albert Complex, Singapore (hereinafter referred to as the “Organisation’). By signing this Undertaking, the above-named Organisation matters stated herein and undertakes to the Commission 1. DEFINITIONS 1.1 In this Undertaking: acknowledges the in the terms set out herein. (a) “PDPA” means the Personal Data Protection Act 2012; and (b) “Relevant Provisions” means the provisions in Parts Ill, IV, V, VI, VIA and IX, and section 48B(1) of the PDPA. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) |The Commission has carried out investigations into certain acts and practices of the Organisation, and has reason to believe that the Organisation has not complied, is not complying, or is likely not to comply with one or more of the Relevant Provisions. The relevant facts and circumstances are summarised at Schedule A. (b) Asaresult of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to issue directions under sections 48] or 48J of the PDPA. (c) |The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data Page 1of 11 protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation appears ready to implement or is in the midst of implementing the steps set out in Schedule B. (d) 2.2 Having carefully considered all the relevant facts and circumstances, the Commission takes the view that this is an appropriate case in which an Undertaking may be… | 0e554bf7a44e2dbcec5a653b81c3b536c39441ae | ||||||
| 34 | 33 33 | 1 | 1006 1006 | 33 | AEM Holdings Ltd | https://www.pdpc.gov.sg/Undertakings/Undertaking-by-AEM-Holdings-Ltd | 2023-12-14 | Background The Personal Data Protection Commission (the "Commission") was notified by AEM Holdings Ltd. ("AEM") on 1 July 2022 of a personal data breach involving the unauthorised access and exfiltration of personal data. Investigations revealed that a malicious actor had likely obtained initial access to AEM's IT environment through a virtual private network ("VPN") applianced owned, controlled, and maintained by its vendor. The VPN appliance had contained a known critial exploit, as the vendor had not updated it. The malicious actor had likely made use of the critical exploit to obtain the VPN credentials and session information. The malicious actor successfully deployed ransomeware, encrypting and/or exfiltrating the personal data of 18,135 individuals (the "Incident"). The personal data affected included their identification numbers, personal contact information, employee status, salary, leave records, date of birth, race, religion, COVID-19 test results, body temperatures for COVID-19 measures, vaccination information, list of shareholders, employee bank account numbers, profile photographs, and fingerprints. Remedial Actions After the incident, as part of a remediation plan, AEM put in place the following measures: (a) Implemented a third-party vendor cybersecurity risk management policy; (b) Implemented standard contractual clauses for contracting with third-party vendors; (c) Implemented regular cybersecurity reviews; and (d) Reviewed and enhanced its data classification policy. The Commission was also satisfied with the additional actions undertaken by AEM. Undertaking Having considered the circumstances of the case, the Commission accepted an undertaking from AEM to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 2 May 2023 (the "Undertaking"). The Commission accepted the Undertaking having considered the number of affected individuals, the types of personal data involved and the impact of the Incident. Accepting the Undertaking was also consiste… | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Undertakings/Undertaking---AEM-Holdings-Ltd.pdf | VOLUNTARY UNDERTAKING UNDER SECTION 48L OF THE PERSONAL DATA PROTECTION ACT 2012 Case number: DP-2207-9942 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 (“the Act”) And (1) AEM Holdings Ltd. (UEN No. 200006417D) … Organisation The Commission has reasonable grounds to believe that the Organisation has not complied, is not complying or is likely not to comply with section 24 of the Act. In order for the Commission to suspend its investigation pursuant to section 50(3)(ca) of the Act, the Organisation HEREBY UNDERTAKES that it will: (a) Complete the remediation plan set out at Schedule B within the timelines stated in Schedule B; and (b) Within 14 days of the completion of the remediation plan set out at Schedule B, provide the Commission with a copy of the declaration set out at Schedule C duly signed by the signatory of this Undertaking or a representative of the Organisation of equal designation. The Organisation acknowledges that the Commission shall be entitled to publish and make available to the public this Undertaking and the summary of the Commission’s findings set out at Schedule A to this Undertaking. Page 1 of 8 The terms of this Undertaking may be varied by the written agreement of the Commission and the Organisation. SIGNED, for and on behalf of ) AEM Holdings Ltd. ) By the following: ) Name: ______________________________________ ) Designation: _________________________________ ) Date: _______________________________________ ) Page 2 of 8 SCHEDULE A Page 3 of 8 SUMMARY OF FACTS 1. On 1 July 2022, the PDPC was informed by the Organisation about the deployment of ransomware on its network. 2. As a result, the personal data of 18,135 individuals including their names, personal contact information, identification numbers, employment records, date of birth, race, religion, COVID-19 test results and vaccination information, shareholding information, employee bank account number, profile photographs and fingerprints were encrypted and/or exf… | 03a494028894bec56731c7ee428de8631a3d85de |
| 35 | 34 34 | 1 | 1007 1007 | 1 | Grabcar Pte Ltd | https://www.pdpc.gov.sg/undertakings/undertaking-by-grabcar-pte-ltd | 2020-09-10 | Background The Personal Data Protection Commission (the “Commission”) received a data breach notification on 14 June 2018 from Grabcar Pte Ltd (“Grabcar”). Grabcar had inadvertently sent an email report on 6 June 2018 (the “Report”) to 9 fleet group partners. The Report contained the name, NRIC number, telephone number, and vehicle rental details of 110,931 Grabcar drivers. Each fleet partner was supposed to receive a filtered copy of the report, containing only the information of the drivers under its fleet. However, the Report contained information of drivers that were not in the respective fleet partner’s fleet. It was established that the inadvertent disclosure occurred due to an error in the script written by a software provider engaged by Grabcar. On 4 June 2018, Grabcar had requested the software provider to replicate the schedule for sending out the email report to accommodate a new version of the report. However, the software provider made a mistake in the script, which led to the email filter being set to “all”. Remedial Actions Each fleet partner was bound by confidentiality clauses in their partnership agreement with Grabcar, which required the fleet partner to protect personal data received from Grabcar. Upon discovering the inadvertent disclosure, Grabcar contacted the fleet partners and requested that they delete the email containing the Report. The fleet partners confirmed to Grabcar that they had done so, within 40 mins of the email being sent. Undertaking The Commission considered the circumstances of the case and accepted an undertaking from Grabcar to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 23 March 2020 (the “Undertaking”). The Undertaking provides that Grabcar was to: (a) review its change management process and to ensure that reasonable security checks are made before deploying such changes; (b) propose an implementation plan for fulfilling the above; (c) once the Commission approves the proposed implementation plan, comply w… | https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/undertakings/undertaking---grabcar.pdf | LEGALLY BINDING UNDERTAKING TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Info-communications Media Development Authority designated as the Personal Data Protection Commission under section 5(1) of the PDPA (hereinafter referred to as the “Commission”), by: Grabcar Pte. Ltd. UEN: 201427085E Registered Address: 6 Shenton Way, #38-01, OUE Downtown, Singapore 068809 (hereinafter referred to as the “Organisation”). By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and agrees to be bound by the terms of this Undertaking. 1. DEFINITIONS 1.1 In this Undertaking: (a) “Commission’s Letter” means the letter dated 21 February 2020 from the Commission to the Organisation, concerning its investigation under the PDPA, including the appendices thereto; (b) “Data Protection Provisions” means Parts III to VI of the PDPA; and (c) “PDPA” means the Personal Data Protection Act 2012 (No. 26 of 2012). 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) The Commission has carried out an investigation into certain acts and practices of the Organisation, which infringes one or more provisions of the Data Protection Provisions. (b) The facts and circumstances relating to the Commission’s investigation, as well as the Commission’s investigation findings and concerns arising therefrom, are set out in the Commission’s Letter, a copy of which has been furnished to the Organisation. (c) The Organisation agrees that it has been given the opportunity to submit representations to the Commission in relation to the facts, allegations and the Commission’s investigation findings, as well as the form of binding undertaking, as set out in the Commission’s Letter. 1 (d) As a result of any non-compliance with the PDPA by an organisation, there are a number of enforcement options under the PDPA, including the option to give a direction under section 29 of the PDPA. (e) The Commission recognises that the Organisation has ma… | ae64938eec857091147b00d11a0e51f52a3f1c62 |
| 36 | 35 35 | 1 | 1007 1007 | 2 | Employment & Employability Institute Pte Ltd | https://www.pdpc.gov.sg/undertakings/undertaking-by-employment-employability-institute-pte-ltd | 2020-09-10 | Background The Personal Data Protection Commission (the “Commission”) received a data breach notification on 24 July 2019 from Employment & Employability Institute Pte Ltd (“e2i”). e2i had disclosed personal data of its jobseekers via an email (“Email”) sent erroneously to one external party. The aforesaid personal data was contained in an Excel Spreadsheet (“Spreadsheet”) attached to the Email. The Spreadsheet contained the name, NRIC number, email address, date of birth, citizenship, race, gender, qualifications and employer name of 101 jobseekers. Additionally, 24 sets of actual salary information and 77 sets of desired salary information belonging to the same 101 jobseekers were also disclosed. It was established that the inadvertent disclosure occurred due to an e2i employee selecting the wrong recipient from the dropdown list. The Email was meant for an internal colleague. However, as the external party bore the same first name as the internal colleague, the wrong recipient was picked. Remedial Actions e2i communicated with the external party to delete the Email and the Spreadsheet. Additionally, e2i reminded all employees to password protect all files containing personal data for both internal and external correspondence. Guidelines on protecting personal data were also emailed to all employees. Undertaking The Commission considered the circumstances of the case and accepted an undertaking from e2i to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 15 November 2019 (the “Undertaking”). The Undertaking provides that e2i was to: (a) review its procedures for the sending of internal and external correspondences including emails which contain personal data of its jobseekers by all relevant employees; (b) review the training of employees involved in correspondences that may comprise or touch on the personal data of jobseekers on how to handle and protect the data adequately; (c) propose an implementation plan for fulfilling the above; (d) once the Comm… | https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/undertakings/undertaking---e2i-2020.pdf | APPENDIX A LEGALLY BINDING UNDERTAKING TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Personal Data Protection Commission by: Employment and Employability Institute Pte Ltd UEN: 200704772C Registered Address: 30 Cecil Street, #19-08, Prudential Tower, Singapore 049712 By signing this Undertaking, Employment and Employability Institute Pte Ltd acknowledges the matters stated herein and agrees to be bound by the terms of this Undertaking. 1. DEFINITIONS 1.1. In this Undertaking: (a) “Commission” means the Personal Data Protection Commission. (b) “Commissioner” means the Protection. (c) “Commission’s Letter” means the letter dated 17 October 2019 from the Commission to Employment and Employability Institute Pte Ltd concerning its investigation under the PDPA, including the appendices thereto. (d) “Data Protection Provisions” means Parts III to VI of the PDPA. (e) “PDPA” means the Personal Data Protection Act 2012 (No. 26 of 2012). (f) “Time Frame” has the meaning given to it in paragraph 3.2. (g) “E2i” means Employment and Employability Institute Pte Ltd, a company incorporated in Singapore (UEN: 200704772C). Commissioner for Personal Data Page 1 of 5 2. ACKNOWLEDGEMENTS 2.1. E2i hereby acknowledges the following matters: (a) The Commission has carried out an investigation into certain acts and practices of E2i, which infringes one or more provisions of the Data Protection Provisions. (b) The facts and circumstances relating to the Commission’s investigation, as well as the Commission’s investigation findings and concerns arising therefrom, are set out in the Commission’s Letter, a copy of which has been furnished to E2i. (c) E2i agrees that it has been given the opportunity to submit representations to the Commission in relation to the facts, allegations and the Commission’s investigation findings, as well as the form of binding undertaking, as set out in the Commission’s Letter. (d) As a result of any non-compliance with the PDPA by an organisation, there… | 0eaf15b2ce37ffc0a534d8a203d1d5374b201e21 |
| 37 | 36 36 | 1 | 1007 1007 | 3 | HSBC Bank (Singapore) Limited | https://www.pdpc.gov.sg/undertakings/undertaking-by-hsbc-bank-(singapore)-limited | 2020-09-10 | Background On 21 May 2018 and 30 May 2018 respectively, the Personal Data Protection Commission (the “Commission”) received complaints from two individuals that HSBC Bank (Singapore) Limited (“HSBC”) had sent them a marketing email (the “Email”) without their consent (the “Incident”). HSBC reported the Incident to the Commission voluntarily on 25 May 2018. As reported by HSBC, the Email was a “test email”, and it had intended to send the Email only to HSBC’s employees to test their eDM (electronic direct mail) platform. However, due to incorrect configurations set on the eDM platform, The Email was sent to a significant number of email addresses (more than 100,000). This number included email addresses of individuals who had withdrawn their consent to receive marketing emails from HSBC.The individuals had received the Email twice, as it was sent once on two consecutive days. No personal data was disclosed in the Incident. Remedial Actions HSBC rectified the configuration settings immediately upon finding out about the error. In addition, to prevent recurrence of similar incidents, HSBC introduced a checklist to ensure all procedures were adhered to prior to the sending of eDMs. It also cleaned up its existing database. Undertaking The Commission considered the circumstances of the case and accepted an undertaking from HSBC to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 20 January 2020 (the “Undertaking”). The Undertaking provides that HSBC was to: (a) review and update its procedure for the sending of eDMs using its emailing platform to ensure that any error or omission in setting or configuration does not result in the mass dispatch of eDMs to all email addresses stored in its database; (b) review the training provided for its employees involved in the eDM process, particularly in the steps necessary to select and verify the correct email addresses; (c) review the process of retaining and storing email addresses of both current and former customer… | https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/undertakings/undertaking---hsbc.pdf | APPENDIX A LEGALLY BINDING UNDERTAKING TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Personal Data Protection Commission by: HSBC Bank (Singapore) Limited UEN: 201420624K Registered Address: 21 Collyer Quay #13-02 HSBC Building, Singapore 049320 By signing this Undertaking, HSBC Bank (Singapore) Limited acknowledges the matters stated herein and agrees to be bound by the terms of this Undertaking. 1. DEFINITIONS 1.1. In this Undertaking: (a) “PDPC” means the Personal Data Protection Commission. (b) “Commissioner” means the Protection. (c) “Commission’s Letter” means the letter dated 12 December 2019 from the Commission to HSBC Bank (Singapore) Limited concerning its investigation under the PDPA, including the appendices thereto. (d) “Data Protection Provisions” means Parts III to VI of the PDPA. (e) “PDPA” means the Personal Data Protection Act 2012 (No. 26 of 2012). (f) “Time Frame” has the meaning given to it in paragraph 3.2. (g) “HSBC” means HSBC Bank (Singapore) Limited, a company incorporated in Singapore (UEN: 201420624K). Commissioner for Personal Data Page 1 of 6 2. ACKNOWLEDGEMENTS 2.1. HSBC hereby acknowledges the following matters: (a) PDPC has carried out an investigation into certain acts and practices of HSBC involving the erroneous sending of electronic direct mails (the “Incident”). (b) The facts and circumstances relating to the Commission’s investigations are set out in the Commission’s Letter, a copy of which has been furnished to HSBC. (c) HSBC agrees that it has been given the opportunity to submit representations to the Commission in relation to the facts and allegations, and that it has done so in the form of the following documents: i. Response to “NOTICE TO REQUIRE PRODUCTION OF DOCUMENTS AND INFORMATION UNDER THE NINTH SCHEDULE TO THE PERSONAL DATA PROTECTION ACT 2012” dated 20 June 2018; ii. Response to “SECOND NOTICE TO REQUIRE PRODUCTION OF DOCUMENTS AND INFORMATION UNDER THE NINTH SCHEDULE TO THE PERSONAL DATA PROTECTION… | 97e17970cda0be799c6088ae042666fd162b46ef |
| 38 | 37 37 | 1 | 1007 1007 | 4 | NEC Asia Pacific Pte Ltd | https://www.pdpc.gov.sg/undertakings/undertaking-by-nec-asia-pacific-pte-ltd | 2021-01-14 | Background On 28 August 2017, the Personal Data Protection Commission (the “Commission”) received a data breach notification from JK TruData Solutions Pte Ltd (“JK TruData”) regarding a print job request via email (the “Email”) that it had received from NEC Asia Pacific Pte Ltd (“NEC”). The Email enclosed personal data that had been received by NEC from the common end customer (“Customer”) of both NEC and JK TruData (the “Incident”). JK TruData informed the Commission that it was not the intended recipient of the Email. The Commission’s investigations showed that NEC employed a two-step process when sending relevant data to appointed printing vendors: (a) first, NEC would send the relevant data to the printing agent via an automated email function; (b) thereafter, NEC would follow up manually with an email to confirm the receipt of the automated email; NEC’s SOP required the staff doing this to check that the recipient was correct before sending the email, and for all confidential data to be encrypted. In this Incident, a mistake was made at the second step – an NEC employee sent the follow-up email (with the same content and attachment contained in the automated email without any encryption) to JK TruData instead of the correct printing agent. Although the Commission’s investigation findings suggested that NEC had not fully complied with its obligations under the PDPA, the Commission recognised that there was limited impact from the disclosure. The Commission found that disclosure of personal data had been limited to two authorised printing vendors of the Customer, one of which was JK TruData themselves, who were already bound in contract to the Customer to keep such information confidential. JK TruData also was already familiar with the types of personal data contained within the attachment and there was no further disclosure by NEC beyond JK TruData. The Deputy Commissioner also recognised that the incident did not arise as a result of the lack of controls but that the controls put in place by NEC were no… | https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/undertakings/undertaking---nec.pdf | APPENDIX A LEGALLY BINDING UNDERTAKING TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Personal Data Protection Commission by: NEC Asia Pacific Pte Ltd UEN: 197700754G Registered Address: 80 Bendemeer Road #05-01/02, Hyflux Innovation Centre Singapore 339949 By signing this Undertaking, NEC Asia Pacific Pte Ltd acknowledges the matters stated herein and agrees to be bound by the terms of this Undertaking. 1. DEFINITIONS 1.1. In this Undertaking: (a) “Commission” means the Personal Data Protection Commission. (b) “Commission’s Letter” means the letter dated 4 April 2018 from the Commission to NEC Asia Pacific Pte Ltd concerning its investigation under the PDPA, including the appendices thereto. (c) “Data Protection Provisions” means Parts III to VI of the PDPA. (d) “PDPA” means the Personal Data Protection Act 2012 (No. 26 of 2012). (e) “Time Frame” has the meaning given to it in paragraph 3.2. (f) “NEC” means NEC Asia Pacific Pte Ltd. 2. ACKNOWLEDGEMENTS 2.1. NEC hereby acknowledges the following matters: (a) The Commission has carried out an investigation into certain acts and practices of NEC, which allegedly infringe one or more provisions of the Data Protection Provisions. (b) The detailed facts and circumstances relating to the Commission’s investigation, as well as the Commission’s investigation findings and concerns arising therefrom, are set out in the Commission’s Letter, a copy of which has been furnished to NEC. (c) NEC agrees that it has been given the opportunity to submit representations to the Commission in relation to the facts, allegations and the Commission’s investigation findings, as well as the form of binding undertaking, as set out in the Commission’s Letter. (d) The Commission’s investigation findings suggest that NEC has not fully complied with its obligations under the PDPA. (e) As a result of the alleged non-compliance with the PDPA, the Commission has a number of enforcement options under the PDPA, including the option to give a … | 6e2ac5c4ce7bf96d73853e33147bbb7e11faf02d |
| 39 | 38 38 | 1 | 1007 1007 | 5 | StarMed Specialist Centre Pte Ltd | https://www.pdpc.gov.sg/undertakings/undertaking-by-starmed-specialist-centre-pte-ltd | 2021-02-18 | Background The Personal Data Protection Commission (the “Commission”) received a data breach notification on 7 February 2020 from StarMed Specialist Centre Pte Ltd (“StarMed”), informing that ransomware had infected one of its servers and encrypted a database containing 373 patients’ personal data. The personal data consisted of the name, NRIC number, date of birth, gender, electrocardiogram data and treadmill stress test data. It was established that StarMed had not implemented the necessary security measures at the time of the incident. A Remote Desktop Protocol (“RDP”) Port had been left open, which likely enabled the unauthorised access to the database. In addition, both the server and database had weak login credentials and passwords. Remedial Actions After the incident, StarMed disabled the RDP Port and all public facing connections on the firewall. It also formalised its internal password SOPs into a written password policy. Additionally, StarMed rolled out several group-led IT security enhancement initiatives, including the implementation of a secured wide-area network and cybersecurity protection suite. StarMed will also continue to bolster staff awareness on cybersecurity issues through further training at its Cyber Security Awareness workshops, conducted by an external cybersecurity consultant. Undertaking The Commission considered the circumstances of the case and accepted an undertaking from StarMed to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 12 October 2020 (the “Undertaking”). The Undertaking provides that StarMed was to: (a) review password policies relating to StarMed’s servers and IT equipment storing personal data; (b) review process of login authentication on StarMed’s servers and IT equipment storing personal data; (c) review the need for an alert system in the event of multiple failed account login attempts to StarMed’s server and IT equipment storing personal data, including logging such attempts; (d) once the Commission approves… | https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/undertakings/undertaking---starmed.pdf | VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Info-communications Media Development Authority designated as the Personal Data Protection Commission under section 5(1) of the PDPA (hereinafter referred to as the “Commission”), by: StarMed Specialist Centre Pte Ltd UEN: 201629251M Registered Address: 7 Temasek Boulevard #12-10 Suntec Tower One Singapore 038987 (hereinafter referred to as the “Organisation”). By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. DEFINITIONS 1.1 In this Undertaking: (a) “Commission’s Letter” means the letter dated [Date] from the Commission to the Organisation, concerning its investigation under the PDPA, including the appendices thereto; (b) “Data Protection Provisions” means the provisions in Parts III to VI of the PDPA; and (c) “PDPA” means the Personal Data Protection Act 2012 (No. 26 of 2012). 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) As referenced in the Commission’s Letter, the Commission has carried out investigations into certain acts and practices of the Organisation, which potentially infringe one or more of the Data Protection Provisions. (b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to give a direction under section 29 of the PDPA. (c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for 1 information. The Commission further recognises that the Organisation appears ready to implement the remediation plan set out in clause 3 below forthwith. (d) Having carefully considered all the relevant facts and … | 05cb56a107d82eeeed481ae4c5479a6622f3f043 |
| 40 | 39 39 | 1 | 1007 1007 | 6 | Manulife (Singapore) Pte Ltd | https://www.pdpc.gov.sg/undertakings/undertaking-by-manulife-singapore-pte-ltd | 2021-04-15 | Background The Personal Data Protection Commission (the “Commission”) received a data breach notification on 23 March 2020 from Manulife (Singapore) Pte Ltd (“MLS”), informing that a representative who was licensed to provide financial advisory services representing MLS had misplaced an unencrypted thumb drive which contained the personal data of 104 individuals on 19 March 2020. The personal data consisted of NRIC images, passport images, MLS forms used to conduct financial needs analysis for clients, MLS insurance application forms, medical reports, claims documents (current and past claims), insurance summaries for client portfolios. It was found that MLS’ financial representatives were not continuously conveyed and trained on up-to-date requirements on the permissibility of using personal devices for business purposes and the proper use of removable storage media via onboarding and refresher training sessions, circulars and quarterly bulletins. Remedial Actions After the incident, MLS notified all affected individuals of the incident and monitored their insurance policies for unusual requests and/or transactions for a period of six months. A refresher training on privacy and data security was also conducted for MLS representatives. Undertaking The Commission considered the circumstances of the case and accepted an undertaking from MLS to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 15 January 2021 (the “Undertaking”). The Undertaking provides that MLS was to: (a) take all necessary steps to implement its remediation plan, namely, to carry out the actions referred to in Schedule A of the Undertaking; and (b) provide a status report to the Commission at a time requested by the Commission confirming whether MLS has fulfilled each of the specific measures set out in the implementation plan. MLS has since provided the Commission with the status report referred to at paragraph 5(b) above. The Commission has reviewed the matter and determined that MLS h… | https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/undertakings/undertaking---manulife-singapore.pdf | VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Info-communications Media Development Authority designated as the Personal Data Protection Commission under section 5(1) of the PDPA (hereinafter referred to as the “Commission”), by: Manulife (Singapore) Pte Ltd UEN: 198002116D Registered Address: 8 Cross Street, #15-01, Manulife Tower, Singapore 048424 (hereinafter referred to as the “Organisation”). By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. DEFINITIONS 1.1 In this Undertaking: (a) “Commission’s Letter” means the letter dated 4 January 2021 from the Commission to the Organisation, concerning its investigation under the PDPA, including the appendices thereto; (b) “Data Protection Provisions” means the provisions in Parts III to VI of the PDPA; and (c) “PDPA” means the Personal Data Protection Act 2012 (No. 26 of 2012). 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) As referenced in the Commission’s Letter, the Commission has carried out investigations into certain acts and practices of the Organisation, which potentially infringe one or more of the Data Protection Provisions. (b) As a result of any non-compliance with the PDPA by an organisation, the Commission has several enforcement options under the PDPA, including the option to give a direction under section 29 of the PDPA. (c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data Page 1 of 6 protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation is already implementing the remediation plan set out in clause 3 below. (d) Having carefully considered all the relevant facts and circums… | a2ca94d60445d4351bbe0562397855f89f7b11fb |
| 41 | 40 40 | 1 | 1007 1007 | 7 | DLI Asia Pacific Pte Ltd | https://www.pdpc.gov.sg/undertakings/undertaking-by-dli-asia-pacific-pte-ltd | 2021-05-12 | Background The Personal Data Protection Commission (the “Commission”) received a data breach notification on 18 June 2020 from DLI Asia Pacific Pte Ltd (“DLIAP”), informing that a ransomware attack had infected one of its file servers (“the File Server”), affecting the personal data of approximately 848 individuals. The affected datasets comprised the affected individuals’ names, addresses, contact numbers, dates of birth, marital status, insurance policy details, insurance premiums, passport copies, education background, employment details and/or salary information. It was established that DLIAP had not implemented adequate security measures to protect the personal data in the File Server at the time of the incident. In particular, there were insufficient controls to regulate access to the File Server via a virtual private network (“VPN”). The server hosting the VPN had not been patched, and the same credentials were used to access both the File Server and the VPN . Remedial Actions After the incident, as part of a remediation plan, DLIAP : (a) Implemented multi-factor authentication to strengthen VPN login; (b) Implemented different user accounts for VPN and File Server access; (c) Implemented a virtual desktop for its IT vendor with activity monitoring; (d) Engaged a security consultant to review its current IT infrastructure and propose enhancements; (e) Implemented additional security monitoring by a different IT vendor; (f) Improved patch update & management processes; (g) Established thorough file management rules for cloud storage of data; (h) Implemented email rules including password rules for attachments; and (i) Implemented compliance training for DLIAP’s employees; Undertaking The Commission recognises that DLIAP has made efforts to address the concerns raised in this case and to improve its personal data protection practices. Having considered the circumstances of the case, the Commission accepted an undertaking from DLIAP to improve its compliance with the Personal Data Protection Act 2012. The… | https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/undertakings/undertaking---dli-asia-pacific-pte-ltd.pdf | VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Info-communications Media Development Authority designated as the Personal Data Protection Commission under section 5(1) of the PDPA (hereinafter referred to as the “Commission”), by: DLI Asia Pacific Pte Ltd UEN: 201431235K Registered Address: 12 Marina view #24-03/04 Asia Square Tower 2 S(018961) (hereinafter referred to as the “Organisation”). By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. DEFINITIONS 1.1 In this Undertaking: (a) “Commission’s Letter” means the letter dated 1 December 2020 from the Commission to the Organisation, concerning its investigation under the PDPA, including the appendices thereto; (b) “Data Protection Provisions” means the provisions in Parts III to VI of the PDPA; and (c) “PDPA” means the Personal Data Protection Act 2012 (No. 26 of 2012). 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) As referenced in the Commission’s Letter, the Commission has carried out investigations into certain acts and practices of the Organisation, which potentially infringe one or more of the Data Protection Provisions. (b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to give a direction under section 29 of the PDPA. (c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for 1 information. The Commission further recognises that the Organisation appears ready to implement the remediation plan set out in clause 3 below forthwith. (d) Having carefully considered all the relevant facts and circum… | 109d9f930024d8e308089714d5e6f7305c6ffcad |
| 42 | 41 41 | 1 | 1007 1007 | 8 | Seafront Support Company Pte Ltd | https://www.pdpc.gov.sg/undertakings/undertaking-by-seafront-support-company-pte-ltd | 2021-06-10 | Background The Personal Data Protection Commission (the “Commission”) received a data breach notification on 17 July 2020 from Seafront Support Company Pte. Ltd. (“Seafront Support”) informing that a ransomware attack had rendered data on its server inaccessible. The personal data of approximately 400 to 500 individuals was lost in the incident. The affected datasets comprised the affected individuals’ full name, last 3 digits and checksum of their NRIC number, passport number, last 3 digits and checksum of their FIN number, first 5 digits of their work permit number, address, date of birth, salaries and/or CPF payment details. It was established that Seafront Support had not implemented adequate security measures to protect the personal data in the server at the time of the incident. Seafront Support did not have a dedicated IT department to monitor and manage its IT system, including the server which had not been patched regularly. Seafront Support’s staff were also not well-informed of safe IT practices. Remedial Actions After the incident, as part of a remediation plan, Seafront Support: (a) engaged an external IT consultant to manage its IT system; (b) conducted an audit of Seafront Support’s entire IT system and made improvements to harden its IT system; (c) developed and implemented an IT security policy; (d) conducted meetings and sent periodic email reminders on safe IT practices to increase staff awareness on cybersecurity issues; and (e) instructed staff to back-up their files daily on separate cloud-based storage. Undertaking Having considered the circumstances of the case, including the remedial steps taken by Seafront Support to improve its personal data protection practices, the Commission accepted an undertaking from Seafront Support to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 15 December 2020 (the “Undertaking”). The Undertaking provided that Seafront Support was to complete the implementation of its remediation plan by upgrading it… | https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/undertakings/undertaking---seafront.pdf | VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Info-communications Media Development Authority designated as the Personal Data Protection Commission under section 5(1) of the PDPA (hereinafter referred to as the “Commission”), by: Seafront Support Company Pte. Ltd. UEN: 201106511C Registered Address: 102E, Pasir Panjang Road, #02-08, Citilink Warehouse Complex, Singapore 118529 (hereinafter referred to as the “Organisation”). By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. DEFINITIONS 1.1 In this Undertaking: (a) “Commission’s Letter” means the letter dated 25 November 2020 from the Commission to the Organisation, concerning its investigation under the PDPA, including the appendices thereto; (b) “Data Protection Provisions” means the provisions in Parts III to VI of the PDPA; and (c) “PDPA” means the Personal Data Protection Act 2012 (No. 26 of 2012). 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) As referenced in the Commission’s Letter, the Commission has carried out investigations into certain acts and practices of the Organisation, which potentially infringe one or more of the Data Protection Provisions. (b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to give a direction under section 29 of the PDPA. Page 1 of 6 (c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation is already implementing the remediation plan set out in clause 3 below. (d) Having carefully considered … | dc0812cc464362cf88d182847348caea4c1b67a8 |
| 43 | 42 42 | 1 | 1007 1007 | 9 | Platinum Yoga Pte Ltd | https://www.pdpc.gov.sg/undertakings/undertaking-by-platinum-yoga-pte-ltd | 2021-06-10 | Background The Personal Data Protection Commission (the “Commission”) received a data breach notification on 29 October 2020 from Platinum Yoga Pte. Ltd. (“Platinum Yoga”), informing of a suspected alleged act of mischief by a terminated employee of Platinum Yoga, who gained unauthorised access to its Customer Relationship Management (“CRM”) system and Facebook account. The CRM system held the email addresses and photographs of Platinum Yoga’s members. Consequently, photographs of 25 individuals were disclosed in an unauthorised Facebook post, and the email addresses of 58 individuals were disclosed in an email impersonating Platinum Yoga. It was established that Platinum Yoga had 1) lacked access restriction to the accounts it had which included the CRM system and its Facebook account; 2) lacked dedicated personnel to ensure and enforce password changes to the CRM system and Facebook account periodically or whenever necessary, among its employees; and 3) not developed a data protection policy internally. Remedial Actions After the incident, as part of a remediation plan, Platinum Yoga: (a) Implemented access restrictions to the CRM system and other accounts, including access to the CRM system on a need-to-know basis, and 2 Factor Authentication to accounts possible; (b) Ensured that personal data can only be viewed or accessed from its property only; (c) Appointed dedicated team to monitor and ensure password change to the CRM system and other accounts periodically, and whenever necessary, among its employees; (d) Implemented periodic reminders to members on changing of passwords; (e) Implemented quarterly review of its internal data protection policy. Undertaking Having considered the circumstances of the case, including the remediation actions taken by Platinum Yoga to improve its personal data protection practices, the Commission accepted an undertaking from Platinum Yoga to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 20 January 2021 (the “Undertaking… | https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/undertakings/undertaking---platinum-yoga-pte-ltd.pdf | VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Info-communications Media Development Authority designated as the Personal Data Protection Commission under section 5(1) of the PDPA (hereinafter referred to as the “Commission”), by: Platinum Yoga Pte. Ltd. UEN: 201109593N Registered Address: 1 Marine Parade Central, #13-09 Parkway Centre, Singapore 449408 (hereinafter referred to as the “Organisation”). By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. DEFINITIONS 1.1 In this Undertaking: (a) “Commission’s Letter” means the letter dated <14 January 2021> from the Commission to the Organisation, concerning its investigation under the PDPA, including the appendices thereto; (b) “Data Protection Provisions” means the provisions in Parts III to VI of the PDPA; and (c) “PDPA” means the Personal Data Protection Act 2012 (No. 26 of 2012). 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) As referenced in the Commission’s Letter, the Commission has carried out investigations into certain acts and practices of the Organisation, which potentially infringe one or more of the Data Protection Provisions. (b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to give a direction under section 29 of the PDPA. (c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for Page 1 of 5 information. The Commission further recognises that the Organisation is already implementing the remediation plan set out in clause 3 below. (d) Having carefully considered all the relevant facts an… | ab05e3c39ca6cf0a3e5f3190a9b767c72d542967 |
| 44 | 43 43 | 1 | 1007 1007 | 10 | Assisi Hospice | https://www.pdpc.gov.sg/undertakings/undertaking-by-assisi-hospice | 2021-07-12 | Background The Personal Data Protection Commission (the “Commission”) received a data breach notification on 22 September 2020 from Assisi Hospice (“Assisi”). Assisi had disclosed personal data of its patients (“Patients”) via 43 separate emails (“Emails”) sent erroneously to a single unintended external party from January to September 2020. The aforesaid personal data was contained in a list set out in an Excel spreadsheet (“List”) attached to the Emails and updated periodically. The List was meant to serve as easy reference for after hours on-call employees, especially if there are difficulties in accessing Patients’ data, such as when the system containing the electronic patients’ record is undergoing maintenance. The List included the names, addresses, contact numbers, NRIC numbers and disease classifications of 1593 Patients (cumulative number over the 43 occasions). The disease classifications are referenced from the International Classification of Diseases. It was established that the disclosure occurred due to an Assisi employee sending the Emails to an erroneous email address belonging to an external party. Notably, the erroneous email address was not an official work email account. The said employee had also not followed Assisi’s existing personal data protection policy to password protect the List. Remedial Actions After the incident, as part of the remediation plan, Assisi: (a) ceased the practice of distributing a soft-copy List containing personal data of the Patients to its after hours on-call employees (including via emails) and required such employees to refer to the electronic patient records instead; (b) reminded all employees to password protect email attachments containing personal data and to send the password in a separate channel or email thereafter. Where an email has no attachment, employees were required to mask personal data in the email body itself; (c) reminded all employees to use only work email accounts for communication of work-related items, and not to send any email co… | https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/undertakings/undertaking-for-assisi-hospice.pdf | VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Info-communications Media Development Authority designated as the Personal Data Protection Commission under section 5(1) of the PDPA (hereinafter referred to as the “Commission”), by: Assisi Hospice UEN: 201208993Z Registered Address: 80 Raffles Place, #32-01, UOB Plaza, Singapore 048624 (hereinafter referred to as the “Organisation”). By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. DEFINITIONS 1.1 In this Undertaking: (a) “Commission’s Letter” means the letter dated 15 December 2020 from the Commission to the Organisation, concerning its investigation under the PDPA, including the appendices thereto; (b) “Data Protection Provisions” means the provisions in Parts III to VI of the PDPA; and (c) “PDPA” means the Personal Data Protection Act 2012 (No. 26 of 2012). 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) As referenced in the Commission’s Letter, the Commission has carried out investigations into certain acts and practices of the Organisation, which potentially infringe one or more of the Data Protection Provisions. (b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to give a direction under section 29 of the PDPA. (c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation is already implementing the remediation plan set out in clause 3 below. (d) Having carefully considered all the relevant facts and circumstances, the Commission t… | 4096cf46023b55d26565d8f72bd1deef271e0123 |
| 45 | 44 44 | 1 | 1007 1007 | 11 | Thye Hua Kwan Moral Charities Limited | https://www.pdpc.gov.sg/undertakings/undertaking-by-thye-hua-kwan-moral-charities-limited | 2021-07-12 | Background The Personal Data Protection Commission (the “Commission”) received a data breach notification on 11 April 2020 from Thye Hua Kwan Moral Charities Limited (“THKMC”), after THKMC discovered that its website was hacked. Investigations revealed that malicious actors had gained access to the web content management system, by altering a web configuration file which had been left in a public directory without protection for the usage of the file. The employee tasked with the administration of the website lacked the requisite technical knowledge and awareness of basic website security features and cyber security hygiene. As a result, the personal data of 550 volunteers was at risk of unauthorised access. However, investigation by THKMC found no evidence of data loss or access by third party visitors. The types of personal data which were at risk included the volunteers’ names, residential telephone numbers, mobile numbers, email addresses, residential addresses, dates of birth, volunteering experiences, and interests. Remedial Actions After the incident, as part of the remediation plan, THKMC: (a) engaged a professional web development vendor to re-build its website to conform with established web security standards and the Open Web Application Security Project (OWASP) guidelines; (b) took preventive measures to harden the website by subscribing to cyber security threat monitoring software and updating the Firewall IP tables with the blacklisted IPs of past attackers; (c) discontinued the storage of personal data on its new website. The volunteer sign-up page and database were outsourced to a third -party cloud-based volunteer management portal which has a set of security controls to protect the personal data that it collects; (d) migrated internal report submission services from the THKMC internet website to THKMC intranet staff portal, which is a more secured environment; (e) assigned control of website administration (previously administered by its Corporate Communications Department) and operations hos… | https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/undertakings/undertaking-for-thye-hua-kwan-moral-charities-5-april-2022.pdf | VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Info-communications Media Development Authority designated as the Personal Data Protection Commission under section 5(1) of the PDPA (hereinafter referred to as the “Commission”), by: Thye Hua Kwan Moral Charities Limited UEN: 201130733N Registered Address: 1 North Bridge Road, #03-33, High Street Centre, Singapore 179094 (hereinafter referred to as the “Organisation”). By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. DEFINITIONS 1.1 In this Undertaking: (a) “Commission’s Letter” means the letter dated 27 November 2020 from the Commission to the Organisation, concerning its investigation under the PDPA, including the appendices thereto; (b) “Data Protection Provisions” means the provisions in Parts III to VI of the PDPA; and (c) “PDPA” means the Personal Data Protection Act 2012 (No. 26 of 2012). 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) As referenced in the Commission’s Letter, the Commission has carried out investigations into certain acts and practices of the Organisation, which potentially infringe one or more of the Data Protection Provisions. (b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to give a direction under section 29 of the PDPA. (c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for Page 1 of 6 information. The Commission further recognises that the Organisation is already implementing the remediation plan set out in clause 3 below. (d) Having carefully considered all the rel… | 9432e7cb9a78382f7fd4320cc6e213f636f50af8 |
| 46 | 45 45 | 1 | 1007 1007 | 12 | Equity Solution Pte Ltd | https://www.pdpc.gov.sg/undertakings/undertaking-by-equity-solution-pte-ltd | 2021-08-12 | Background The Personal Data Protection Commission (the “Commission”) received a data breach notification on 23 February 2021 from Equity Solution Pte Ltd (“ESPL”), informing that ESPL had been subject to a phishing attack after a staff member opened an email containing an excel file with a macro-enabled malware. The personal data of approximately 1,359 individuals was affected. The affected datasets comprised the affected individuals’ names, addresses, dates of birth, NRIC numbers, passport numbers and financial information. It was established that (a) ESPL had insufficient training for its staff on basic cybersecurity and data protection measures, (b) there was a lack of IT security policy for and no security risk management of its information and communications technology (“ICT”) operations. Remedial Actions After the incident, as part of a remediation plan, ESPL promptly implemented the following measures: (a) Secured files and documents using password protection; (b) Hardened its operating system; (c) Implemented a strong password protection policy; (d) Reviewed and updated its email usage policy; (e) Implemented training and awareness programmes for its employees; and (f) Reviewed and updated its personal data protection policy.Undertaking Undertaking The Commission recognises that ESPL has made efforts to address the concerns raised in this case and to improve its personal data protection practices. Having considered the circumstances of the case, the Commission accepted an undertaking from ESPL to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 8 June 2021 (the “Undertaking”). The Undertaking provided that ESPL was to complete implementation of its remediation plan by subscribing to an email service provider with greater privacy and security features, and enhancing its data security processes. ESPL has since updated the Commission that implementation of its remediation plan has been completed. The Commission has reviewed the matter and determined … | https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/undertakings/undertaking---equity-solution-pte-ltd.pdf | WRITTEN VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Personal Data Protection Commission or its delegates pursuant to section 48L(1) of the PDPA, by: Equity Solution Pte Ltd UEN: 201601961Z Registered Address: 16 Kallang Pl #07-03 Singapore (339156) (hereinafter referred to as the “Organisation”). By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. DEFINITIONS 1.1 In this Undertaking: (a) “PDPA” means the Personal Data Protection Act 2012 (No. 26 of 2012); and (b) “Relevant Provisions” means the provisions in Parts 3, 4, 5, 6, 6A, 6B and 9, and section 48B(1) of the PDPA. 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) The Commission has carried out investigations into certain acts and practices of the Organisation, and has reason to believe that the Organisation has not complied, is not complying, or is likely not to comply with one or more of the Relevant Provisions. The relevant facts and circumstances are summarised at Schedule A. (b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to issue directions under sections 48I or 48J of the PDPA. (c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation appears ready to implement or is in the midst of implementing the steps set out in Schedule B. (d) Having carefully considered all the relevant facts and circumstances, the Commission takes the view that this is an appropriate case in which an Undertaking may be accepted. 2.2 The Organis… | d52be26f72bc258dec67103a1871ca420add8ca3 |
| 47 | 46 46 | 1 | 1007 1007 | 13 | MindChamps Preschool Limited | https://www.pdpc.gov.sg/undertakings/undertaking-by-mindchamps-preschool-limited | 2021-09-21 | Background The Personal Data Protection Commission (the “Commission”) received information on 27 February 2020, informing that a dataset containing the personal data of the users of MindChamps Preschool Limited’s (“MindChamps”) mobile application was publicly accessible via an internet link. Personal data of approximately 6,521 individuals were affected, namely, email addresses, login passwords and mobile numbers. In addition, the birth certificate numbers of 607 minors were also at risk of unauthorised disclosure. Remedial Actions After the incident, as part of a remediation plan, MindChamps: (a) engaged an external IT consultant to determine the cause of the incident; (b) performed a password reset for all the user accounts of its mobile application; and (c) migrated all users to a newly designed mobile application. Undertaking Having considered the circumstances of the case, including the remedial steps taken by MindChamps to improve its data protection practices, the Commission accepted an undertaking from MindChamps to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 7 January 2021 (the “Undertaking”). The Undertaking provided that MindChamps was to complete the implementation of its remediation plan by carrying out data protection and security reviews on all of its current frontend and backend IT systems. In addition, MindChamps would also conduct training for its employees and ensure their compliance with its policies on vendor security management and to perform data protection impact assessments for any new IT projects. MindChamps has since updated the Commission that implementation of its remediation plan has been completed. The Commission has reviewed the matter and determined that MindChamps has complied with the terms of the Undertaking. Please click here to view the Undertaking. | https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/undertakings/undertaking---mindchamps.pdf | VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Info-communications Media Development Authority designated as the Personal Data Protection Commission under section 5(1) of the PDPA (hereinafter referred to as the “Commission”), by: MindChamps PreSchool Limited UEN: 200814577H Registered Address: 6 Raffles Boulevard, #04-100 Marina Square, Singapore 039594 (hereinafter referred to as the “Organisation”). By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. DEFINITIONS 1.1 In this Undertaking: (a) “Commission’s Letter” means the letter dated 23 December 2020 from the Commission to the Organisation, concerning its investigation under the PDPA, including the appendices thereto; (b) “Data Protection Provisions” means the provisions in Parts III to VI of the PDPA; and (c) “PDPA” means the Personal Data Protection Act 2012 (No. 26 of 2012). 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) As referenced in the Commission’s Letter, the Commission has carried out investigations into certain acts and practices of the Organisation, which potentially infringe one or more of the Data Protection Provisions. (b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to give a direction under section 29 of the PDPA. Page 1 of 6 (c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation is already implementing the remediation plan set out in clause 3 below. (d) Having carefully considered all the relevant facts a… | f5fbd6fd197fb327f9ab4020e41cf670291f0c39 |
| 48 | 47 47 | 1 | 1007 1007 | 14 | Fujioh International Trading Pte Ltd | https://www.pdpc.gov.sg/undertakings/undertaking-by-fujioh-international-trading-pte-ltd | 2021-11-11 | Background The Personal Data Protection Commission (the “Commission”) received information on 24 August 2020 that Fujioh International Trading Pte Ltd’s (“Fujioh”) website had been affected by URL manipulation, resulting in its customers’ personal data being exposed on Fujioh’s online warranty system on its website. The attacker gained access to the Organisation’s website by iterating through the customers’ given identifiers that were reflected at the end of the URL, to download the uploaded receipt images. The personal data of 2,771 individuals was affected. The affected datasets comprised the affected individuals’ name, address, email and telephone number. It was established that Fujioh (a) had application weakness in the receipt submission process of their online warranty system, (b) did not have proper data protection clauses in its contract with its vendor, and (c) had insufficient data protection management. Remedial Actions After the incident, as part of a remediation plan, Fujioh had: (a) introduced session tokens in the online warranty system that expires at the end of each receipt; (b) replaced its online warranty system to fix undetected vulnerabilities; (c) established a Data Protection Management Programme that consisted of drafting of polices and notices, establishment of procedures, templates, data inventory map, training data protection curriculum for employees; and (d) established checklists, procedures and templates for 3rd party vendors. Undertaking Having considered the circumstances of the case, including the remedial steps taken by Fujioh to improve its personal data protection practices, the Commission accepted an undertaking from Fujioh to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 31 March 2021 (the “Undertaking”). The Undertaking provided that Fujioh was to complete implementation of its remediation plan by replacing its online warranty system to fix undetected vulnerabilities. Fujioh has since updated the Commission th… | https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/undertakings/undertaking---fujioh-international-trading-pte-ltd.pdf | WRITTEN VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Personal Data Protection Commission or its delegates pursuant to section 48L(1) of the PDPA, by: Fujioh International Trading Pte Ltd UEN: 199305801D Registered Address: 130 Joo Seng Road, #05-05, Singapore 368357 (hereinafter referred to as the “Organisation”). By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. DEFINITIONS 1.1 In this Undertaking: (a) “PDPA” means the Personal Data Protection Act 2012 (No. 26 of 2012); and (b) “Relevant Provisions” means the provisions in Parts 3, 4, 5, 6, 6A, 6B and 9, and section 48B(1) of the PDPA. 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) The Commission has carried out investigations into certain acts and practices of the Organisation, and has reason to believe that the Organisation has not complied, is not complying, or is likely not to comply with one or more of the Relevant Provisions. The relevant facts and circumstances are summarised at Schedule A. (b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to issue directions under sections 48I or 48J of the PDPA. (c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation appears ready to implement or is in the midst of implementing the steps set out in Schedule B. (d) Having carefully considered all the relevant facts and circumstances, the Commission takes the view that this is an appropriate case in which an Undertaking may be accepted.… | 30c5672277e50039e1bc87c7ff242b31b39bf687 |
| 49 | 15 15 | 2 | 1007 1007 | https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/undertakings/undertaking-for-jt-legal-llc-5-april-2022.pdf | e0f96785c07a69d04caa7ba7154ae686f571c0a9 | ||||||
| 50 | 16 16 | 2 | 1007 1007 | https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/undertakings/undertaking-for-jade-e-services-singapore-pte-ltd.pdf | 755085f85cada43b32216282d972a918df7f8984 | ||||||
| 51 | 48 48 | 1 | 1007 1007 | 17 | Singhealth Polyclinics | https://www.pdpc.gov.sg/undertakings/undertaking-by-singhealth-polyclinics | 2022-06-16 | Background The Personal Data Protection Commission (the “Commission”) was notified by Singhealth Polyclinics (“SHP”) on 31 May 2021 that its courier service provider had misplaced a package containing the GIRO applications forms submitted by its patients. Personal data of 87 individuals were affected, namely, names, telephone numbers, NRIC numbers, bank account numbers and transaction payment limits. It was established that, SHP did not have processes in place to confirm deliveries of packages by its courier service provider. The loss of package was only discovered 3 weeks after the incident when SHP checked with the relevant banks on the status of the GIRO applications. Remedial Actions After the incident, as part of a remediation plan, SHP: (a) conducted a process review and decided to utilize courier companies with real-time tracking for deliveries of package with confidential information; (b) worked with relevant banking institutions to provide confirmation of receipt of any SHP parcel within the next working day; and (c) rolled out additional processes to reduce the risk of loss of hardcopy documents. Undertaking Having considered the circumstances of the case, including the remedial steps taken by SHP to improve its data protection practices, the Commission accepted an undertaking from SHP to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 5 August 2021 (the “Undertaking”). The Undertaking provided that SHP has to complete the implementation of its remediation plan by conducting the process review and changing its processes for the handling of GIRO applications. In addition, SHP would also conduct the necessary training for its employees and ensure their compliance with the changes in its policies. SHP has since updated the Commission that it has completed the implementation of its remediation plan. The Commission has reviewed the matter and determined that SHP has complied with the terms of the Undertaking. Please click here to view the Undert… | https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/undertakings/undertaking-for-singhealth-polyclinics-2022.pdf | WRITTEN VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Personal Data Protection Commission or its delegates pursuant to section 48L(1) of the PDPA, by: SingHealth Polyclinics UEN: 52928775K Registered Address: 167 Jalan Bukit Merah #15-10 Connection One, Singapore 150167 (hereinafter referred to as the “Organisation”). By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. DEFINITIONS 1.1 In this Undertaking: (a) “PDPA” means the Personal Data Protection Act 2012 (No. 26 of 2012); and (b) “Relevant Provisions” means the provisions in Parts 3, 4, 5, 6, 6A, 6B and 9, and section 48B(1) of the PDPA. 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) The Commission has carried out investigations into certain acts and practices of the Organisation, and has reason to believe that the Organisation has not complied, is not complying, or is likely not to comply with one or more of the Relevant Provisions. The relevant facts and circumstances are summarised at Schedule A. (b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to issue directions under sections 48I or 48J of the PDPA. Page 1 of 7 (c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation appears ready to implement or is in the midst of implementing the steps set out in Schedule B. (d) Having carefully considered all the relevant facts and circumstances, the Commission takes the view that this is an appropriate case in which an Undertaking … | 855a89aa5c2fc40f13fa2289bb10addf91d9648a |
| 52 | 18 18 | 2 | 1007 1007 | https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/undertakings/undertaking---hsl-constructor-pte-ltd.pdf | 1f9a3ef576b631341c9df76aaa20b90727ed7403 | ||||||
| 53 | 19 19 | 2 | 1007 1007 | https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/undertakings/undertaking-for-asia-petworld-pte-ltd.pdf | aca59e1d0c98293be56a4c5ec23d7808147963e6 | ||||||
| 54 | 20 20 | 2 | 1007 1007 | https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/undertakings/undertaking-for-k-line-pte-ltd.pdf | af2b1f405ff91461bff76e5188f99a72384eb58c | ||||||
| 55 | 21 21 | 2 | 1007 1007 | https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/undertakings/undertaking---inmagine-lab-pte-ltd.pdf | c66f31d4d491ef4453c5dd35f098867e35cee7dc | ||||||
| 56 | 22 22 | 2 | 1007 1007 | https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/undertakings/undertaking---the-national-university-of-singapore-society.pdf | 8fbfe80d2b4cebcfa72e1e42befc2b376a7967de | ||||||
| 57 | 23 23 | 2 | 1007 1007 | https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/undertakings/undertaking---murata-machinery-singapore-pte-ltd.pdf | 1646f6433887a09de0c095d795da7e7c76b171d7 | ||||||
| 58 | 49 49 | 1 | 1007 1007 | 24 | Nippon Express Group | https://www.pdpc.gov.sg/undertakings/undertaking-by-nippon-express-group | 2023-01-13 | Background The Personal Data Protection Commission (the “Commission”) received data breach notifications on 25 November 2021 from Nippon Express (South Asia & Oceania) Pte Ltd, Nippon Express (Singapore) Pte Ltd, NEX Global Engineering Pte Ltd (“Nippon Express Group”). Nippon Express Group was targeted by a malicious threat actor resulting in several servers and endpoints being encrypted with an unknown ransomware variant. These servers are centrally managed by the Nippon Express (South Asia & Oceania) Pte Ltd (“NESO”) and contained not just the personal data of individuals from NESO, but also the personal data of individuals from Nippon Express (Singapore) Pte Ltd and NEX Global Engineering Pte Ltd. The personal data of 1,077 individuals was affected. The affected datasets comprised the affected individuals’ name, address, email, NRIC number, contact number, passport numbers, photographs, date of birth, health information and financial information. It was established that Nippon Express Group had: (a) Lack of MFA for administrative and remote access to all systems; and (b) Inadequate security reviews to identify vulnerabilites within its infrastructure. Remedial Actions After the incident, as part of a remediation plan, Nippon Express Group had: (a) Implemented MFA for all administrative and remote access; (b) Reviewed Active Directory accounts; (c) Performed an external and internal vulnerability assessment; (d) Ensured all software and operating systems updated with patches; (e) Ensured the usage of strong passwords; (f) Implemented enterprise-grade anti-virus software; (g) Implemented 3-2-1 backup rule; and (h) Remove remote access tools. Undertaking Having considered the circumstances of the case, including the remedial steps taken by Nippon Express Group to improve its personal data protection practices, the Commission accepted an undertaking from Nippon Express Group to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 14 July 2022 (the “Unde… | https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/undertakings/undertaking---nippon-express-group.pdf | WRITTEN VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Personal Data Protection Commission or its delegates pursuant to section 48L(1) of the PDPA, by: Nippon Express (Singapore) Pte. Ltd. UEN: 197301583G Registered Address: 5C Toh Guan Road East, Singapore 608828 (hereinafter referred to as the “Organisation”). By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. DEFINITIONS In this Undertaking: (a) “PDPA” means the Personal Data Protection Act 2012; and (b) “Relevant Provisions” means the provisions in Parts III, IV, V, VI, VIA and IX, and section 48B(1) of the PDPA. 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) The Commission has carried out investigations into certain acts and practices of the Organisation, and has reason to believe that the Organisation has not complied, is not complying, or is likely not to comply with one or more of the Relevant Provisions. The relevant facts and circumstances are summarised at Schedule A. (b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to issue directions under sections 48I or 48J of the PDPA. Page 1 of 9 (c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation appears ready to implement or is in the midst of implementing the steps set out in Schedule B. (d) Having carefully considere… | 8102a9bba262deaa22a41a8a4ed392608f1edf20 |
| 59 | 50 50 | 1 | 1007 1007 | 25 | Putien Restaurant Pte Ltd | https://www.pdpc.gov.sg/undertakings/undertaking-by-pu-tien-restaurant-pte-ltd | 2023-03-10 | Background The Personal Data Protection Commission (the “Commission”) was notified by Pu Tien Restaurant Pte Ltd (the "Organisation") on 6 December 2021 that it was subject to a ransomware attack on 24 November 2021. A threat actor used stolen adminstrator account credentials to enture the Organisation's network through a remote desktop protocol port. As a result, its servers containing personal data were accessed and encrypted by ransomware. 350 employees' personal data were encrypted. The personal data included full names, contact numbers, NRIC, work permit, passport numbers, birth certificate and education certificate images, and bank account numbers. The Commission noted that there was no evidence of exfiltration of the personal data. Remedial Actions To prevent a recurrence of a similar incident, the Organisation took immediate remedial action to address the cause of the personal data breach. These include: (a) Development of policies and procedures in relation to IT security, cyber hygiene, protection, prevention of leakage and secure disposal of data and incident response; (b) Implementation of security measures such as anti-virus software, firewall, multi-factor authentication, data encryption, access control, updates, and data backups; (c) Conduct of IT audit reviews on: (i) Computer devices, hardware and software assets to ensure software and operating systems were updated and patched; (ii) User accounts to ensure all rights assigned were necessary; and (d) Conduct of cyber and data protection awareness training for key employees who handle personal data. Undertaking Having considered the circumstances of the case, including the remedial steps taken by the Organisation, the Commission accepted an undertaking from the Organisation to improve its compliance with the Personal Data Protection Act (2012). The undertaking was executed on 28 July 2022 (the "Undertaking"). The organisation has since updated the Commission that it has fully implemented its remediation plan. The Commission has reviewed the m… | https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/undertakings/undertaking---pu-tien-restaurant-pte-ltd.pdf | WRITTEN VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Personal Data Protection Commission or its delegates pursuant to section 48L(1) of the PDPA, by: Pu Tien Restaurant Pte Ltd UEN: 200001660W Registered Address: 127 Kitchener Road, Singapore 208514 (hereinafter referred to as the “Organisation”). By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. DEFINITIONS In this Undertaking: (a) “PDPA” means the Personal Data Protection Act 2012; and (b) “Relevant Provisions” means the provisions in Parts III, IV, V, VI, VIA and IX, and section 48B(1) of the PDPA. 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) The Commission has carried out investigations into certain acts and practices of the Organisation, and has reason to believe that the Organisation has not complied, is not complying, or is likely not to comply with one or more of the Relevant Provisions. The relevant facts and circumstances are summarised at Schedule A. (b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to issue directions under sections 48I or 48J of the PDPA. (c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation appears ready to implement or is in the midst of implementing the steps set out in Schedule B. (d) Having carefully considered all the relevant facts and circumstances, the Commission takes the view that this is an appropriate case in which an Undertaking may be accepted. 2.2 The Organisation also acknowled… | d2b2904c65c5fadc559c1e4c0a0af348750682eb |
| 60 | 51 51 | 1 | 1007 1007 | 26 | Tat Hong Heavyequipment Pte Ltd | https://www.pdpc.gov.sg/undertakings/undertaking-by-tat-hong-heavyequipment-pte-ltd | 2023-04-17 | Background The Personal Data Protection Commission (the “Commission”) received a data breach notification on 11 July 2022 from Tat Hong Heavyequipment (Pte.) Ltd (“Organisation”) regarding a ransomware attack in which various systems within the Organisation’s network were encrypted. A total of 43 virtual machines, 4 physical servers, 3 employees’ PC and network attached storage were affected. The personal data of the Organisation’s 3,377 current and former employees and their next-of-kin may have been compromised. The personal data included names, dates of births, NRIC/FIN/passport numbers, addresses, contact numbers, bank account numbers (for crediting of salaries) and fingerprints (for door access). There was no evidence of personal data exfiltration and all personal data have been fully restored. Remedial Actions After the incident, as part of a remediation plan, the Organisation implemented the following: (a) Hardening of perimeter firewall and fine tune firewall configurations; (b) Periodic vulnerability assessment and penetration testing done annually or after major systems upgrades; (c) Redesign network so that all traffic will through the main firewall for better visibility, monitoring and logging; (d) Implement multi-factor authentication for privileges and high-risk connections; (e) Ensure that all active PC and server are installed with Endpoint Detection and Response; (f) Upgrade existing HRMS that complies with latest industry standard encryption alogrithm; (g) Conduct end user awareness training such as phishing simulation exercises to train employees and IT staff to identify phishing emails and be alert to spot signs of compromise. Undertaking Having considered the circumstances of the case, including the remedial steps taken by the Organisation, the Commission accepted an undertaking from the Organisation to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 20 October 2022 (the “Undertaking”). The Organisation has since updated the Commissio… | https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/undertakings/undertaking---tat-hong-heavyequipment-(pte,-d-,)-ltd.pdf | WRITTEN VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Personal Data Protection Commission or its delegates pursuant to section 48L(1) of the PDPA, by: Tat Hong Heavyequipment (Pte.) Ltd. UEN: 197801297W Registered Address:82 Ubi Avenue 4 #05-01 Edward Boustead Centre Singapore 408832 (hereinafter referred to as the “Organisation”). By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. DEFINITIONS In this Undertaking: (a) “PDPA” means the Personal Data Protection Act 2012; and (b) “Relevant Provisions” means the provisions in Parts III, IV, V, VI, VIA and IX, and section 48B(1) of the PDPA. 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) The Commission has carried out investigations into certain acts and practices of the Organisation, and has reason to believe that the Organisation has not complied, is not complying, or is likely not to comply with one or more of the Relevant Provisions. The relevant facts and circumstances are summarised at Schedule A. (b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to issue directions under sections 48I or 48J of the PDPA. (c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation appears ready to implement or is in the midst of implementing the steps set out in Schedule B. (d) Having carefully considered all the relevant facts and circumstances, the Commission takes the view that this is an appropriate case in which an Undertaking may be accepted. 2.… | 42ce02cd3a1dd73e5cc200a9569b225870aed57a |
| 61 | 52 52 | 1 | 1007 1007 | 27 | SpeeDoc Pte Ltd | https://www.pdpc.gov.sg/undertakings/undertaking-by-speedoc-pte-ltd | 2023-05-11 | Background The Personal Data Protection Commission (the “Commission”) was informed on 27 October 2020 that SpeeDoc Pte. Ltd's (“Organisation”) AWS S3 bucket was incorrectly configured which enabled public access to the personal data stored within. The personal data of 12,652 individuals, including their names, phone numbers, email addresses was potentially publicly accessible. Of the 12,652 individuals affected, the NRIC numbers of 22 individuals, laboratory test results of 34 individuals, profile pictures of 492 individuals, and photos of their medication and symptoms (rashes and wounds) submitted by 157 individuals to the Organisation was also made potentially publicly accessible. Remedial Actions To prevent recurrence of a similar incident, the Organisation took immediate remedial action to address the cause of the personal data breach. These include: (a) Conducting an IT security audit to identify and rectify security vulnerabilities in its network and systems; (b) Attaining the ISO27001 Certification to ensure that its information systems are aligned with the industry's best practices and protected against malware and loss of data; (c) Sending its key team members to undergo relevant security and data protection training on Amazon Web Services; and (d) Sending its employees to attend cyber and data protection awareness training to ensure that they are equipped with the relevant knowledge to identify and mitigate security threats. Undertaking Having considered the circumstances of the case, including the remedial steps taken by the Organisation, the Commission accepted an undertaking from the Organisation to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 28 April 2022 (the “Undertaking”). The Organisation has since updated the Commission that it has fully implemented its remediation plan. The Commission has reviewed the matter and determined that the Organisation has complied with the terms of the Undertaking. Please click here to view the Undertak… | https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/undertakings/undertaking---speedoc-pte-ltd.pdf | WRITTEN VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Personal Data Protection Commission or its delegates pursuant to section 48L(1) of the PDPA, by: SpeeDoc Pte Ltd UEN: 201705599R Registered Address: 991C Alexandra Road #01-13B Singapore 119971 (hereinafter referred to as the “Organisation”). By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. DEFINITIONS 1.1 In this Undertaking: (a) “PDPA” means the Personal Data Protection Act 2012; and (b) “Relevant Provisions” means the provisions in Parts III, IV, V, VI, VIA and IX, and section 48B(1) of the PDPA. 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) The Commission has carried out investigations into certain acts and practices of the Organisation, and has reason to believe that the Organisation has not complied, is not complying, or is likely not to comply with one or more of the Relevant Provisions. The relevant facts and circumstances are summarised at Schedule A. (b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to issue directions under sections 48I or 48J of the PDPA. (c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the Page 1 of 10 course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation appears ready to implement or is in the midst of implementing the steps set out in Schedule B. (d) Having carefully considered all the relevant facts and circumstances, the Commission takes the view that this is an appropriate case in which an Undertaking may be accepted. 2.2 The Organisation… | 29f1ddac5d6d29a1627d314a15e585e30b267674 |
| 62 | 53 53 | 1 | 1007 1007 | 28 | Simmons (Southeast Asia) Private Limited | https://www.pdpc.gov.sg/undertakings/undertaking-by-simmons-southeast-asia-private-limited | 2023-06-22 | Background The Personal Data Protection Commission (the “Commission”) was notified by Simmons (Southeast Asia) Private Limited ("SPL") on 17 August 2022 that it was subject to a ransomware attack on 10 August 2022. As a result of the attack, a test server containing the personal data of 87,824 customers was encrypted by ransomware. The personal data affected included the customers' name, address, email address, telephone number and customer information such as the sales order and date, product bought, amount paid, delivery date, time of delivery, date of payment, amount paid, mode of payment, and payment reference. The data of 128 employees, including their business email address, user ID, and password was also encrypted. The Commission noted that there was no evidence of exfiltration of the data. It was established that the threat actor(s) had likely gained access to the test server by exploiting an open Remote Desktop Protocol (“RDP”) port. The RDP port had been left open just 4 days earlier, on 6 August 2022, to facilitate access to the test server by a vendor for testing and development work. Remedial Actions After the incident, as part of a remediation plan, SPL put in place measures including: (a) Reformatted and restored the test server; (b) Closed the RDP port; (c) Ensured that any connection to any of SPL’s servers within its IT environment can only be made through a SSL/VPN or IPSec connection, and that all RDP ports on all its servers are closed to public internet access; (d) Issued a SSL/VPN account to its vendor for the vendor to connect to SPL’s network before accessing the test server; (e) Removed all production data containing personal data from test servers and will ensure that any future test servers will not contain personal data in any form; (f) Set up all future test servers on a separate domain so that the possibility of lateral movement is minimised; (g) Ensured that the passwords used on test servers (including the current test server) comply with SPL’s existing password policy; (… | https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/undertakings/undertaking---simmons-southeast-asia-limited.pdf | WRITTEN VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Personal Data Protection Commission or its delegates pursuant to section 48L(1) of the PDPA, by: Simmons (Southeast Asia) Private Limited UEN: 199303272D Registered Address: 300 Beach Road, #25-03, The Concourse, Singapore 199555 (hereinafter referred to as the “Organisation”). By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. DEFINITIONS In this Undertaking: (a) “PDPA” means the Personal Data Protection Act 2012; and (b) “Relevant Provisions” means the provisions in Parts III, IV, V, VI, VIA and IX, and section 48B(1) of the PDPA. 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) The Commission has carried out investigations into certain acts and practices of the Organisation, and has reason to believe that the Organisation has not complied, is not complying, or is likely not to comply with one or more of the Relevant Provisions. The relevant facts and circumstances are summarised at Schedule A. (b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to issue directions under sections 48I or 48J of the PDPA. (c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation Page 1 of 16 appears ready to implement or is in the midst of implementing the steps set out in Schedule B. (d) Having carefully considered all the relevant facts and circumstances, the Commission takes the view that this is an appropriate case in which an Undertaking may be a… | ab5d4ad6b91d6e758a1173465c1e8c8e770a7ea2 |
| 63 | 54 54 | 1 | 1007 1007 | 29 | Metropolis Security Systems Pte Ltd | https://www.pdpc.gov.sg/undertakings/undertaking-by-metropolis-security-systems-pte-ltd | 2023-06-22 | Background In late June 2022, the Cyber Security Agency of Singapore alerted the Personal Data Protection Commission (the “Commission”) and Metropolis Security Systems Pte Ltd (the “Organisation”) that the Organisation’s files containing the personal data of 250 individuals was accessible online via an open port. The affected folder containing the personal data had been inadvertently set to public, and configured to an open port following a routine maintenance service in March 2018. As a result, the personal data of 250 individuals including their name, NRIC number, address, mobile number and bank account number was disclosed. Remedial Actions After the incident, as part of a remediation plan, the Organisation implemented the following: (a) Password-protect both sensitive and confidential documents stored centrally in its HQ Network Attached Storage folder; (b) Review the classification of information in its asset register at least once a year; (c) Ensure that its vendors/suppliers are contractually obliged to comply with the Personal Data Protection Act 2012; (d) Conduct adequate internal tests and penetration tests; and (e) Embark on ISO27001 implementation with an external consultant. Undertaking Having considered the circumstances of the case, including the remedial steps taken by the Organisation, the Commission accepted an undertaking from the Organisation to improve its compliance with the PDPA. The undertaking was executed on 27 September 2022 (the “Undertaking”). The Organisation has since updated the Commission that it has fully implemented its remediation plan. The Commission has reviewed the matter and determined that the Organisation has complied with the terms of the Undertaking. Please click here to view the Undertaking. | https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/undertakings/undertaking---metropolis-security-systems-pte-ltd.pdf | WRITTEN VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Personal Data Protection Commission or its delegates pursuant to section 48L(1) of the PDPA, by: Metropolis Security Systems Pte Ltd UEN: 201008279K Registered Address: 20 Sin Ming Lane #08-63 Midview City, Singapore (573968) (hereinafter referred to as the “Organisation”). By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. DEFINITIONS 1.1 In this Undertaking: (a) “PDPA” means the Personal Data Protection Act 2012; and (b) “Relevant Provisions” means the provisions in Parts III, IV, V, VI, VIA and IX, and section 48B(1) of the PDPA. 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) The Commission has carried out investigations into certain acts and practices of the Organisation, and has reason to believe that the Organisation has not complied, is not complying, or is likely not to comply with one or more of the Relevant Provisions. The relevant facts and circumstances are summarised at Schedule A. (b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to issue directions under sections 48I or 48J of the PDPA. (c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data Page 1 of 9 protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation appears ready to implement or is in the midst of implementing the steps set out in Schedule B. (d) Having carefully considered all the relevant facts and circumstances, the Commission takes the view that this is an appropriate case in which an Undertaking may be a… | 57d34d7cb2381cf0b9f96095a370f1160ff8cff1 |
| 64 | 55 55 | 1 | 1007 1007 | 30 | Employment and Employability Institute Pte Ltd | https://www.pdpc.gov.sg/undertakings/undertaking-by-employment-and-employability-institute-pte-ltd | 2023-07-20 | Background The Personal Data Protection Commission (the “Commission”) was notified by Employment and Employability Institute Pte. Ltd. on 25 March 2021 of a personal data breach involving its contact centre and data intermediary, i-vic International Pte. Ltd. (“i-vic). Investigations revealed that an employee of i-vic had most likely fallen prey to a phishing attack. As a result, a malicious actor successfully downloaded the personal data belonging to 31,002 individuals, from 2 email accounts belonging to the i-vic employee (the “Incident”).The personal data affected included the individuals’ partial or full NRIC, date of birth, telephone number, email address, residential address, highest qualification, and employment details. Further investigations found that i-vic had reasonable security measures in place to protect the personal data that it processes on behalf of e2i. i-vic had anti-virus protection, anti-phishing protection, regular anti-virus scans, security audits and conducted regular patches for its IT system. In fact, i-vic had existing anti-malware software which should have been able to detect the particular malware used in the Incident, but somehow failed to do so. After the Incident, i-vic purchased and deployed additional anti-malware software. Finally, the Commission found that i-vic had comprehensive policies and guidelines in place to protect personal data. While i-vic had reasonable security arrangements in place to protect the personal data it processes, the Commission established that this was entirely on i-vic’s account and not because of e2i’s bidding. e2i had failed to stipulate any specific data protection requirements on i-vic in their contract. e2i also lacked sufficiently robust processes to protect the personal data in its possession or control. i-vic produced evidence of several occasions where e2i’s employees had sent personal data to i-vic without any encryption or protection, which was against e2i’s standard operating procedures. Case No. DP-2106-B8424 A complainant alerted the Co… | https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/undertakings/undertaking---e2i-2023.pdf | WRITTEN VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Personal Data Protection Commission or its delegates pursuant to section 48L(1) of the PDPA, by: Employment and Employability Pte. Ltd. UEN: 200704772C Registered Address: 30 Cecil Street, #19-08, Prudential Tower, Singapore 049712 (hereinafter referred to as the “Organisation”). By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. DEFINITIONS 1.1 In this Undertaking: (a) “PDPA” means the Personal Data Protection Act 2012 (No. 26 of 2012); and (b) “Relevant Provisions” means the provisions in Parts III, IV, V, VI, VIA and IX, and section 48B(1) of the PDPA. 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) The Commission has carried out investigations into certain acts and practices of the Organisation, and has reason to believe that the Organisation has not complied, is not complying, or is likely not to comply with one or more of the Relevant Provisions. The relevant facts and circumstances are summarised at Schedule A. (b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, 1 including the option to issue directions under sections 48I or 48J of the PDPA. (c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation appears ready to implement or is in the midst of implementing the steps set out in Schedule B. (d) Having carefully considered all the relevant facts and circumstances, the Commission takes the view that this is an appropriate case in which an Undert… | 8ba49672281250f69c0eb861543b984da60acf48 |
| 65 | 56 56 | 1 | 1007 1007 | 31 | OG Pte Ltd | https://www.pdpc.gov.sg/undertakings/undertaking-by-og-pte-ltd | 2023-08-16 | Background On 4 January 2022, OG Private Limited (the "Organisation") received a ransom email from Desorden Group. The email claimed that Desorden Group had hacked into the Organisation and stolen personal data belonging to the Organisation's customers. The Desorden Group demanded a ransom of USD$90,000 in return for not publishing the stolen data. Investigations revealed that the threat actor had conducted a bruteforce SQL injection attack and was able to download 3 databases. 2 of these databases contained "dummy data" for internal testing while another database contained the personal data (including the name, gender, address, date of birth, email address, telephone numbers and the encrypted NRIC numbers and passwords) of approximately 276,677 individuals. The impact of the ransomware attack on the Organisation was limited as the Organisation's data intermediary, Poket Pte Ltd ("Poket") responded quickly. Within 8 minutes of receiving the security notifications that abnormal traffic had been detected, Poket shut down the affected servers and blocked access to the Organisation's databases. Remedial Actions After the incident, as part of a remediation plan, the Organisation implemented the following: (a) SQL injection prevention enhancement; (b) Streamline data storage; (c) Harden web portal security; (d) Implement annual security review; and (e) Tighten protocols for contracting with 3rd party vendors. Undertaking Having considered the circumstances of the case, the Commission accepted an undertaking from the Organisation to improve its compliance with the PDPA. The Commission accepted the undertaking after considering the security arrangements the Organisation had in place to protect the personal data of individuals in its possession or control and the promot response taken by the Organisation which mitigated the effect of the ransomeware attack. The undertaking was executed on 3 June 2022 (the "Undertaking"). The Organisation has since updated the Commission that it has fully implemented its remediatio… | https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/undertakings/undertaking---og-private-limited.pdf | WRITTEN VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Personal Data Protection Commission or its delegates pursuant to section 48L(1) of the PDPA, by: OG Private Limited UEN: 196200157H Registered Address: 60 Albert Street #05-01 (189969) OG Albert Complex, Singapore (hereinafter referred to as the “Organisation’). By signing this Undertaking, the above-named Organisation matters stated herein and undertakes to the Commission 1. DEFINITIONS 1.1 In this Undertaking: acknowledges the in the terms set out herein. (a) “PDPA” means the Personal Data Protection Act 2012; and (b) “Relevant Provisions” means the provisions in Parts Ill, IV, V, VI, VIA and IX, and section 48B(1) of the PDPA. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) |The Commission has carried out investigations into certain acts and practices of the Organisation, and has reason to believe that the Organisation has not complied, is not complying, or is likely not to comply with one or more of the Relevant Provisions. The relevant facts and circumstances are summarised at Schedule A. (b) Asaresult of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to issue directions under sections 48] or 48J of the PDPA. (c) |The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data Page 1of 11 protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation appears ready to implement or is in the midst of implementing the steps set out in Schedule B. (d) 2.2 Having carefully considered all the relevant facts and circumstances, the Commission takes the view that this is an appropriate case in which an Undertaking may be… | c902da66b580700de249cb537880e6f59b711b0d |
| 66 | 57 57 | 1 | 1007 1007 | 32 | Starbucks Coffee Singapore Pte Ltd | https://www.pdpc.gov.sg/undertakings/undertaking-by-starbucks-coffee-singapore-pte-ltd | 2023-11-10 | Background On 13 September 2022, the Personal Data Protection Commission (the “Commission”) reached out to Starbucks Coffee Singapore Pte. Ltd. (the “Organisation”) after receiving information that personal data purporting to belong to the Organisation’s customers were available for sale online. The Organisation lodged a data breach notification to the Commission on 15 September 2022 and confirmed that its customer database, managed by its data intermediary, Ascentis Pte. Ltd. (“Ascentis”), was compromised by an unknown threat actor. As a result, the personal data of approximately 332,774 individuals including their names, phone numbers, email addresses, addresses, date of birth and membership information was compromised. Investigations revealed that the personal data breach could not be directly attributed to the Organisation but had occurred due to internal lapses on Ascentis’ end. Ascentis had engaged an overseas vendor, Kyanon Digital Co. Ltd (“Kyanon”) which was based in Vietnam, to complement and be part of the development team to assist in its project implementation for the Organisation. However, Ascentis failed to implement reasonable administrative and technical measures to ensure that Kyanon was in compliance with its IT policies and standards. Remedial Actions After the incident, as part of a remediation plan, the Organisation implemented the following: (a)Requested its vendor to implement two-factor authentication and IP address restriction to access the admin portal of the customer database; (b) Reset the application programming interface as a precautionary measure; (c) Audited the processes of its vendor and require them to improve on its monitoring and security processes; (d) Reviewed its existing contracts with 3rd party vendors; and (e) Notified all affected customers. Undertaking The Commission accepted the Undertaking as it was satisfied that notwithstanding that the cause of the data breach occurred due to the internal lapses by Ascentis, the Organisation could further improve on the con… | https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/undertakings/undertaking---starbucks-coffee-singapore-pte-ltd_2023.pdf | VOLUNTARY UNDERTAKING UNDER SECTION 48L OF THE PERSONAL DATA PROTECTION ACT 2012 Case number: DP-2209-C0193 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 (“the Act”) And (1) Starbucks Coffee Singapore Pte. Ltd. (UEN No. 198800670D) … Organisation The Commission has reasonable grounds to believe that the Organisation has not complied, is not complying or is likely not to comply with section 24 of the Act. In order for the Commission to suspend its investigation pursuant to section 50(3)(ca) of the Act, the Organisation HEREBY UNDERTAKES that it will: (a) Complete the remediation plan set out at Schedule B within the timelines stated in Schedule B; and (b) Within 14 days of the completion of the remediation plan set out at Schedule B, provide the Commission with a copy of the declaration set out at Schedule C duly signed by the signatory of this Undertaking or a representative of the Organisation of equal designation. The Organisation acknowledges that the Commission shall be entitled to publish and make available to the public this Undertaking and the summary of the Commission’s findings set out at Schedule A to this Undertaking. Page 1 of 10 The terms of this Undertaking may be varied by the written agreement of the Commission and the Organisation. SIGNED, for and on behalf of ) Starbucks Coffee Singapore Pte. Ltd. ) By the following: ) Name: ______________________________________ ) Designation: _________________________________ ) Date: _______________________________________ ) Page 2 of 10 SCHEDULE A Page 3 of 10 SUMMARY OF FACTS 1. On 15 September 2022, the Commission was informed that personal data purported to be from the Organisation’s Singapore customers were available on the dark web. 2. Investigation revealed that the above-mentioned personal data were indeed from the Organisation’s customer database and this database were handled by Ascentis Pte. Ltd (“Ascentis”), an external vendor contracted to provide IT solutions since year 2014. 3. … | a7e25ffd679fc1b3fbc8cfe017c185af3c07768f |
| 67 | 58 58 | 1 | 1007 1007 | 33 | AEM Holdings Ltd | https://www.pdpc.gov.sg/undertakings/undertaking-by-aem-holdings-ltd | 2023-12-14 | Background The Personal Data Protection Commission (the "Commission") was notified by AEM Holdings Ltd. ("AEM") on 1 July 2022 of a personal data breach involving the unauthorised access and exfiltration of personal data. Investigations revealed that a malicious actor had likely obtained initial access to AEM's IT environment through a virtual private network ("VPN") applianced owned, controlled, and maintained by its vendor. The VPN appliance had contained a known critial exploit, as the vendor had not updated it. The malicious actor had likely made use of the critical exploit to obtain the VPN credentials and session information. The malicious actor successfully deployed ransomeware, encrypting and/or exfiltrating the personal data of 18,135 individuals (the "Incident"). The personal data affected included their identification numbers, personal contact information, employee status, salary, leave records, date of birth, race, religion, COVID-19 test results, body temperatures for COVID-19 measures, vaccination information, list of shareholders, employee bank account numbers, profile photographs, and fingerprints. Remedial Actions After the incident, as part of a remediation plan, AEM put in place the following measures: (a) Implemented a third-party vendor cybersecurity risk management policy; (b) Implemented standard contractual clauses for contracting with third-party vendors; (c) Implemented regular cybersecurity reviews; and (d) Reviewed and enhanced its data classification policy. The Commission was also satisfied with the additional actions undertaken by AEM. Undertaking Having considered the circumstances of the case, the Commission accepted an undertaking from AEM to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 2 May 2023 (the "Undertaking"). The Commission accepted the Undertaking having considered the number of affected individuals, the types of personal data involved and the impact of the Incident. Accepting the Undertaking was also consiste… | https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/undertakings/undertaking---aem-holdings-ltd.pdf | VOLUNTARY UNDERTAKING UNDER SECTION 48L OF THE PERSONAL DATA PROTECTION ACT 2012 Case number: DP-2207-9942 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 (“the Act”) And (1) AEM Holdings Ltd. (UEN No. 200006417D) … Organisation The Commission has reasonable grounds to believe that the Organisation has not complied, is not complying or is likely not to comply with section 24 of the Act. In order for the Commission to suspend its investigation pursuant to section 50(3)(ca) of the Act, the Organisation HEREBY UNDERTAKES that it will: (a) Complete the remediation plan set out at Schedule B within the timelines stated in Schedule B; and (b) Within 14 days of the completion of the remediation plan set out at Schedule B, provide the Commission with a copy of the declaration set out at Schedule C duly signed by the signatory of this Undertaking or a representative of the Organisation of equal designation. The Organisation acknowledges that the Commission shall be entitled to publish and make available to the public this Undertaking and the summary of the Commission’s findings set out at Schedule A to this Undertaking. Page 1 of 8 The terms of this Undertaking may be varied by the written agreement of the Commission and the Organisation. SIGNED, for and on behalf of ) AEM Holdings Ltd. ) By the following: ) Name: ______________________________________ ) Designation: _________________________________ ) Date: _______________________________________ ) Page 2 of 8 SCHEDULE A Page 3 of 8 SUMMARY OF FACTS 1. On 1 July 2022, the PDPC was informed by the Organisation about the deployment of ransomware on its network. 2. As a result, the personal data of 18,135 individuals including their names, personal contact information, identification numbers, employment records, date of birth, race, religion, COVID-19 test results and vaccination information, shareholding information, employee bank account number, profile photographs and fingerprints were encrypted and/or exf… | 3f803fa056cb3958fe38b7c024550a1cd44acec5 |
| 68 | 59 59 | 1 | 1009 1009 | 34 | Low Keng Huat (Singapore) Ltd | https://www.pdpc.gov.sg/undertakings/undertaking-by-low-keng-huat-ltd | 2024-02-22 | Background The Personal Data Protection Commission (the “Commission”) was notified by Low Keng Huat (Singapore) Limited (“LKHS”) on 4 July 2023 of a personal data breach involving the unauthorised access and exfiltration of personal data. Investigations revealed that a malicious actor had gained initial access to LKHS's IT environment remotely. The firewall was not configured and therefore unable to block malicious traffic. The vendor was responsible for managing the firewall system, and no testing was conducted before the system went live after an upgrade. As a result, server logs were missing during that period, and security threat protection was not enabled in the system. The malicious actor likely exploited a critical vulnerability to obtain LKHS's workstation credentials and compromise email accounts. The malicious actor successfully deployed ransomware, encrypting and/or exfiltrating the personal data of 1,400 individuals (the “Incident”). The personal data affected included their personal contact information, emails, IC and passport scans, date of birth, sale and purchase agreements, and option to purchase documents. LKHS has been conducting monitoring and has not found any evidence to suggest that the personal data affected in the incident has been misused. Remedial Actions After the Incident, as part of a remediation plan, LKHS put in place the following measures: (a) Patched all software and outdated firmware. (b) Updated and completed all IT hardware and software asset lists. (c) Implemented clear vendor management and account responsibilities processes. (d) Reviewed and resolved firewall issues and eliminated the need for VPN. (e) Implemented strong security settings for servers and updated all workstations with endpoint protection. (f) Implemented 2FA and more stringent password policies. (g) All LKHS’s accounts have undergone a successful security audit, with evidence of log file visibility. (h) Scheduled a yearly cybersecurity and IT training for all staff. (i) Implemented new softw… | https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/undertakings/undertaking---low-keng-huat-ltd.pdf | VOLUNTARY UNDERTAKING UNDER SECTION 48L OF THE PERSONAL DATA PROTECTION ACT 2012 Case number: DP-2308-C1305 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 (“the Act”) And (1) Low Keng Huat (Singapore) Limited (UEN No. 196900209G) … Organisation The Commission has reasonable grounds to believe that the Organisation has not complied, is not complying or is likely not to comply with section 24 of the Act. In order for the Commission to suspend its investigation pursuant to section 50(3)(ca) of the Act, the Organisation HEREBY UNDERTAKES that it will: (a) Complete the remediation plan set out at Schedule B within the timelines stated in Schedule B; and (b) Within 14 days of the completion of the remediation plan set out at Schedule B, provide the Commission with a copy of the declaration set out at Schedule C duly signed by the signatory of this Undertaking or a representative of the Organisation of equal designation. The Organisation acknowledges that the Commission shall be entitled to publish and make available to the public this Undertaking and the summary of the Commission’s findings set out at Schedule A to this Undertaking. Page 1 of 12 The terms of this Undertaking may be varied by the written agreement of the Commission and the Organisation. SIGNED, for and on behalf of ) Low Keng Huat (Singapore) Limited ) By the following: ) Name: ______________________________________ ) Designation: _________________________________ ) Date: _______________________________________ ) Page 2 of 12 SCHEDULE A Page 3 of 12 SUMMARY OF FACTS 1. On 31 July 2023, PDPC was notified by Low Keng Huat (Singapore) Limited (“LKHS”) of a data security incident on 4 July 2023 involving ransomware encryption and possibly data exfiltration. LKHS staff had reported being unable to access the Organisation’s workstations. 2. As a result, the personal data of 1,400 individuals including their names, addresses, personal email addresses, telephone numbers, NRIC numbers, passport n… | 2acd6b8fce9caed3a0f1615035c5c365f7429d93 |
| 69 | 59 59 | 2 | 1010 1010 | Background The Personal Data Protection Commission (the “Commission”) was notified by Low Keng Huat (Singapore) Limited (“LKHS”) on 4 July 2023 of a personal data breach involving the unauthorised access and exfiltration of personal data. Investigations revealed that a malicious actor had gained initial access to LKHS's IT environment remotely. The firewall was not configured and therefore unable to block malicious traffic. The vendor was responsible for managing the firewall system, and no testing was conducted before the system went live after an upgrade. As a result, server logs were missing during that period, and security threat protection was not enabled in the system. The malicious actor likely exploited a critical vulnerability to obtain LKHS's workstation credentials and compromise email accounts. The malicious actor successfully deployed ransomware, encrypting and/or exfiltrating the personal data of 1,400 individuals (the “Incident”). The personal data affected included their personal contact information, emails, IC and passport scans, date of birth, sale and purchase agreements, and option to purchase documents. LKHS has been conducting monitoring and has not found any evidence to suggest that the personal data affected in the incident has been misused. Remedial Actions After the Incident, as part of a remediation plan, LKHS put in place the following measures: (a) Patched all software and outdated firmware. (b) Updated and completed all IT hardware and software asset lists. (c) Implemented clear vendor management and account responsibilities processes. (d) Reviewed and resolved firewall issues and eliminated the need for VPN. (e) Implemented strong security settings for servers and updated all workstations with endpoint protection. (f) Implemented 2FA and more stringent password policies. (g) All LKHS’s accounts have undergone a successful security audit, with evidence of log file visibility. (h) Scheduled a yearly cybersecurity and IT training for all staff. (i) Implemented new softw… | 31263d3dd4009e97876613f45f97ea85fc3d9c2b | ||||||
| 70 | 60 60 | 1 | 1011 1011 | 35 | Moncler Singapore Pte Ltd | https://www.pdpc.gov.sg/undertakings/undertaking-by-moncler-singapore-pte-ltd | 2024-03-21 | Background The Personal Data Protection Commission (the “Commission”) was notified by Moncler Singapore Pte. Limited (“Moncler”) on 24 February 2022 of a personal data breach involving the unauthorised access and exfiltration of personal data. Investigations revealed that a malicious actor had utilised a sophisticated ransomware-as-a-service against Moncler’s corporate environments, possibly by using compromised credentials, vulnerability exploits, or spear-phishing. However, the exact cause of the breach could not be determined. The malicious actor successfully deployed ransomware, encrypting and exfiltrating the personal data of 8,570 individuals (the “Incident”). The personal data affected included the name, date of birth, contact information, and purchase data of 8,561 customers, and the name, date of birth, contact information and payroll data of 9 employees. Remedial Actions After the Incident, as part of a remediation plan, Moncler put in place the following measures: (a) Enhancing current cybersecurity training and awareness capabilities; (b) Extending and refining Business Impact Analysis; (c) Reviewing and improving its identity governance and access management solutions; (d) Reviewing the security posture of the servers; (e) Formalizing the application of its Vulnerability Management Process; (f) Formalizing an IT Asset Management Program; (g) Performing network security assessments; (h) Improving Security Operation Center capabilities; and (i) Implementing a configuration management database solution. The Commission was satisfied with the remedial actions undertaken by Moncler. Undertaking Having considered the circumstances of the case, the Commission accepted an undertaking from Moncler to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 29 June 2022 (the “Undertaking”). The Commission accepted the Undertaking having considered the number of affected individuals, the types of personal data involved and the impact of the Inciden… | https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/undertakings/undertaking---moncler-singapore-pte-ltd.pdf | WRITTEN VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Personal Data Protection Commission or its delegates pursuant to section 48L(1) of the PDPA, by: Moncler Singapore Pte. Limited UEN: 201531580G Registered Address: 135 Cecil Street, #10-01, Philippine Airlines Building, Singapore 069536 (hereinafter referred to as the “Organisation”). By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. DEFINITIONS In this Undertaking: (a) “PDPA” means the Personal Data Protection Act 2012; and (b) “Relevant Provisions” means the provisions in Parts III, IV, V, VI, VIA and IX, and section 48B(1) of the PDPA. 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) The Commission has carried out investigations into certain acts and practices of the Organisation, and has reason to believe that the Organisation has not complied, is not complying, or is likely not to comply with one or more of the Relevant Provisions. The relevant facts and circumstances are summarised at Schedule A. (b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to issue directions under sections 48I or 48J of the PDPA. (c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data Page 1 of 8 protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation appears ready to implement or is in the midst of implementing the steps set out in Schedule B. (d) Having carefully considered all the relevant facts and circumstances, the Commission takes the view that this is an appropriate case in which an Undertaking ma… | f5f37a9788543a7c41ed6711fe11f98272f30c2c |
| 71 | 35 35 | 2 | 1012 1012 | Background The Personal Data Protection Commission (the “Commission”) received a data breach notification on 24 July 2019 from Employment & Employability Institute Pte Ltd (“e2i”). e2i had disclosed personal data of its jobseekers via an email (“Email”) sent erroneously to one external party. The aforesaid personal data was contained in an Excel Spreadsheet (“Spreadsheet”) attached to the Email. The Spreadsheet contained the name, NRIC number, email address, date of birth, citizenship, race, gender, qualifications and employer name of 101 jobseekers. Additionally, 24 sets of actual salary information and 77 sets of desired salary information belonging to the same 101 jobseekers were also disclosed. It was established that the inadvertent disclosure occurred due to an e2i employee selecting the wrong recipient from the dropdown list. The Email was meant for an internal colleague. However, as the external party bore the same first name as the internal colleague, the wrong recipient was picked. Remedial Actions e2i communicated with the external party to delete the Email and the Spreadsheet. Additionally, e2i reminded all employees to password protect all files containing personal data for both internal and external correspondence. Guidelines on protecting personal data were also emailed to all employees. Voluntary Undertaking The Commission considered the circumstances of the case and accepted an undertaking from e2i to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 15 November 2019 (the “Undertaking”). The Undertaking provides that e2i was to: (a)review its procedures for the sending of internal and external correspondences including emails which contain personal data of its jobseekers by all relevant employees; (b)review the training of employees involved in correspondences that may comprise or touch on the personal data of jobseekers on how to handle and protect the data adequately; (c)propose an implementation plan for fulfilling the above; (d)once the … | adda4261566bbd7d92a288a82e20c34304f2d84f | ||||||
| 72 | 61 61 | 1 | 1013 1013 | 36 | Yayasan Mendaki | https://www.pdpc.gov.sg/undertakings/undertaking-by-yayasan-mendaki | 2024-04-22 | Background On 27 October 2022, Personal Data Protection Commission (the “Commission”) received a data breach notification from Yayasan Mendaki (the “Organisation”) informing that its on-premises VMWare ESXi servers were encrypted by a ransomware (the “Incident”). As a result of the Incident, the personal data of approximately 72,917 individuals, including their names, NRIC numbers, date of birth, phone numbers, email addresses and bank account details were encrypted and rendered inaccessible. A total of 2.7TB of data was also exfiltrated from YM’s servers but could not be confirmed to have contained any personal data. Dark Web monitoring did not indicate any exfiltrated data being published or put up for sale. Investigation revealed that the Organisation had failed to remove the internet connectivity of a decommissioned web server. The threat actor(s) was believed to have exploited the vulnerabilities of the unpatched web server and then moved laterally to the other servers. Remedial Actions Upon discovering the incident, the Organisation immediately took the following actions: (a) Disconnected the on-premises network from the internet; and (b) Reset all user account passwords and performed a reset of the KRBTGT account. The Organisation also notified all potentially affected individuals of the Incident. Undertaking Having considered the circumstances of the case, including the remedial steps taken by the Organisation, the Commission accepted a voluntary undertaking on 23 May 2023 (the “Undertaking”) from the Organisation to improve its compliance with the Personal Data Protection Act 2012 (“PDPA”). The Commission accepted the Undertaking after considering that the Organisation is a self-help group targeted at uplifting the Malay/Muslim community in Singapore, and the scale and potential impact of the Incident. Even though the Organisation’s servers and personal data had been encrypted, Dark Web monitoring did not indicate any exfiltrated data being published or put up for sale and if the exfiltrated data contain… | https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/undertakings/undertaking---yayasan-mendaki.pdf | VOLUNTARY UNDERTAKING UNDER SECTION 48L OF THE PERSONAL DATA PROTECTION ACT 2012 Case number: DP-2210-C0365 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 (“the Act”) And (1) Yayasan Mendaki (UEN No. 198902633C) … Organisation The Commission has reasonable grounds to believe that the Organisation has not complied, is not complying or is likely not to comply with section 24 of the Act. In order for the Commission to suspend its investigation pursuant to section 50(3)(ca) of the Act, the Organisation HEREBY UNDERTAKES that it will: (a) Complete the remediation plan set out at Schedule B within the timelines stated in Schedule B; and (b) Within 14 days of the completion of the remediation plan set out at Schedule B, provide the Commission with a copy of the declaration set out at Schedule C duly signed by the signatory of this Undertaking or a representative of the Organisation of equal designation. The Organisation acknowledges that the Commission shall be entitled to publish and make available to the public this Undertaking and the summary of the Commission’s findings set out at Schedule A to this Undertaking. Page 1 of 9 The terms of this Undertaking may be varied by the written agreement of the Commission and the Organisation. SIGNED, for and on behalf of ) Yayasan Mendaki ) By the following: ) Name: ______________________________________ ) Designation: _________________________________ ) Date: _______________________________________ ) Page 2 of 9 SCHEDULE A Page 3 of 9 SUMMARY OF FACTS 1. On 27 October 2022, the PDPC was informed that the Organisation’s servers were encrypted by a ransomware attack. Preliminary investigation had revealed that only the on-premises network was affected while the cloud infrastructure was not affected. 2. After conducting forensic investigation, the Organisation discovered that approximately 2.7TB of data had been exfiltrated from a virtual file server. However, the contents of the exfiltrated data could not be dete… | 43c7712717e295dee43f8537babefc373cc9ae5a |
| 73 | 62 62 | 1 | 1013 1013 | 37 | Sunray Woodcraft Construction Pte Ltd | https://www.pdpc.gov.sg/undertakings/undertaking-by-sunray-woodcraft-construction-pte-ltd | 2024-04-22 | Background The Personal Data Protection Commission (the “Commission”) was notified by Sunray Woodcraft Construction Pte. Ltd. (the “Organisation” or “SWCPL”) on 11 May 2023 of a personal data breach involving the unauthorised access and exfiltration of personal data (the “Incident”). Investigations revealed that a malicious actor had utilised a ransomware-as-a-service against SWCPL’s corporate environments, by exploiting vulnerabilities or using compromised credentials. While the exact cause of the breach could not be determined, the malicious actor encrypted the Organisation’s files containing the personal data of 2,130 individuals who were the Organisation’s current or ex-employees or who had previously sought employment with the Organisation. The types of personal data affected included the name, address, NRIC number, passport number, date of birth, contact information, photographs, and payroll information. In addition, for 689 individuals out of the 2130 individuals affected, their personal email address was also affected. Remedial Actions Upon discovery of the Incident, SWCPL had taken prompt remedial actions including tightening the access controls to sensitive system interfaces, updating the latest patches to the firewall, strengthening the firewall rules, resetting the privileged accounts and passwords, and deploying an Endpoint Detection and Response software to continuously monitor end-user devices within its network. Undertaking Having considered the circumstances of the case, the Commission accepted a voluntary undertaking (the “Undertaking”) from SWCPL to improve its compliance with the Personal Data Protection Act 2012. The Undertaking was executed on 25 October 2023. As part of the Undertaking, SWCPL implemented the following: (a) Engaged Telstra Singapore for Cyber Detection and Response services to manage and oversee its IT environment; (b) Implemented risk assessments on any changes towards its environment to identify the potential impacts and minimize risks; (c) Transmit and retain logs for 90… | https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/undertakings/undertaking---sunray-woodcraft-construction-pte-ltd.pdf | VOLUNTARY UNDERTAKING UNDER SECTION 48L OF THE PERSONAL DATA PROTECTION ACT 2012 Case number: DP-2305-C1003 In the matter of an investigation under section 50(1) And (1) Sunray Woodcraft Construction Pte Ltd (UEN No. 198703016K) Organisation The Commission has reasonable grounds to believe that the Organisation has not complied, is not complying or is likely not to comply with section 24 of the Act. In order for the Commission to suspend its investigation pursuant to section 50(3)(ca) of the Act, the Organisation HEREBY UNDERTAKES that it will: (a) Complete the remediation plan set out at Schedule B within the timelines stated in Schedule B; and (b) Within 14 days of the completion of the remediation plan set out at Schedule B, provide the Commission with a copy of the declaration set out at Schedule C duly signed by the signatory of this Undertaking or a representative of the Organisation of equal designation. The Organisation acknowledges that the Commission shall be entitled to publish and findings set out at Schedule A to this Undertaking. Page 1 of 13 The terms of this Undertaking may be varied by the written agreement of the Commission and the Organisation. SIGNED, for and on behalf of ) Sunray Woodcraft Construction Pte Ltd ) By the following: ) Name: ______________________________________ ) Designation: _________________________________ ) Date: _______________________________________ ) Page 2 of 13 SCHEDULE A Page 3 of 13 SUMMARY OF FACTS 1. On 11 May 2023, the PDPC was notified by Sunray Woodcraft Construction Pte Ltd SWCPL of a ransomware attack on its servers on or about 25 April 2023 causing loss of access to IT systems and encryption of files with personal data. 2. As a result, the personal data of 2,130 individuals including their names, addresses, personal email addresses (in respect of 689 individuals), telephone numbers, NRIC numbers, passport numbers, photographs, dates of birth, bank account numbers and salary information was affected. 3. To prevent a recurrence of a similar … | 96dcbf886a997c56857805ee9335ab6df1d37840 |
| 74 | 63 63 | 1 | 1013 1013 | 38 | Success Human Resource Centre Pte Ltd | https://www.pdpc.gov.sg/undertakings/undertaking-by-success-human-resource-centre-pte-ltd | 2024-04-22 | Background The Personal Data Protection Commission (the “Commission”) received a complaint about a personal data breach involving Success Human Resource Centre Pte Ltd (the “Organisation”) on 30 May 2023. The complainant informed the Commission that he was able to access the Organisation’s attendance tracking system, which disclosed the names and mobile numbers of other individuals, by manipulating the numerical suffix of the Organisation’s webpage URL (the “Incident”). About 30,000 individuals were potentially affected. Investigations revealed that the cause of the breach was due to inadequate web disk space on the webhost and unaddressed errors in the coding script. Upon being alerted, the Organisation immediately took down the URL. Undertaking Having considered the circumstances of the case, the Commission accepted a voluntary undertaking (the “Undertaking”) from the Organisation to improve its compliance with the Personal Data Protection Act 2012. The Undertaking was executed on 11 September 2023. As part of the Undertaking, the Organisation put in place the following measures: (a) Fixed all coding flaws and structural issues on the system. (b) Upgraded the web disk space and implemented 2FA. (c) Implemented best practices for secure Identity Access Management (IAM). (d) Implemented clear vendor management and account responsibilities processes. (e) Developed a vulnerability disclosure policy and established a clear process for incident management The Commission was satisfied with and accepted the Undertaking having considered the number of affected individuals, the types of personal data involved and the impact of the Incident. Accepting the Undertaking was also consistent with the Commission’s practice with respect to other personal data breaches similar to the one that affected the Organisation. The Organisation has since updated the Commission that it has completed the implementation of its remediation plan. The Commission has reviewed the matter and is satisfied that the Organisation has complied with t… | https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/undertakings/undertaking---success-human-resource-centre-pte-ltd.pdf | VOLUNTARY UNDERTAKING UNDER SECTION 48L OF THE PERSONAL DATA PROTECTION ACT 2012 Case number: DP-2305-C1080 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 (“the Act”) And (1) Success Human Resource Centre Pte Ltd (UEN No. 200516727R) … Organisation The Commission has reasonable grounds to believe that the Organisation has not complied, is not complying or is likely not to comply with section 24 of the Act. In order for the Commission to suspend its investigation pursuant to section 50(3)(ca) of the Act, the Organisation HEREBY UNDERTAKES that it will: (a) Complete the remediation plan set out at Schedule B within the timelines stated in Schedule B; and (b) Within 14 days of the completion of the remediation plan set out at Schedule B, provide the Commission with a copy of the declaration set out at Schedule C duly signed by the signatory of this Undertaking or a representative of the Organisation of equal designation. The Organisation acknowledges that the Commission shall be entitled to publish and make available to the public this Undertaking and the summary of the Commission’s findings set out at Schedule A to this Undertaking. Page 1 of 12 The terms of this Undertaking may be varied by the written agreement of the Commission and the Organisation. SIGNED, for and on behalf of ) Success Human Resource Centre Pte Ltd ) By the following: ) Name: ______________________________________ ) Designation: _________________________________ ) Date: _______________________________________ ) Page 2 of 12 SCHEDULE A Page 3 of 12 SUMMARY OF FACTS 1. On 30 May 2023, PDPC was notified by a complainant stated that the Organisation’s URL on the Attendance Tracking System can be manipulated to gain access to the PDF documents containing personal data of other individuals. 2. As a result, the personal data of approximately 30,000 individuals including their names and phone numbers was exposed. 3. To prevent a recurrence of a similar incident, the Organisation took i… | 8a84730604900564e91af813e083d86b5b1fb43c |
Advanced export
JSON shape: default, array, newline-delimited, object
CREATE TABLE [pdpc_undertakings_version] ( [_id] INTEGER PRIMARY KEY, [_item] INTEGER REFERENCES [pdpc_undertakings]([_id]), [_version] INTEGER, [_commit] INTEGER REFERENCES [commits]([id]), [id] TEXT, [organisation] TEXT, [url] TEXT, [timestamp] TEXT, [description] TEXT, [pdf-url] TEXT, [pdf-content] TEXT, [_item_full_hash] TEXT );