pdpc_undertakings_version: 8
This data as json
| _id | _item | _version | _commit | id | organisation | url | timestamp | description | pdf-url | pdf-content | _item_full_hash |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 8 | 8 | 1 | 1002 | 8 | Seafront Support Company Pte Ltd | https://www.pdpc.gov.sg/Undertakings/Undertaking-by-Seafront-Support-Company-Pte-Ltd | 2021-06-10 | Background The Personal Data Protection Commission (the “Commission”) received a data breach notification on 17 July 2020 from Seafront Support Company Pte. Ltd. (“Seafront Support”) informing that a ransomware attack had rendered data on its server inaccessible. The personal data of approximately 400 to 500 individuals was lost in the incident. The affected datasets comprised the affected individuals’ full name, last 3 digits and checksum of their NRIC number, passport number, last 3 digits and checksum of their FIN number, first 5 digits of their work permit number, address, date of birth, salaries and/or CPF payment details. It was established that Seafront Support had not implemented adequate security measures to protect the personal data in the server at the time of the incident. Seafront Support did not have a dedicated IT department to monitor and manage its IT system, including the server which had not been patched regularly. Seafront Support’s staff were also not well-informed of safe IT practices. Remedial Actions After the incident, as part of a remediation plan, Seafront Support: (a) engaged an external IT consultant to manage its IT system; (b) conducted an audit of Seafront Support’s entire IT system and made improvements to harden its IT system; (c) developed and implemented an IT security policy; (d) conducted meetings and sent periodic email reminders on safe IT practices to increase staff awareness on cybersecurity issues; and (e) instructed staff to back-up their files daily on separate cloud-based storage. Undertaking Having considered the circumstances of the case, including the remedial steps taken by Seafront Support to improve its personal data protection practices, the Commission accepted an undertaking from Seafront Support to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 15 December 2020 (the “Undertaking”). The Undertaking provided that Seafront Support was to complete the implementation of its remediation plan by upgrading its firewall to strengthen protection of its IT system. Seafront Support has since updated the Commission that implementation of its remediation plan has been completed. The Commission has reviewed the matter and determined that Seafront Support has complied with the terms of the Undertaking. Please click here to view the Undertaking. | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Undertakings/Undertaking---Seafront.pdf | VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Info-communications Media Development Authority designated as the Personal Data Protection Commission under section 5(1) of the PDPA (hereinafter referred to as the “Commission”), by: Seafront Support Company Pte. Ltd. UEN: 201106511C Registered Address: 102E, Pasir Panjang Road, #02-08, Citilink Warehouse Complex, Singapore 118529 (hereinafter referred to as the “Organisation”). By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. DEFINITIONS 1.1 In this Undertaking: (a) “Commission’s Letter” means the letter dated 25 November 2020 from the Commission to the Organisation, concerning its investigation under the PDPA, including the appendices thereto; (b) “Data Protection Provisions” means the provisions in Parts III to VI of the PDPA; and (c) “PDPA” means the Personal Data Protection Act 2012 (No. 26 of 2012). 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) As referenced in the Commission’s Letter, the Commission has carried out investigations into certain acts and practices of the Organisation, which potentially infringe one or more of the Data Protection Provisions. (b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to give a direction under section 29 of the PDPA. Page 1 of 6 (c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation is already implementing the remediation plan set out in clause 3 below. (d) Having carefully considered all the relevant facts and circumstances, the Commission takes the view that this is an appropriate case in which an Undertaking may be accepted. 2.2 The Organisation also acknowledges and agrees that the Commission may publish and make publicly available this Undertaking (which to avoid doubt, includes the Commission’s Letter), and without limitation to the foregoing, the Commission may issue public statements referring to this Undertaking and/or its contents in whole or in part. 3. UNDERTAKINGS 3.1 The Organisation undertakes that it has taken, or will take all necessary steps to implement its remediation plan, namely, to carry out the actions referred to in Schedule A in accordance to the stipulated timelines. 3.2 In addition, the Organisation undertakes to provide, and will ensure that it provides all necessary assistance that the Commission may require to verify the completion of the Organisation’s remediation plan in accordance with Schedule A referred to in clause 3.1, including (without limitation) granting the Commission and its representatives physical access to the Organisation’s premises, providing information and documentation to the Commission, and arranging for meetings and/or interviews with the Organisation’s staff, contractors and/or consultants. 4. COMMENCEMENT 4.1 This Undertaking shall take effect upon the acceptance by the Commission of the Organisation’s duly executed Undertaking. 5. THE COMMISSION’S STATUTORY POWERS 5.1 In order to provide the Organisation with an opportunity to complete all necessary steps to implement its undertakings set out in clause 3 above, the Commission will exercise its powers under section 50(3) of the PDPA to Page 2 of 6 suspend the investigations referred to in clause 2 on the date the Undertaking takes effect as set out in clause 4.1. 5.2 The Organisation acknowledges that the Commission will verify the Organisation’s compliance with its undertakings set out in clause 3 above. 5.3 Clause 5.1 above shall be without prejudice to the Commission’s statutory powers to conduct or resume, at any time, the investigations referred to in clause 2 above if it thinks fit, including but not limited to the situation where the Organisation fails to comply with this Undertaking or part thereof in relation to any matter. 5.4 Nothing in this Undertaking, including the Commission’s acceptance of the Undertaking, is intended to, or shall, fetter or constrain the Commission’s rights and statutory powers (including but not limited to those under section 29 and section 50 of the PDPA) in any manner. Neither shall be construed as creating any anticipation or expectation that the Commission will take or not take any particular course of action in the future (whether in the present case or in respect of any other case concerning a breach or suspected breach of the PDPA). The acceptance of this Undertaking is strictly confined to the particular facts of the present case, and is made on the basis of the representations and information provided by the Organisation. The acceptance of an Undertaking in this case shall not be construed as establishing any precedent. 6. VARIATION 6.1 This Undertaking may be varied only with the express written agreement of the Commission. This document has been electronically signed by Info-communications Media Development Authority and Seafront Support Company Pte. Ltd.. The Parties hereby affirm that the electronic signatures have been affixed with the due authorisation of each Party and that Parties intend for the electronic signatures to carry the same weight, effect and meaning as hand-signed wet-ink signatures. Page 3 of 6 SIGNED, for and on behalf of ) Seafront Support Company Pte. Ltd. ) By the following: ) Name: ______________________________________ ) Designation: _________________________________ ) Date: _______________________________________ ) ACCEPTED, for and on behalf of ) Personal Data Protection Commission ) By the following: ) Yeong Zee Kin Name: ____________________________ ) Designation: for Commissioner for Personal Data Protection ) Date: _______________________________________ ) Page 4 of 6 SCHEDULE A Causes of Incident Remediation Plan 1 QNAP NAS VPN services left Discontinue business turned on by the previous IT relationship with the previous consultant. One of the many IT consultant. possible causes that the NAS had been hacked might be due to the assignment of VPN access during the Circuit Breaker. Target Completion Completed 2 No dedicated IT department or consultant to monitor and manage IT system. To engage the services of the external IT management to manage Seafront Support Company’s entire IT system. Completed 3 Improvement of IT system. To audit IT system and implement recommendations to harden IT system: Completed i. Antivirus management (ESET Endpoint Antivirus) and monitoring programs to be installed in all workstations. ii. To adopt M365 to work and share files. iii. Secure all user access levels, tighten all workstation/server weak points and secure network services. The NAS access from the outside had been removed. Also the WIFI is on WPA2 protocol which is less vulnerable to be hacked from outside. iv. Switch email system to Microsoft 365 Exchange Online for better security. Page 5 of 6 v. Procure 7 new workstations to support the above implementations. vi. To upgrade firewall to Fortigate UTM - Package (FG-60E) (PSG’s granted approved). Target completion by 31/11/2020 4 QNAP device’s patches not updated regularly Develop and implement an IT security policy or guideline. Completed 5 Staff not well-informed of safe IT practices (they might have click on malicious links from email or website) Conduct meetings with staff to inform and remind them the seriousness of the incident, the safe IT practices, and prevention. Completed Send periodic email reminders to staff on safe IT practices. Completed 6 Back-up drive stored in same server Instructed employees to back up Completed their files daily on their One drive. Page 6 of 6 | 1dc240b00d7495692705e5eca54021fd2ccba1c2 |
Links from other tables
- 7 rows from item_version in pdpc_undertakings_changed