The April 2022 PDPC Incidents and Undertaking decision of the Personal Data Protection Commission (PDPC) have been published on PDPC’s official website. For this month, three (3) cases have been issued covering the financial penalties of Trinity Christian Centre and GeniusU, and the Directions given to ACL Construction (S).
It should be noted that the Personal Data Protection Act (PDPA) aims to balance the organizations’ needs to use data for legitimate purposes with the protection of individuals’ personal information as it is tasked with the administration and enforcement.
In doing so, the decisions conducted by PDPC are published on their website, which is open to all who want to read the latest data security standards set by the PDPC. With this, for the better observance of organizations with such standards, it is their duty to be kept updated with the latest PDPC incident and undertakings.
Let’s have a look at the April 2022 case with the latest cybersecurity updates to date.
Also Read: March 2022 PDPC Incidents and Undertaking
April 21: GeniusU’s breach of the Data Protection Obligations
Our first case of PDPC incidents and undertaking involves GeniusU. The PDPC was notified on January 12, 2021, that there was unauthorized access and exfiltration of a staging application database holding personal data. This affected approximately 1.26 million users, compromising their last names, locations, email addresses, and their last sign-in IP address.
Upon investigation conducted by the organization, it was found out that the breach was likely caused by a compromised developer password, either because it was weak for his GitHub account or his GitHub account was compromised.
This then allowed the bad actor to enter the organization’s GitHub environment and was able to gain access to and exfiltrate the personal data stored in the Database.
With this Incident, GeniusU was made to pay a financial penalty of S$35,000 for breaching the data protection obligation and for failure to make reasonable security arrangements to ensure that the passwords are kept secure and free from any access to bad actors.
We can get from this case the importance of appointing a DPO who is responsible for ensuring that an organization complies with the PDPA and making sure that it has healthy cybersecurity hygiene. One of the jobs of a DPO is to ensure that passwords are not easily guessed by scanning any possible vulnerabilities that they may have and patching them as soon as possible so that they will not be exploited.
April 21: Trinity Christian Centre’s breach of the Data Protection Obligations
Our second case of PDPC incidents and undertaking involves Trinity Christian Centre. The PDPC was notified on March 11, 2021, that its database servers containing personal data were infected with ransomware.
The database servers housed the data of 72,285 individuals at the time of the Incident. Each individual’s data were impacted differently and at times included their name, full identification number, residential address, contact number, email address, photograph, date of birth, age, marital status, education level, and description of a medical condition.
Upon the investigation done by the organization, it was revealed that it maintained an open and publicly exposed remote desktop protocol port. This was how the bad actor had access to the compromised administrator account credentials and was able to enter the organization’s network and database server, leading to the execution of the ransomware attack.
With this Incident, Trinity Christian Centre was made to pay a financial penalty of S$20,000 for breaching the data protection obligation and for failure to make reasonable security arrangements to ensure that safeguards are placed so that a ransomware infestation will not result in the future.
This decision also undertakes the importance of appointing a DPO to ensure that there is no vulnerability present in the organization’s networks and servers. It is under the DPO’s scope of work to ensure that the vulnerabilities present are patched up so that threat actors will not exploit them.
April 2022 PDPC Incidents and Undertaking: ACL Construction (S)
Completing this month’s published decisions is the case of ACL Construction (S), where the PDPC directed the organization to develop and implement policies and practices to comply with the provisions of the PDPA and put in place a program of compulsory training for employees of ACL on compliance with the PDPA when handling personal data after its data was offered for sale in the dark web by one “Prometheus.”
Luckily, the affected data, such as the names, business contact numbers, and business emails, were not provided by the individuals concerned for a personal purpose; they would constitute “business contact information” as defined under the Personal Data Protection Act.
This would mean that it falls outside the scope of the PDPA. With this, although the organization suffered a data breach, no personal data was in fact affected. This would have been enough the matter to a close, but it was found out that the organization failed to appoint a Data Protection Officer (DPO) to oversee that it complies with the PDPA.
Under the PDPA, all Organizations are required to appoint a DPO to ensure that they will have healthy cybersecurity hygiene. With this, since there was a failure on the part of ACL to appoint a DPO, it would have been made to pay a financial penalty.
Luckily, the PDPC reconsidered that instead of imposing a hefty fine, it only gave directions for the organization to follow, bearing in mind the Organisation’s low level of awareness of its obligations under the PDPA.
This case highlights the importance of appointing a DPO as it is required under the PDPA. This gives us an idea that failure in doing so would result in a hefty financial penalty from the PDPC. While it is true that ACL Construction was not made to pay a fine in this case, without the mitigating circumstancing, the PDPC would’ve still imposed a fine even though the breached data was not personal.
Also Read: February 2022 PDPC Incidents and Undertaking