Privacy Ninja

April 2022 PDPC Incidents and Undertaking

The April 2022 PDPC Incidents
The April 2022 PDPC Incidents and Undertaking have been published for organizations to follow.

The April 2022 PDPC Incidents and Undertaking decisions of the Personal Data Protection Commission (PDPC) have been published on the PDPC's official website. For this month, three (3) cases have been issued, covering the financial penalties imposed on Trinity Christian Centre and GeniusU, and the Directions given to ACL Construction (S).

It should be noted that the Personal Data Protection Act (PDPA), which the PDPC is tasked with administering and enforcing, aims to balance organizations' need to use data for legitimate purposes against the protection of individuals' personal information.

In doing so, the decisions issued by the PDPC are published on its website, which is open to anyone who wants to read the latest data security standards set by the PDPC. To better observe those standards, organizations have a duty to keep themselves updated on the latest PDPC incidents and undertakings.

Let's have a look at the April 2022 cases alongside the latest cybersecurity updates to date.

Also Read: March 2022 PDPC Incidents and Undertaking

Here are the April 2022 PDPC Incidents and Undertaking that organizations must take note of.

April 21: GeniusU’s breach of the Data Protection Obligations

Our first case of PDPC incidents and undertaking involves GeniusU. The PDPC was notified on January 12, 2021, that there had been unauthorized access to, and exfiltration of, a staging application database holding personal data. This affected approximately 1.26 million users, compromising their last names, locations, email addresses, and last sign-in IP addresses.

Upon investigation conducted by the organization, it was found that the breach was likely caused by a compromised developer password: either the password for the developer's GitHub account was weak, or the GitHub account itself had been compromised.

This then allowed the bad actor to enter the organization's GitHub environment, gain access to the database, and exfiltrate the personal data stored in it.

With this Incident, GeniusU was made to pay a financial penalty of S$35,000 for breaching the data protection obligation, having failed to make reasonable security arrangements to ensure that passwords were kept secure and out of the reach of bad actors.

We can take from this case the importance of appointing a DPO who is responsible for ensuring that an organization complies with the PDPA and maintains healthy cybersecurity hygiene. One of the jobs of a DPO is to ensure that passwords are not easily guessed, by scanning for any vulnerabilities the organization may have and patching them as soon as possible so that they are not exploited.

The PDPC Incidents and Undertaking for April 2022 serve as a guide to avoiding financial penalties in the future.

April 21: Trinity Christian Centre’s breach of the Data Protection Obligations

Our second case of PDPC incidents and undertaking involves Trinity Christian Centre. The PDPC was notified on March 11, 2021, that its database servers containing personal data had been infected with ransomware.

The database servers housed the data of 72,285 individuals at the time of the Incident. Each individual's data was impacted differently and at times included their name, full identification number, residential address, contact number, email address, photograph, date of birth, age, marital status, education level, and description of a medical condition.

Upon the investigation done by the organization, it was revealed that it maintained an open and publicly exposed remote desktop protocol (RDP) port. This was how the bad actor, holding compromised administrator account credentials, was able to enter the organization's network and database server, leading to the execution of the ransomware attack.

With this Incident, Trinity Christian Centre was made to pay a financial penalty of S$20,000 for breaching the data protection obligation, having failed to make reasonable security arrangements to ensure that safeguards were in place against a future ransomware infection.

This decision also underlines the importance of appointing a DPO to ensure that no vulnerability is left present in the organization's networks and servers. It is within the DPO's scope of work to ensure that any vulnerabilities present are patched so that threat actors cannot exploit them.
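The weak setting in the Trinity Christian Centre case is a firewall rule that admits RDP (TCP/3389) from the whole internet. The script below is an added example, not code from this post or from the PDPC decision: it audits a ruleset for exactly that setting and shows the corrected rule beside it, with the source restricted to an internal management network. The one-line rule format, the internal address ranges, and the sample ruleset are all constructed for illustration; a real firewall or cloud security group would need its own exporter.

```python
"""Audit inbound firewall rules for RDP (TCP/3389) exposed to the internet.

Added example; the rule format and sample data are constructed, not taken
from any real firewall. IPv4 only.
"""
import ipaddress
from dataclasses import dataclass, replace

RDP_PORT = 3389

# Source ranges treated as internal (RFC 1918 plus loopback). Any other source,
# 0.0.0.0/0 included, counts as public exposure. Assumption for this example.
INTERNAL_RANGES = [
    ipaddress.ip_network(c)
    for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]


@dataclass(frozen=True)
class InboundRule:
    name: str
    protocol: str            # "tcp", "udp" or "any"
    port_from: int
    port_to: int
    source: ipaddress.IPv4Network


def parse_rule(line: str) -> InboundRule:
    """Parse one constructed rule line:
    '<name> allow <proto> <port>|<from>-<to> from <cidr>'."""
    name, allow, proto, ports, frm, cidr = line.split()
    if allow != "allow" or frm != "from":
        raise ValueError(f"unrecognised rule: {line!r}")
    if "-" in ports:
        lo, hi = (int(p) for p in ports.split("-", 1))
    else:
        lo = hi = int(ports)
    return InboundRule(name, proto.lower(), lo, hi,
                       ipaddress.ip_network(cidr, strict=False))


def is_internal(net: ipaddress.IPv4Network) -> bool:
    """True when the whole source range lies inside one internal range."""
    return any(r.version == net.version and net.subnet_of(r)
               for r in INTERNAL_RANGES)


def exposes_rdp(rule: InboundRule) -> bool:
    """True when the rule admits TCP/3389 from a non-internal source.
    A port range that merely contains 3389 counts too."""
    if rule.protocol not in ("tcp", "any"):
        return False
    if not rule.port_from <= RDP_PORT <= rule.port_to:
        return False
    return not is_internal(rule.source)


def audit(lines):
    """Names of rules that expose RDP, in ruleset order."""
    return [r.name for r in map(parse_rule, lines) if exposes_rdp(r)]


def harden(rule: InboundRule, mgmt_cidr: str) -> InboundRule:
    """Corrected form of an exposed rule: same ports, but the source is limited
    to a management network reached over VPN, which must itself be internal."""
    mgmt = ipaddress.ip_network(mgmt_cidr, strict=False)
    if not is_internal(mgmt):
        raise ValueError("management network must be an internal range")
    return replace(rule, source=mgmt)


# Constructed sample ruleset. The first rule is the weak setting from the case
# (RDP open to the world); the third hides the same exposure inside a range.
SAMPLE_RULES = [
    "rdp-any       allow tcp 3389       from 0.0.0.0/0",
    "rdp-mgmt      allow tcp 3389       from 10.20.0.0/24",
    "db-range      allow tcp 3300-3400  from 0.0.0.0/0",
    "https-public  allow tcp 443        from 0.0.0.0/0",
    "udp-3389      allow udp 3389       from 0.0.0.0/0",
]

if __name__ == "__main__":
    for name in audit(SAMPLE_RULES):
        bad = next(parse_rule(l) for l in SAMPLE_RULES if l.split()[0] == name)
        print(f"EXPOSED {bad.name}: {bad.protocol}/{bad.port_from}-{bad.port_to} "
              f"from {bad.source}")
        print(f"  corrected -> {harden(bad, '10.20.0.0/24')}")
```

Running it flags `rdp-any` and `db-range` (the 3300-3400 range silently includes 3389) and leaves `rdp-mgmt`, `https-public` and the UDP rule alone. The check is deliberately strict: a rule allowing 3389 from a single public IP is still reported, since the corrected form in this model is always an internal source behind a VPN.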

April 2022 PDPC Incidents and Undertaking: ACL Construction (S)

Completing this month's published decisions is the case of ACL Construction (S). After its data was offered for sale on the dark web by one "Prometheus," the PDPC directed the organization to develop and implement policies and practices to comply with the provisions of the PDPA, and to put in place a program of compulsory training for ACL's employees on PDPA compliance when handling personal data.

Luckily, the affected data, such as names, business contact numbers, and business email addresses, had not been provided by the individuals concerned for a personal purpose; it therefore constitutes "business contact information" as defined under the Personal Data Protection Act.

This means it falls outside the scope of the PDPA. So, although the organization suffered a data breach, no personal data was in fact affected. This would have been enough to bring the matter to a close, but it was found that the organization had failed to appoint a Data Protection Officer (DPO) to oversee its compliance with the PDPA.

Under the PDPA, all organizations are required to appoint a DPO to ensure that they maintain healthy cybersecurity hygiene. Since ACL had failed to appoint a DPO, it would ordinarily have been made to pay a financial penalty.

Luckily, the PDPC reconsidered and, instead of imposing a hefty fine, only gave directions for the organization to follow, bearing in mind the organisation's low level of awareness of its obligations under the PDPA.

This case highlights the importance of appointing a DPO, as the PDPA requires. It gives us an idea that failing to do so would result in a hefty financial penalty from the PDPC. While it is true that ACL Construction was not made to pay a fine in this case, without the mitigating circumstances the PDPC would still have imposed a fine, even though the breached data was not personal data.

Also Read: February 2022 PDPC Incidents and Undertaking
