Privacy Ninja



        • Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

August 2022 PDPC Incidents and Undertaking: A breach with no penalty

August 2022 PDPC Incidents
The August 2022 PDPC Incidents and Undertaking decisions of the Personal Data Protection Commission (PDPC) have been published on PDPC’s official website.

August 2022 PDPC incidents and undertaking: A breach with no penalty

The August 2022 PDPC Incidents and Undertaking decision of the Personal Data Protection Commission (PDPC) have been published on PDPC’s official website. For this month, four (4) cases have been issued covering the Direction given to Budgetcars and the Undertakings to be followed by “K” Line, “K” Line Ship Management (Singapore), and “K” Line (Singapore)Inmagine, and The National University of Singapore Society. For this month, no decisions cover a financial penalty for breaching the PDPA.

It should be noted that the Personal Data Protection Act (PDPA) aims to balance the organizations’ needs to use data for legitimate purposes with the protection of individual’s personal information as it is tasked with the administration and enforcement.

In doing so, the decisions conducted by PDPC are published on their website, which is open to all who want to read the latest data security standards set by the PDPC. With this, for the better observance of organizations with such standards, it is their duty to be kept updated with the latest PDPC incident and undertakings.

Let’s have a look at the August 2022 cases with the latest cybersecurity updates to date.

August 11: The directions issued to Budgetcars 

Our first case of PDPC Incidents and Undertaking involves Budgetcars. On August 25, 2021, the PDPC was notified that Budgetcar’s “Tracking Function Page” on its website could be used to get the personal data of other individuals by simply changing the Tracking ID used. 

With this incident, a total of 44,357 individuals’ personal data are at risk of unauthorized access, including their names, addresses, contact numbers, and photographs of their own signatures. 

The organisation admitted that it could have added a safeguard to protect the personal data by archiving it. With this incident, the organisation was found to be in breach of the Personal Data Protection (PDPA). Luckily, the PDPC only gave directions for Budgetcars to follow:

  1. To put in place the appropriate contractual provisions to set out the obligations and responsibilities of both the data controller and data intermediary to protect the organisation’s personal data, and the parties’ respective roles in protecting the personal data; 
  2. To engage a qualified security service provider to conduct a thorough security audit of its technical and administrative arrangements for the security and maintenance of its website that contains personal data in the organisation’s possession or control; 
  3. Provide the full security audit report to the PDPC, no later than 60 days from the date of the issue of this direction; 
  4. Rectify any security gaps identified in the security audit report, review and update its personal data protection policies as applicable within 60 days from the date the security audit report is provided; and 
  5. Inform the Commission within one week of completion of rectification and implementation in response to the security audit report. 
Here are the August 2022 PDPC Incidents and Undertaking that Organizations must take note of.

August 11: Undertaking by “K” Line, “K” Line Ship Management (Singapore), and “K” Line (Singapore)

Our next case of PDPC Incidents and Undertaking involves Undertaking by “K” Line, “K” Line Ship Management (Singapore), and “K” Line (Singapore). On April 3, 2021, the PDPC was notified by “K” Line, “K” Line Ship Management (Singapore), and “K” Line (Singapore) that they had been subjected to malware attacks. 

These three related organisations are all registered in Singapore as subsidiaries of Kawasaki Kisen Kaisha, a holding company that is registered outside of Singapore. On March 18, 2021, an overseas affiliate that is also a subsidiary of Kawasaki told the organizations about a cyber incident. 

During the incident, the affiliate’s account, which had a lot of privileges and access rights, was hacked. After the account was hacked, it was used to attack the Organization’s IT system in Singapore with malware and affected the personal data of 2,148 individuals.

With this incident, the organisation had set up remedial actions to be undertaken and was accepted by the PDPC. This is to improve its data protection practices and its compliance with the PDPA:

  1. Reinforce the use of built-in password protection capability for sensitive documents and use of desktop encryption tools by all staff. The organisations should also supplement existing email reminders on cybersecurity best practices with regimented user awareness training; 
  2. Review the Access Control List for network traffic between the Organisations and their affiliates; 
  3. Review the administrative rights and access of the servers between the Organisations and their affiliates;
  4. Change their password policy settings and a global exercise to update all users and system account credentials; 
  5. Employ cybersecurity analyst to perform Security alerts triage and IT security projects;
  6. Implement 2FA for server’s remote access;
  7. Implement 2FA for remote access by the user via Virtual Private Network (VPN);
  8. Conduct a threat analysis of the Organisation group companies’ active directory, servers, and client PCs that are connected to the organisation’s network;
  9. Deploy threat detection tools;
  10. Implement an e-Learning program;
  11. Establish a service agreement with a security vendor for 24/7 Managed, Detect & Response (MDR);
  12. Implement vulnerability testing on IT systems to be conducted by a security vendor;
  13. Implement system hardening and USB enforcement;
  14. Implement an encryption solution to protect its database and file system;
  15. Expand firewall capability to perform scanning on encrypted network packets, mitigate potential malicious payload hiding under HTTPS encrypted traffic; and
  16. Engage an external consultant to provide a cybersecurity awareness campaign to increase general workforce awareness and knowledge to handle cyber risks.

Also Read: Why cybersecurity is important for businesses in Singapore

The PDPC Incidents and Undertaking for August 2022 serve as guide to avoid breaching the PDPA in the future.

August 11: Undertaking by Inmagine

Our next case of PDPC Incidents and Undertaking involves Inmagine. On November 13, 2020, and January 26, 2021, the organisation notified the PDPC that there had been unauthorised access to two of its websites, and the personal data from these websites had been exfiltrated, affecting the names, addresses, email addresses, and phone numbers of individuals.

It was found that:

  1. The Organization didn’t have a strong enough security assessment policy, log retention policy, or asset management process.
  2. It didn’t have any systems to detect or stop intrusions.
  3. It used an old operating system.

With this incident, the organisation had set up remedial actions to be undertaken and was accepted by the PDPC. This is to improve its data protection practices and its compliance with the PDPA:

  1. Develop a vulnerability assessment policy;
  2. Develop an incident response plan;
  3. Review its log retention policy;
  4. Create an asset list for the tracking of an inventory of its systems;
  5. Implement intrusion, detection, and prevention systems;
  6. Review, compiled, and updated all its systems to the latest operating system; and
  7. Adopt additional security such as two-factor authentication (2FA).

August 11: Undertaking by The National University of Singapore Society (NUSS)

Our last case of PDPC Incidents and Undertaking involves The National University of Singapore Society. On October 8, 2021, NUSS notified the PDPC that its website had been subjected to a SQL injection attack. This affected the personal data of 3,725 individuals.

The affected datasets comprised the affected individuals’ names, addresses, emails, NRIC numbers, contact numbers, gender, date of birth, membership number, marital status, education details, and motor vehicle registration numbers. 

It was established that NUSS had (a) inadequate knowledge of the web server hosting its website, (b) inadequate security reviews to identify vulnerabilities within its website, (c) lack of clauses within its contract with its vendors to ensure compliance with the PDPA and (d) there had been an overreliance on its IT vendor to maintain the security of the web server hosting its website. 

With this incident, the organisation had set up remedial actions to be undertaken and was accepted by the PDPC. This is to improve its data protection practices and its compliance with the PDPA:

  1. Ensure that no personal data was stored at its web server;
  2. Fix all vulnerabilities identified in its forensics report;
  3. Conduct a penetration test;
  4. Establish checklists, procedures, and templates for 3rd party vendors; 
  5. Migrate its website to a virtual private server; and
  6. Revamp its website.

Also Read: Data governance framework: What organisations in Singapore should know



Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection


We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.


Click one of our contacts below to chat on WhatsApp

× Chat with us