August 2022 PDPC Incidents and Undertaking: A breach with no penalty


The August 2022 PDPC Incidents and Undertaking decisions of the Personal Data Protection Commission (PDPC) have been published on PDPC’s official website. For this month, four (4) cases have been issued, covering the Direction given to Budgetcars and the Undertakings to be followed by “K” Line, “K” Line Ship Management (Singapore) and “K” Line (Singapore); Inmagine; and The National University of Singapore Society. None of this month’s decisions imposes a financial penalty for breaching the PDPA.

It should be noted that the Personal Data Protection Act (PDPA) aims to balance organisations’ need to use data for legitimate purposes with the protection of individuals’ personal data; the PDPC is tasked with its administration and enforcement.

The PDPC publishes its decisions on its website, where anyone can read the latest data protection standards it has set. To better comply with those standards, organisations have a duty to keep up to date with the latest PDPC incidents and undertakings.

Let’s have a look at the August 2022 cases with the latest cybersecurity updates to date.

August 11: The directions issued to Budgetcars

Our first case of PDPC Incidents and Undertaking involves Budgetcars. On August 25, 2021, the PDPC was notified that the “Tracking Function Page” on Budgetcars’ website could be used to retrieve the personal data of other individuals by simply changing the Tracking ID in the request.

The personal data of 44,357 individuals was put at risk of unauthorised access, including their names, addresses, contact numbers and images of their signatures.

The organisation admitted that it could have protected the personal data by archiving it. Following the incident, the organisation was found to be in breach of the Personal Data Protection Act (PDPA). Luckily, the PDPC only gave directions for Budgetcars to follow:

  1. To put in place the appropriate contractual provisions to set out the obligations and responsibilities of both the data controller and data intermediary to protect the organisation’s personal data, and the parties’ respective roles in protecting the personal data; 
  2. To engage a qualified security service provider to conduct a thorough security audit of its technical and administrative arrangements for the security and maintenance of its website that contains personal data in the organisation’s possession or control; 
  3. Provide the full security audit report to the PDPC, no later than 60 days from the date of the issue of this direction; 
  4. Rectify any security gaps identified in the security audit report, review and update its personal data protection policies as applicable within 60 days from the date the security audit report is provided; and 
  5. Inform the Commission within one week of completion of rectification and implementation in response to the security audit report. 
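The tracking-page weakness described above, as an added example (not Budgetcars’ code; the owner-account field and the sample records are assumed): a lookup that hands any record to anyone holding a valid ID, beside a lookup that ties the record to the authenticated account and returns only the fields the page needs, plus the archiving safeguard the organisation said it could have applied.

```python
from dataclasses import dataclass


@dataclass
class Delivery:
    tracking_id: str
    owner_account: str   # account that booked the delivery (assumed field)
    recipient_name: str
    address: str
    contact: str
    signature_png: bytes
    delivered: bool = False


# Constructed sample records standing in for the live tracking table.
DELIVERIES = {
    "TRK-1001": Delivery("TRK-1001", "alice", "Alice Tan", "1 Example Rd",
                         "+65 0000 0001", b"\x89PNG-alice", delivered=True),
    "TRK-1002": Delivery("TRK-1002", "bob", "Bob Lim", "2 Example Rd",
                         "+65 0000 0002", b"\x89PNG-bob"),
}
ARCHIVE = {}  # cold store that the public tracking page cannot read


def lookup_insecure(tracking_id):
    """Weak pattern: any valid ID returns the whole record, so stepping through
    TRK-1001, TRK-1002, ... would expose every customer's data."""
    return DELIVERIES.get(tracking_id)


def lookup_secure(tracking_id, session_account):
    """Hardened pattern: the record must belong to the authenticated account,
    and only the fields the tracking page needs are returned (no signature)."""
    d = DELIVERIES.get(tracking_id)
    if d is None or d.owner_account != session_account:
        # Same response for "no such ID" and "not your ID", so the page
        # cannot be used to confirm which IDs exist.
        return None
    return {"tracking_id": d.tracking_id,
            "recipient_name": d.recipient_name,
            "delivered": d.delivered}


def archive_completed():
    """Data minimisation, the safeguard Budgetcars said it could have used:
    move delivered records out of the live store. Returns the count moved."""
    done = [tid for tid, d in DELIVERIES.items() if d.delivered]
    for tid in done:
        ARCHIVE[tid] = DELIVERIES.pop(tid)
    return len(done)
```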
Here are the August 2022 PDPC Incidents and Undertaking that organisations must take note of.

August 11: Undertaking by “K” Line, “K” Line Ship Management (Singapore), and “K” Line (Singapore)

Our next case of PDPC Incidents and Undertaking involves the undertaking by “K” Line, “K” Line Ship Management (Singapore), and “K” Line (Singapore). On April 3, 2021, the PDPC was notified by “K” Line, “K” Line Ship Management (Singapore), and “K” Line (Singapore) that they had been subjected to malware attacks.

These three related organisations are all registered in Singapore as subsidiaries of Kawasaki Kisen Kaisha, a holding company registered outside of Singapore. On March 18, 2021, an overseas affiliate that is also a subsidiary of Kawasaki informed the organisations of a cyber incident.

During that incident, a highly privileged account belonging to the affiliate was compromised. The compromised account was then used to deliver malware into the organisations’ IT systems in Singapore, affecting the personal data of 2,148 individuals.

Following the incident, the organisations proposed remedial actions, which the PDPC accepted as an undertaking to improve their data protection practices and their compliance with the PDPA:

  1. Reinforce the use of built-in password protection for sensitive documents and the use of desktop encryption tools by all staff. The organisations should also supplement existing email reminders on cybersecurity best practices with regular user awareness training;
  2. Review the Access Control List for network traffic between the Organisations and their affiliates;
  3. Review the administrative rights and access of the servers between the Organisations and their affiliates;
  4. Change their password policy settings and conduct a global exercise to update all user and system account credentials;
  5. Employ a cybersecurity analyst to perform security alert triage and IT security projects;
  6. Implement 2FA for remote access to servers;
  7. Implement 2FA for remote access by users via Virtual Private Network (VPN);
  8. Conduct a threat analysis of the Organisation group companies’ Active Directory, servers, and client PCs connected to the organisation’s network;
  9. Deploy threat detection tools;
  10. Implement an e-Learning programme;
  11. Establish a service agreement with a security vendor for 24/7 Managed Detection and Response (MDR);
  12. Implement vulnerability testing on IT systems, to be conducted by a security vendor;
  13. Implement system hardening and USB device controls;
  14. Implement an encryption solution to protect its database and file system;
  15. Expand firewall capability to inspect encrypted network traffic, mitigating malicious payloads hidden in HTTPS traffic; and
  16. Engage an external consultant to run a cybersecurity awareness campaign that increases the general workforce’s awareness and ability to handle cyber risks.

The PDPC Incidents and Undertaking for August 2022 serve as a guide to avoid breaching the PDPA in the future.

August 11: Undertaking by Inmagine

Our next case of PDPC Incidents and Undertaking involves Inmagine. On November 13, 2020, and January 26, 2021, the organisation notified the PDPC that there had been unauthorised access to two of its websites and that personal data from these websites had been exfiltrated, affecting individuals’ names, addresses, email addresses, and phone numbers.

It was found that:

  1. The Organisation did not have an adequate security assessment policy, log retention policy, or asset management process.
  2. It had no systems in place to detect or prevent intrusions.
  3. It was running an outdated operating system.

Following the incident, the organisation proposed remedial actions, which the PDPC accepted as an undertaking to improve its data protection practices and its compliance with the PDPA:

  1. Develop a vulnerability assessment policy;
  2. Develop an incident response plan;
  3. Review its log retention policy;
  4. Create an asset list to track an inventory of its systems;
  5. Implement intrusion detection and prevention systems;
  6. Review and update all its systems to the latest operating system; and
  7. Adopt additional security measures such as two-factor authentication (2FA).

August 11: Undertaking by The National University of Singapore Society (NUSS)

Our last case of PDPC Incidents and Undertaking involves The National University of Singapore Society. On October 8, 2021, NUSS notified the PDPC that its website had been subjected to a SQL injection attack. This affected the personal data of 3,725 individuals.

The affected datasets comprised the affected individuals’ names, addresses, email addresses, NRIC numbers, contact numbers, gender, dates of birth, membership numbers, marital status, education details, and motor vehicle registration numbers.

It was established that NUSS had (a) inadequate knowledge of the web server hosting its website, (b) inadequate security reviews to identify vulnerabilities within its website, (c) no clauses in its contracts with its vendors to ensure compliance with the PDPA, and (d) an overreliance on its IT vendor to maintain the security of the web server hosting its website.

Following the incident, the organisation proposed remedial actions, which the PDPC accepted as an undertaking to improve its data protection practices and its compliance with the PDPA:

  1. Ensure that no personal data is stored on its web server;
  2. Fix all vulnerabilities identified in its forensics report;
  3. Conduct a penetration test;
  4. Establish checklists, procedures, and templates for third-party vendors;
  5. Migrate its website to a virtual private server; and
  6. Revamp its website.
