Privacy Ninja


February 2023 decisions: No penalty for CPR Vision Management and RedMart

The PDPC decisions for February 2023 cover CPR Vision Management and RedMart, with no financial penalty imposed in either case.

Breaking Down PDPC’s February 2023 decisions: CPR Vision Management and Redmart

The February 2023 PDPC decisions have been published on PDPC’s official website. For this month, two (2) decisions were issued: directions given to CPR Vision Management, and no financial penalty for RedMart.

It should be noted that the Personal Data Protection Act (PDPA) aims to balance organisations’ need to use data for legitimate purposes with the protection of individuals’ personal information, and that the PDPC is tasked with its administration and enforcement.

The PDPC’s decisions are published on its website, which is open to anyone who wants to read the latest data protection standards it has set. For better compliance with these standards, organisations have a duty to keep up to date with the latest PDPC decisions and undertakings.

Let’s have a look at the February 2023 cases with the latest cybersecurity updates to date.

February 10: The directions issued to CPR Vision Management 

On October 29, 2021, L’Oreal Singapore and L’Occitane Singapore notified the PDPC of a ransomware attack on their CRM system vendor, CPR Vision Management. CPR Vision Management is a data intermediary that helped process the personal data collected by L’Oreal and L’Occitane.

The ransomware attack affected a server and three network-attached storage (NAS) devices in the office network. The Incident compromised the personal data of approximately 84,000 L’Occitane customers and nearly 35,000 L’Oreal customers.

Investigations revealed that the threat actor first gained access to the office network through a VPN connection using a compromised user account, before executing the ransomware attack. CPR Vision Management admitted that its endpoint security solution would have been able to detect and block the unauthorised entry attempts to the office network.

However, the organisation had not extended the deployment of this protection solution to the affected office network, as that network was earmarked for decommissioning. CPR Vision Management also admitted that it was in breach of the Retention Limitation Obligation, because the affected data was legacy content that should have been deleted together with the domain controller server earmarked for decommissioning.

Fortunately, the PDPC only issued directions, considering CPR Vision Management’s upfront admission of liability and the absence of any evidence that data exfiltration or modification had occurred.

February 10: No financial penalty issued to RedMart

The next PDPC decision involves RedMart. On May 31, 2021, the PDPC was notified that the online supermarket was collecting images of the physical NRICs and other identification documents of suppliers making deliveries to its warehouses. This practice did not appear to be in compliance with the PDPA.

Investigations revealed that RedMart operated two warehouses used to store the goods and products it sold. With suppliers regularly visiting the warehouses, the Lazada-owned e-commerce company implemented measures to regulate visitors’ access to them.

Security checkpoints there used an organisation-issued tablet computer to take photographs of visitors’ NRIC or other IDs. Prior to the Incident, there were no notices at the warehouses’ security checkpoints informing visitors of the purpose of the collection of ID photographs.

With this lapse identified, RedMart took steps to remediate the Incident, and the PDPC issued directions to follow. Since the directions from the PDPC had been complied with, no financial penalty was imposed on RedMart.

What did we get from these cases?

  • Conducting security audits for your organisation should not be sloppy. They must cover every nook and cranny of your organisation’s systems, especially the servers that contain personal data.
  • Your upfront admission of your lapses as an organisation can go a long way. Do not think twice about coming clean and admitting something that could help expedite the investigation of a data breach.
  • When collecting the personal data of individuals, it is important for the Organisation to secure proper consent and notify them of the purpose of such collection. This is especially true when collecting NRICs. Failure to do so would risk the organisation being liable to a financial penalty of up to S$1,000,000.
  • Failure to observe the obligations under the PDPA does not automatically equate to a financial penalty.
  • Appointing a Data Protection Officer (DPO), a mandatory role in every Organisation, can help. Note that they can be in-house or outsourced to professional PDPA service providers such as Privacy Ninja.

Your appointed DPO can work with you on your PDPA compliance, ensuring that there will be policies in place to make sure that the handling of personal data is PDPA compliant.

A Data Protection Officer (DPO) oversees data protection responsibilities and ensures that the organisation complies with the Personal Data Protection Act (PDPA). Furthermore, every organisation’s DPO should be able to curb any instances of PDPA non-compliance, as the DPO is the officer responsible for maintaining the positive posture of an organisation’s cybersecurity.

DPOs complement an organisation’s efforts to ensure that its methods of collecting personal data comply with the PDPA. They also ensure that policies are set in place to prevent data breaches in the future.

Don’t wait any longer to ensure your organisation is PDPA compliant. Take our free 3-minute PDPA Compliance Self-audit checklist now, the same “secret weapon” used by our clients to keep them on track. Upon completion, we will send you the results so you can take the necessary action to protect your customers’ data. Complete the free assessment checklist today and take the first step towards protecting your customers’ personal data.
