
Privacy Ninja


On Data Protection Management: The Razer and Capgemini Incident

Data Protection Management
Good Data Protection Management saves organisations a great deal of money that would otherwise go to penalties for breaches.


What we know so far

Razer, a gaming company, has filed a lawsuit against a vendor following a cybersecurity breach that exposed confidential information about its customers and sales to the public.

The data leak, which lasted about three months from June to September 2020, made headlines when a security researcher revealed that the personal information of approximately 100,000 Razer customers could have been compromised.

Razer claims it has lost approximately $6.85 million in profit from its online website as a result of the data breach. In addition, Razer is suing for unquantified monetary damages for the profit it lost when its digital bank licence application was rejected.

According to Razer, the cybersecurity breach was caused by Mr. Argel Cabalag, a Capgemini employee, while he was dealing with an issue in Razer’s internal IT system.


Organisations must ensure that security arrangements are in place so that they do not face the same problem in the future.

Razer employing an IT vendor

Capgemini recommended the ELK Stack platform to Razer. It collects and analyses vast quantities of data from numerous sources and stores it in a centralised data repository. According to Razer, Capgemini is a “reliable and respected partner” for IT solutions, and at Capgemini’s proposal Razer agreed to use the ELK Stack in its IT system, with Capgemini’s assistance in setting up and configuring it.

Additionally, Razer hired Mr. Argel Cabalag to be stationed at its headquarters and serve as a subject matter expert.

On June 17 and 18, 2020, Mr. Cabalag examined a problem with Razer’s ELK Stack: Razer employees were unable to log in and could not resolve the issue on their own. Mr. Cabalag was the only person who troubleshot the ELK Stack, and he rectified the issue within a day.

He was also the sole person with the skills and expertise to access and modify a configuration file on Razer’s server, and shortly after the 16-minute window he reported to the Razer staff that everything was alright.

Security Misconfiguration discovered

The data leak was found by a bug bounty hunter (a white hat hacker), who traced it to a security misconfiguration: the ELK Stack’s security settings had been manually disabled.

This misconfiguration was the reason the data leak occurred. It left the ELK Stack open to cyberattacks and breaches, which could have resulted in further damage from public backlash and in PDPA penalties of up to S$1,000,000.

Like the bug bounty hunter who found this data leak, Privacy Ninja has performed numerous pentests on its clients’ networks and infrastructure, and has found that security misconfigurations are a common cause of security lapses.

This does not mean that the clients’ IT personnel or vendors resent Privacy Ninja for discovering vulnerabilities. Rather, they learn from our reports and, moving forward, can better configure and harden the systems they manage for other clients.

Data Protection Management: Liability of the vendor under the PDPA

A vendor can be liable under the PDPA for a breach of the protection obligation if it is a data intermediary of the organisation.

The PDPA defines a “data intermediary” as “an organisation which processes personal data on behalf of another organisation but does not include an employee of that other organisation”.

The PDPA non-exhaustively defines “processing” as the carrying out of any operation or set of operations in relation to personal data, and includes any of the following:

(a) recording;

(b) holding;

(c) organisation, adaptation or alteration;

(d) retrieval;

(e) combination;

(f) transmission; 

(g) erasure or destruction.

When engaging a vendor, a good practice for preventing security misconfigurations in the future is to set out guidelines on how the vendor operates within the organisation’s systems. That way, whenever a change is made that could harm the organisation, the organisation can review it and assess whether its security arrangements are still met.
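The misconfiguration described in this article (an ELK Stack whose security settings were manually switched off) and the change-review practice recommended above can both be illustrated in code. The following is an added example written for this page, not code from Privacy Ninja, Razer, Capgemini or Elastic: it audits a flat elasticsearch.yml for settings that leave the cluster unauthenticated or exposed, and reports exactly which settings a proposed vendor change would alter, so the organisation can review the change before it goes live. The article does not name the exact settings involved; `xpack.security.enabled`, `xpack.security.http.ssl.enabled` and `network.host` are real Elasticsearch settings used here as assumptions about the class of misconfiguration, and both sample configurations are constructed.

```python
"""
Added example (not part of the original article): a defensive audit for an
Elasticsearch node configuration (elasticsearch.yml) plus a change-review
helper that shows which settings a proposed configuration change alters.

Assumptions: the setting names are real Elasticsearch settings chosen to
illustrate the class of misconfiguration; the article does not say which
settings were disabled. Absent settings are treated with Elasticsearch 8.x
defaults (security enabled), which is an assumption about the deployment.
"""
from __future__ import annotations

FALSE_VALUES = {"false", "no", "off", "0"}
LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "_local_", "::1"}


def parse_flat_yaml(text: str) -> dict[str, str]:
    """Parse the flat 'dotted.key: value' lines typical of elasticsearch.yml.

    Comments and blank lines are ignored and quoted values are unquoted.
    Nested YAML blocks are out of scope for this example.
    """
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip('"').strip("'")
    return settings


def audit_elasticsearch_config(text: str) -> list[str]:
    """Return findings for settings that weaken the node's security."""
    s = parse_flat_yaml(text)
    findings: list[str] = []

    security_disabled = s.get("xpack.security.enabled", "true").lower() in FALSE_VALUES
    if security_disabled:
        findings.append(
            "xpack.security.enabled is false: authentication and authorisation are off"
        )

    if s.get("xpack.security.http.ssl.enabled", "true").lower() in FALSE_VALUES:
        findings.append(
            "xpack.security.http.ssl.enabled is false: REST API traffic is unencrypted"
        )

    # A node bound beyond loopback is only a problem in combination with
    # disabled security: that is the "open data store" pattern.
    host = s.get("network.host", "_local_")
    if host not in LOOPBACK_HOSTS and security_disabled:
        findings.append(
            f"network.host={host} with security disabled: unauthenticated network access"
        )
    return findings


def review_change(before: str, after: str) -> dict[str, tuple[str | None, str | None]]:
    """Report every setting a proposed change adds, removes or modifies.

    This is the review gate the article recommends for vendor changes: the
    organisation sees exactly what changed before the configuration goes live.
    """
    old, new = parse_flat_yaml(before), parse_flat_yaml(after)
    changes: dict[str, tuple[str | None, str | None]] = {}
    for key in sorted(old.keys() | new.keys()):
        if old.get(key) != new.get(key):
            changes[key] = (old.get(key), new.get(key))
    return changes


def weakened_settings(before: str, after: str) -> list[str]:
    """Findings the change introduces: present afterwards, absent before."""
    baseline = audit_elasticsearch_config(before)
    return [f for f in audit_elasticsearch_config(after) if f not in baseline]


# Constructed sample configurations: a hardened baseline and a troubleshooting
# change that switched security off and bound the node to every interface.
BASELINE_CONFIG = """\
cluster.name: logging-prod
network.host: 127.0.0.1
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

TROUBLESHOOTING_CONFIG = """\
cluster.name: logging-prod
network.host: 0.0.0.0            # bound to every interface
xpack.security.enabled: false    # "temporarily" disabled to fix a login problem
xpack.security.http.ssl.enabled: true
"""

if __name__ == "__main__":
    for key, (old, new) in review_change(BASELINE_CONFIG, TROUBLESHOOTING_CONFIG).items():
        print(f"changed: {key}: {old!r} -> {new!r}")
    for finding in weakened_settings(BASELINE_CONFIG, TROUBLESHOOTING_CONFIG):
        print("finding:", finding)
```

Run against a proposed configuration before it is applied, the `review_change` output gives the organisation the list of altered settings to approve, while `weakened_settings` turns the review into a concrete go/no-go check: any finding that appears after the change but not before is a reason to stop and ask the vendor.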
