PDPC 2023 new decision: Unpacking the case of Eatigo International

PDPC 2023 new decision: Unpacking the case of Eatigo International

The PDPC has released the case of Eatigo International on its website and we are going to unpack what went wrong, what could have been done to avoid financial penalty, and what lessons can we take from this decision. 

It should be noted that the Personal Data Protection Act (PDPA) aims to balance the organisations’ needs to use data for legitimate purposes with the protection of individuals’ personal information as it is tasked with administration and enforcement.

In doing so, the decisions conducted by PDPC are published on their website, which is open to all who want to read the latest data security standards set by the PDPC. With this, for the better observance of organisations with such standards, it is their duty to be kept updated with the latest PDPC incident and undertakings.

Let’s have a look at the new PDPC decision for 2023 involving the case of Eatigo International with the latest cybersecurity updates to date.

PDPC 2023 new decision: Eatigo International

On October 29, 2020, the PDPC was notified about a possible data leak by Eatigo International. It was found out that a cache of personal data that was suspected to be from the Organisation’s database was being offered for sale on an online forum.

This affected database contained personal data relating to approximately 2.8 million individuals, encompassing personal data such as passwords, access IDs, and Facebook tokens.

Investigations reveal that the personal data for sale on the online forum did not match any current databases in use by Eatigo at the time of the incident. However, this matched the structure of a legacy database which contained user data as of late 2018, the database they used prior to their migration to their current online platform.

After the migration, the affected database was not included in the Organisation’s Virtual Private Network infrastructure. Unfortunately, as Eatigo transitioned to a new engineering team, no one in the Organisation had knowledge of the affected database.

Investigations further revealed that no such password rotation rules were implemented for the affected database, unlike in the current online platform. There were no security reviews conducted, no system in place to monitor the exfiltration of large volumes of data, and no personal data asset inventory or access logs were maintained. 

With this, Eatigo International failed to implement reasonable security arrangements to protect the affected database from the risk of unauthorised access. Thus, for breaching the Protection Obligation under the PDPA, Eatigo International was made to pay a whopping financial penalty of S$62,400.

What can we get from this case?

For organisations with substantial personal data assets, the maintenance of an accurate and up-to-date personal data asset inventory is a prerequisite for complying with the Protection Obligation. This is to ensure that every personal data is accounted for and for tracking purposes. It is a good practice that would assist organisations in complying with the PDPA. 

Moreover, when an organisation handles a high volume of personal data, it is incumbent upon them to implement policies and practices to meet such security needs to discharge its obligation under the Protection Obligation.

How a DPO can help prevent this from happening

Your appointed DPO can work with you on your PDPA compliance, ensuring that there will be policies in place to make sure that the handling of personal data is PDPA compliant. This includes making sure that your Organisation is maintaining a proper personal data asset inventory.

A Data Protection Officer (DPO) oversees data protection responsibilities and ensures that organizations comply with the Personal Data Protection Act (PDPA). Furthermore, every Organization’s DPO should be able to curb any instances of PDPA noncompliance as it is the officer responsible for maintaining the positive posture of an organization’s cybersecurity.

DPOs complement organizations’ efforts to ensure that the organisation’s methods of collecting personal data comply with the PDPA. It also ensures that policies are set in place to make sure that there will be no instances of data breaches in the future.

Don’t wait any longer to ensure your organisation is PDPA compliant. Take our free 3-minute PDPA Compliance Self-audit checklist now, the same “secret weapon” used by our clients to keep them on track. Upon completion, we will send you the results so you can take the necessary action to protect your customers’ data. Complete the free assessment checklist today and take the first step towards protecting your customers’ personal data.