February 2022 PDPC Incidents and Undertaking
The February 2022 PDPC Incidents and Undertaking decisions of the Personal Data Protection Commission (PDPC) have been published on the PDPC’s official website. For this month, only two (2) cases were issued, both involving financial penalties: Tanah Merah Country Club and North London Collegiate School (Singapore) Pte. Ltd.
It should be noted that the Personal Data Protection Act (PDPA), which the PDPC is tasked with administering and enforcing, aims to balance organizations’ need to use data for legitimate purposes with the protection of individuals’ personal information.
The PDPC publishes its decisions on its website, where anyone can read the latest data security standards it has set. Organizations that want to meet those standards therefore have a duty to keep up to date with the latest PDPC incidents and undertakings.
Let’s have a look at the February 2022 cases, the latest cybersecurity updates to date.
February 18: North London Collegiate School (Singapore)’s breach of the Protection and Accountability Obligations
Our first case of PDPC incidents and undertakings involves North London Collegiate School (Singapore). The Organization notified the PDPC on July 02, 2021, that a parent of a student had been able to view and access a student report by searching on internet search engines.
Investigations found that prospective students’ parents could submit documentation for admission applications via the Organization’s website from December 2019 to July 2021. All uploaded documents were saved in a directory on the website. However, that folder was not effectively protected from automatic indexing by web crawlers. As a result, search engines indexed the submitted documents, and they could appear in online search results.
The Organization admitted that it had simply used a robots.txt file on its website to instruct search engines not to index the content of the website directory folder. However, it is well understood that the robots exclusion protocol is not binding: it is a request that well-behaved crawlers honour, and nothing enforces it against a crawler that ignores it.
The Organization also stated that it relied on a related group company to set up and manage its website, but there were no clear business requirements specifying that the Organization was relying on the sister company to recommend and/or implement security arrangements to protect the personal data residing in the website directory/folder.
With this Incident, the personal data of minors was at risk of unauthorized access, and the Organization was made to pay a financial penalty of S$10,000 for failing to set up reasonable security arrangements to protect the personal data on its website database.
This case shows the importance of specifying the scope of work of the party responsible for recommending and/or implementing the security arrangements that protect personal data. Furthermore, organizations storing personal data in website directories or folders should implement proper directory permissions and access controls to prevent unintended access by web crawlers, instead of relying on the robots exclusion protocol.
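Why robots.txt is not an access control can be checked directly. The following Python audit is an added example, not part of the decision or of the school’s own code: it parses the Disallow rules a site publishes and reports which of those paths an unauthenticated request still receives with HTTP 200. The robots.txt content and the responses are constructed for the example, and `fake_fetch` stands in for a real HTTP GET.

```python
"""Check whether paths that robots.txt asks crawlers to skip are still
publicly reachable. robots.txt is advisory: a crawler that ignores it
fetches the path anyway, so the real control is server-side access control.
Added example; robots.txt content and responses below are constructed."""
from typing import Callable, Dict, List

# Constructed robots.txt resembling a "robots.txt only" protection setup.
SAMPLE_ROBOTS = """\
User-agent: *
Disallow: /admissions/uploads/
Disallow: /private/
Allow: /public/
"""

# Constructed status codes an unauthenticated request would receive.
# 200 = served to anyone; 401/403 = access control actually enforced.
SAMPLE_RESPONSES: Dict[str, int] = {
    "/admissions/uploads/": 200,
    "/private/": 403,
}


def parse_disallows(robots_txt: str) -> List[str]:
    """Return Disallow paths declared in robots.txt (order kept, no duplicates)."""
    paths: List[str] = []
    for line in robots_txt.splitlines():
        line = line.split("#", 1)[0].strip()          # drop trailing comments
        if not line.lower().startswith("disallow:"):
            continue
        path = line.split(":", 1)[1].strip()
        if path and path not in paths:                  # empty Disallow means "allow all"
            paths.append(path)
    return paths


def publicly_exposed_disallows(robots_txt: str,
                               fetch: Callable[[str], int]) -> List[str]:
    """Paths the site hides from crawlers but serves to an unauthenticated
    request (HTTP 200). Each one is an exposure robots.txt does not prevent."""
    return [p for p in parse_disallows(robots_txt) if fetch(p) == 200]


def fake_fetch(path: str) -> int:
    """Stand-in for an unauthenticated HTTP GET, using the constructed table."""
    return SAMPLE_RESPONSES.get(path, 404)


if __name__ == "__main__":
    for path in publicly_exposed_disallows(SAMPLE_ROBOTS, fake_fetch):
        print(f"EXPOSED: {path} is disallowed for crawlers but served without auth")
```

Against a real site, replace `fake_fetch` with an unauthenticated request and treat every reported path as data that robots.txt alone leaves open.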
February 2022 PDPC Incidents and Undertaking: Tanah Merah Country Club’s breach of the Protection and Accountability Obligations
Completing this month’s published decisions is the case of Tanah Merah Country Club, which the PDPC ordered to pay a financial penalty of $4,000 for a breach of personal data and failure to set up reasonable security arrangements to prevent it.
On February 24, 2021, Tanah Merah Country Club notified the Personal Data Protection Commission that an employee’s email account had been compromised, and 600 phishing emails had been sent to various individuals on February 22, 2021.
The Organization’s investigations found that its email accounts had most certainly been vulnerable to password spraying attempts. The Employee was using the password “[email protected]” at the time of the Incident and had not changed it in over five years, from 2016 until the Incident on February 22, 2021.
The threat actor accessed the personal data of 467 people after gaining access to the Employee’s email account, including:
a. The email addresses of 155 club members and 284 members of the general public, to whom the threat actor had sent phishing emails.
b. The names, NRIC numbers, and/or email addresses of an additional 28 people, contained in the emails.
We can infer from this case the importance of an organization having a written personal data protection policy to guide its employees and staff in protecting personal data properly. If the policy is passed on only by word of mouth, the organization runs the risk of its policies and practices being passed on incorrectly.
Furthermore, to maintain good governance over its personal data and mitigate data breach risks throughout the data lifecycle, organizations should develop and implement ICT security policies for data protection, including a password policy.
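The password spraying described in the Tanah Merah case (a few guesses against many accounts, rather than many guesses against one) leaves a distinctive shape in authentication logs that a password policy alone does not reveal. As an added example, not drawn from the decision, this Python detector groups failed logins by source and flags sources whose failures spread thinly across many accounts; the log format, addresses and entries are constructed.

```python
"""Flag the password-spraying pattern (one source trying a common password
against many accounts) in auth logs. Added example, not part of the PDPC
decision; the log format and every entry below are constructed."""
import re
from collections import defaultdict
from typing import Dict, Set

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")

# Constructed log: 203.0.113.7 tries one guess against six accounts and gets in
# on the sixth; 198.51.100.5 is a legitimate user mistyping their own password.
SAMPLE_LOG = """\
2021-02-22T03:10:01Z src=203.0.113.7 user=alice result=FAIL
2021-02-22T03:10:02Z src=203.0.113.7 user=bob result=FAIL
2021-02-22T03:10:03Z src=203.0.113.7 user=carol result=FAIL
2021-02-22T03:10:04Z src=203.0.113.7 user=dave result=FAIL
2021-02-22T03:10:05Z src=203.0.113.7 user=erin result=FAIL
2021-02-22T03:10:06Z src=203.0.113.7 user=frank result=OK
2021-02-22T03:12:00Z src=198.51.100.5 user=grace result=FAIL
2021-02-22T03:12:09Z src=198.51.100.5 user=grace result=FAIL
2021-02-22T03:12:20Z src=198.51.100.5 user=grace result=OK
"""


def detect_spraying(log: str, min_accounts: int = 5,
                    max_per_account: int = 3) -> Dict[str, dict]:
    """Return {source: details} for sources whose failures spread across at least
    `min_accounts` distinct users with no more than `max_per_account` failures
    each (breadth, not depth: brute force on one account looks the opposite).
    The thresholds are illustrative tuning knobs, not a standard."""
    failures: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    successes: Dict[str, Set[str]] = defaultdict(set)
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        if m["result"] == "FAIL":
            failures[m["src"]][m["user"]] += 1
        else:
            successes[m["src"]].add(m["user"])
    alerts: Dict[str, dict] = {}
    for src, per_user in failures.items():
        if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
            alerts[src] = {
                "accounts_tried": sorted(per_user),
                # a success from a spraying source marks the account to treat as compromised
                "compromised": sorted(successes.get(src, set())),
            }
    return alerts
```

A flagged source with a non-empty `compromised` list is the case this decision describes: the account whose long-unchanged password was guessed should be reset and its outbound mail reviewed.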