January 2022 PDPC Incidents and Undertaking


The January 2022 PDPC Incidents and Undertaking decisions of the Personal Data Protection Commission (PDPC) have been published on PDPC’s official website. For this month, only two (2) cases have been issued, covering a financial penalty for Nature Society (Singapore) and an undertaking to be executed by JT Legal LLC.

It should be noted that the Personal Data Protection Act (PDPA), which the PDPC is tasked with administering and enforcing, aims to balance organizations’ needs to use data for legitimate purposes with the protection of individuals’ personal information.

To that end, the PDPC publishes its decisions on its website, where anyone can read the latest data security standards it has set. To better observe these standards, organizations have a duty to keep up to date with the latest PDPC incidents and undertakings.

Let’s have a look at the January 2022 cases with the latest cybersecurity updates to date.

Here are the January 2022 PDPC Incidents and Undertaking that Organizations must take note of


January 14: Nature Society (Singapore)’s breach of the Protection and Accountability Obligations

Our first case of PDPC incidents and undertaking involves Nature Society (Singapore). The PDPC was notified on November 06, 2020, of an online article reporting that hacked databases were being made available for download on several hacking forums and Telegram channels. Nature Society (Singapore) was one of the affected organizations.

The personal data of 5,131 members and non-members who had created membership and user accounts on the Nature Society (Singapore)’s website were affected in the Incident. Upon investigation, it was revealed that the possible attack vector was an SQL injection attack, which led to personal data on the Organisation’s website database being accessed and exfiltrated by unknown parties.

With this Incident, Nature Society (Singapore) was made to pay a financial penalty of S$14,000 as it admitted that it did not designate a DPO, it failed to develop and implement any personal data protection policy prior to the Incident, and it did not make reasonable security arrangements to protect the personal data on its website database.

This case shows the importance of appointing a DPO, who will be responsible for ensuring that an Organization complies with the PDPA. In this case, the PDPC laid down the DPO’s responsibilities, as the DPO plays a vital role in implementing and building a robust data protection framework.

The PDPC Incidents and Undertaking for January 2022 serve as a guide to avoid financial penalties in the future

January 2022 PDPC Incidents and Undertaking: JT Legal LLC

Completing this month’s published decisions is the case of JT Legal LLC, where the PDPC accepted the undertaking of the Organization regarding the email phishing attack, which allowed the threat actor to access and view files on JTL’s SharePoint.

Due to the Incident, approximately 1,006 individuals’ personal data was at risk, comprising the names of individuals, addresses, emails, NRIC numbers, and passport numbers. It was established that (a) JTL had insufficient training for its staff on basic cybersecurity and data protection measures, and (b) there was no personal data policy or written internal guidelines, a lack of IT security policy for, and no security risk management of, its information and communications technology (“ICT”) operations.

We can infer from this case that although an Organization suffered a data breach due to failure to put in place reasonable security arrangements, it does not necessarily mean that the Organization will face a hefty fine due to the data breach. In this case, due to JT Legal LLC’s prompt remedial actions, the PDPC only accepted an undertaking that the Organization needs to follow, and nothing else.
