January 2022 PDPC Incidents and Undertaking
The January 2022 PDPC Incidents and Undertaking decisions of the Personal Data Protection Commission (PDPC) have been published on the PDPC's official website. For this month, only two (2) cases have been issued: a financial penalty for Nature Society (Singapore) and an undertaking to be executed by JT Legal LLC.
It should be noted that the Personal Data Protection Act (PDPA) aims to balance organisations' need to use data for legitimate purposes against the protection of individuals' personal information, with the PDPC tasked with the Act's administration and enforcement.
The decisions issued by the PDPC are published on its website, which is open to anyone who wants to read the latest data security standards set by the PDPC. Organisations therefore have a duty to keep up to date with the latest PDPC incidents and undertakings so that they can better comply with those standards.
Let’s have a look at the January 2022 cases with the latest cybersecurity updates to date.
January 14: Nature Society (Singapore)’s breach of the Protection and Accountability Obligations
Our first case of PDPC incidents and undertaking involves Nature Society (Singapore). The PDPC was notified on November 06, 2020, that an online article reported hacked databases being made available for download on several hacking forums and Telegram channels. Nature Society (Singapore) was one of the affected organisations.
The personal data of 5,131 members and non-members who had created membership and user accounts on the Nature Society (Singapore)'s website was affected in the Incident. Upon investigation, it was revealed that the possible attack vector was an SQL injection attack, which led to personal data in the Organisation's website database being accessed and exfiltrated by unknown parties.
For this Incident, Nature Society (Singapore) was made to pay a financial penalty of S$14,000, as it admitted that it did not designate a data protection officer (DPO), that it failed to develop and implement any personal data protection policy prior to the Incident, and that it did not make reasonable security arrangements to protect the personal data in its website database.
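The decision names SQL injection as the likely attack vector but does not describe the website's code. The following is an added illustration, not part of the decision or of Nature Society (Singapore)'s own code, of the kind of database access flaw that lets untrusted input rewrite a query, placed beside the parameterised form that a "reasonable security arrangement" for a member database would include. The table, sample rows and inputs are all constructed for the example.

```python
import sqlite3

# Constructed sample rows standing in for a website's member table (not real data).
SAMPLE_MEMBERS = [
    ("alice", "alice@example.org", "S0000001A"),
    ("bob", "bob@example.org", "S0000002B"),
]

# Constructed input of the shape a tester would use to check whether a lookup is
# injectable: the quote closes the string literal and the rest becomes SQL.
PROBE_INPUT = "x' OR '1'='1"


def make_db():
    """Build an in-memory database with the constructed member rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (username TEXT, email TEXT, nric TEXT)")
    conn.executemany("INSERT INTO members VALUES (?, ?, ?)", SAMPLE_MEMBERS)
    return conn


def lookup_vulnerable(conn, username):
    """Vulnerable: the input is pasted into the query text, so it can change
    the query's logic instead of being treated as a value."""
    sql = f"SELECT username, email, nric FROM members WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Hardened: the query shape is fixed and the driver binds the input as data."""
    sql = "SELECT username, email, nric FROM members WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def compare(username):
    """Return (rows from vulnerable lookup, rows from parameterised lookup) for one input."""
    conn = make_db()
    try:
        return len(lookup_vulnerable(conn, username)), len(lookup_parameterized(conn, username))
    finally:
        conn.close()


if __name__ == "__main__":
    # A normal username matches one row either way; the probe input dumps the whole
    # table through the vulnerable lookup and matches nothing through the safe one.
    print("normal input:", compare("alice"))
    print("probe input: ", compare(PROBE_INPUT))
```

The two lookups return the same single row for an ordinary username; the difference only appears on crafted input, which is why a code review or automated scan of every place user input reaches a query, rather than functional testing alone, is the check a DPO should expect the web team to have done.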
We can take from this case the importance of appointing a DPO, who is responsible for ensuring that an Organisation complies with the PDPA. In this decision, the PDPC laid down the DPO's responsibilities, as the role is vital to implementing and building a robust data protection framework.
January 2022 PDPC Incidents and Undertaking: JT Legal LLC
Completing this month's published decisions is the case of JT Legal LLC, where the PDPC accepted the Organisation's undertaking following an email phishing attack that allowed the threat actor to access and view files on JTL's SharePoint.
Due to the Incident, the personal data of approximately 1,006 individuals was put at risk, comprising names, addresses, email addresses, NRIC numbers, and passport numbers. It was established that (a) JTL had insufficient training for its staff on basic cybersecurity and data protection measures, and (b) there was no personal data policy or written internal guidelines, no IT security policy, and no security risk management for its information and communications technology ("ICT") operations.
We can infer from this case that although an Organisation has suffered a data breach because it failed to put reasonable security arrangements in place, it will not necessarily face a hefty fine for that breach. In this case, because of JT Legal LLC's prompt remedial actions, the PDPC only accepted an undertaking that the Organisation must carry out, and imposed nothing else.