PDPC’s March 2023 decisions: Sembcorp Marine and Eatigo International

PDPC’s March 2023 decisions: Sembcorp Marine and Eatigo International

The March 2023 PDPC decisions have been published on PDPC’s official website. For this month, two (2) cases have been issued covering the “not in breach” decision given to Sembcorp Marine and the financial penalty of Eatigo International. 

It should be noted that the Personal Data Protection Act (PDPA) aims to balance the organizations’ needs to use data for legitimate purposes with the protection of individual’s personal information as it is tasked with the administration and enforcement.

In doing so, the decisions conducted by PDPC are published on their website, which is open to all who want to read the latest data security standards set by the PDPC. With this, for the better observance of organizations with such standards, it is their duty to be kept updated with the latest PDPC decisions and undertakings.

Let’s have a look at the March 2023 cases with the latest cybersecurity updates to date.

March 10: “Not in breach” decision given to Sembcorp Marine 

On July 25, 2022, Sembcorp notified the PDPC of a data breach that happened through the exploitation of the Log4J zero-day vulnerability. With this incident, a total of 25,925 personal data of individuals were exfiltrated. This includes their name, address, email address, NRIC number, telephone number, passport number, photograph, and date of birth, among others. 

Investigations reveal that the bad actor exploited three Log4J vulnerabilities present in an application to gain unauthorised access to the Organisation’s server. It was also revealed that the threat actor deployed the “Cobalt Strike” beacon, conducted reconnaissance, and made lateral movements across several machines before exfiltrating data and deploying ransomware. 

After finding out about the Log4J vulnerability, Sembcorp took prompt action to identify instances of Log4J vulnerabilities across all the software applications it was using. The Organisation then implemented workarounds recommended by its vendors for systems whose patches were not available or had not been released. 

The PDPC was satisfied with Sembcorp’s prompt remedial actions and declared that there was no need for an enforcement action in relation to the incident.

What did we get from this case?

The prompt response of an organisation towards the incident can be a mitigating circumstance that could potentially remove the impending financial penalty. Moreover, conducting regular penetration testing can go a long way. 

This is because when you spot vulnerabilities in your system before bad actors do and perform the necessary remediations or fixes, bad actors will not be able to exploit such vulnerabilities and cause a data breach.

March 10: Breach of Protection Obligation by Eatigo International

Completing this month’s PDPC cases for the month of March is the case of Eatigo International. On October 29, 2020, the PDPC was notified about a possible data leak by Eatigo. It was found out that a cache of personal data that was suspected to be from the Organisation’s database was being offered for sale on an online forum.

This affected database contained personal data relating to approximately 2.8 million individuals, encompassing personal data such as passwords, access IDs, and Facebook tokens.

Investigations reveal that the personal data for sale on the online forum did not match any current databases in use by Eatigo at the time of the incident. However, this matched the structure of a legacy database which contained user data as of late 2018, the database they used prior to their migration to their current online platform.

After the migration, the affected database was not included in the Organisation’s Virtual Private Network infrastructure. Unfortunately, as Eatigo transitioned to a new engineering team, no one in the Organisation had knowledge of the affected database.

Investigations further revealed that no such password rotation rules were implemented for the affected database, unlike in the current online platform. There were no security reviews conducted, no system in place to monitor the exfiltration of large volumes of data, and no personal data asset inventory or access logs were maintained. 

With this, Eatigo International failed to implement reasonable security arrangements to protect the affected database from the risk of unauthorised access. For breaching the Protection Obligation under the PDPA, Eatigo International was made to pay a whopping financial penalty of S$62,400.

What did we get from this case?

For organisations with substantial personal data assets, the maintenance of an accurate and up-to-date personal data asset inventory is a prerequisite for complying with the Protection Obligation. This is to ensure that every personal data is accounted for and for tracking purposes. It is a good practice that would assist organisations in complying with the PDPA. 

Moreover, when an organisation handles a high volume of personal data, it is incumbent upon them to implement policies and practices to meet such security needs to discharge its obligation under the Protection Obligation.

How a DPO can help

Your appointed DPO can work with you on your PDPA compliance, ensuring that there will be policies in place to make sure that the handling of personal data is PDPA compliant. This includes making sure that your Organisation is maintaining a proper personal data asset inventory and that it is promptly coordinating with the PDPC in case of breach. 

A Data Protection Officer (DPO) oversees data protection responsibilities and ensures that organizations comply with the Personal Data Protection Act (PDPA). Furthermore, every Organization’s DPO should be able to curb any instances of PDPA noncompliance as it is the officer responsible for maintaining the positive posture of an organization’s cybersecurity.

DPOs complement organizations’ efforts to ensure that the organisation’s methods of collecting personal data comply with the PDPA. It also ensures that policies are set in place to make sure that there will be no instances of data breaches in the future.

Don’t wait any longer to ensure your organisation is PDPA compliant. Take our free 3-minute PDPA Compliance Self-audit checklist now, the same “secret weapon” used by our clients to keep them on track. Upon completion, we will send you the results so you can take the necessary action to protect your customers’ data. Complete the free assessment checklist today and take the first step towards protecting your customers’ personal data.