November 2021 PDPC Incidents and Undertaking
The November 2021 PDPC Incidents and Undertaking decisions of the Personal Data Protection Commission (PDPC) have been published on PDPC’s official website. Three (3) cases were highlighted this month, with outcomes ranging from no breach at all to whopping financial penalties for failure to put in place reasonable security arrangements to protect personal data in an organization’s possession, which resulted in that personal data being exposed.
It should be noted that the Personal Data Protection Act (PDPA) aims to balance organizations’ need to use data for legitimate purposes against the protection of individuals’ personal information; the PDPC is tasked with the Act’s administration and enforcement.
In doing so, the PDPC publishes its decisions on its website, which is open to anyone who wants to read the latest data security standards set by the PDPC. For better observance of these standards, organizations have a duty to keep themselves updated on the latest PDPC incidents and undertakings.
Let’s have a look at the November 2021 cases with the latest cybersecurity updates.
November 14: Giordano Originals (s) Pte Ltd, unauthorized network entry and ransomware infection
Our first case of PDPC incidents and undertaking involves Giordano Originals (s) Pte Ltd. The PDPC was notified that, on or about July 12, 2020, an unauthorized network entry and ransomware infection at the OS and server level had occurred.
Through the Organization’s own independent investigation, it was found that the unauthorized entry had most likely occurred through the use of compromised credentials obtained through phishing.
As a result, the personal data of 790,000 of the Organization’s members and 184 employees, held in encrypted form, was affected. However, the PDPC did not impose any fine, as it was found that:
- The Organization had in place reasonable security measures that are consistent with the recommendations;
- The Organization had installed and deployed various endpoint security solutions;
- The Organization also conducted regular periodic system maintenance, reviews, and updates;
- The Organization ensured that its data was regularly and automatically backed-up;
- The Organization had also taken steps to better protect the personal data affected.
From this case, we can infer that a breach does not automatically mean that the PDPC will impose a fine. This is a landmark case that every Organization should look to, as it shows how an Organization can avoid a hefty fine simply by following the cybersecurity recommendations of the PDPC laid down under the PDPA.
In the case at bar, since Giordano Originals (s) Pte Ltd had put in place safeguards to prevent breaches from happening, and had a process for what to do during an attack, which involved restoring from back-ups and further strengthening its cybersecurity posture, the PDPC ruled that Giordano Originals (s) Pte Ltd had met its Protection Obligation under Section 24 of the PDPA.
November 14: Commeasure Pte Ltd, data breach affecting 5,892,843 customer records
Our second case of PDPC incidents and undertaking involves Commeasure Pte Ltd, which was made by the PDPC to pay a hefty fine of 74,000 SGD for its personal data breach.
On September 19, 2020, the Commission received information that the Organization’s database had been accessed and exfiltrated. Upon investigation, the breach was traced to an Amazon Web Services (“AWS”) access key that was publicly available, embedded within an Android application package (APK) that anyone could download.
The APK had been created sometime in 2015, when the Organization was still new. It was regarded as “defunct,” which is why, when the Organization conducted penetration testing to look for vulnerabilities, the APK was not within the scope of the test.
Because of the incident, the Organization was made to pay a hefty fine of 74,000 SGD for the database breach, which affected 5,892,843 customers. The Commission highlighted that even though IT security reviews had been conducted, they were not enough. The Commission also stated that this case was the largest data breach in history.
From this case, we can infer that an Organization must keep close track of the services it offers, especially while it is still new. Furthermore, before a service is made public, it must first go through penetration testing, not after it becomes available for any user to use. This way, early vulnerabilities will not be exploited after the service goes live.
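The root cause in the Commeasure case was a long-term AWS access key shipped inside a downloadable APK. As an added example (not part of the original post or any of the organizations’ own tooling), the following Python scans every member of an APK, which is just a zip archive, for the AWS access key ID format, the kind of pre-release check that would have flagged a legacy build even if it had been left out of a penetration test. The sample APK is constructed in memory and the key ID AKIAIOSFODNN7EXAMPLE is the placeholder used in AWS documentation, not a real credential.

```python
import io
import re
import zipfile

# AWS access key IDs are 20 characters: a 4-character prefix (AKIA = long-term key,
# ASIA = temporary key) followed by 16 upper-case alphanumerics. The lookarounds
# stop the pattern from matching inside a longer token (e.g. a base64 blob).
AWS_KEY_ID = re.compile(rb"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")


def scan_apk(apk_bytes):
    """Return {zip member name: [key IDs found]} for an APK held in memory.

    Every member is scanned as raw bytes rather than decoded: dex files store
    string constants as (M)UTF-8, so an ASCII key ID compiled into application
    code is still visible to the regex, as are keys left in resource XML.
    """
    findings = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for member in apk.namelist():
            hits = sorted({m.decode() for m in AWS_KEY_ID.findall(apk.read(member))})
            if hits:
                findings[member] = hits
    return findings


def build_sample_apk():
    """Constructed stand-in for an old, forgotten APK (hypothetical package name).

    It embeds AKIAIOSFODNN7EXAMPLE, the documented AWS placeholder key ID, both
    in a resource file and in a fake classes.dex, plus a near-miss token that
    must NOT be reported (too short to be a key ID).
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        apk.writestr("AndroidManifest.xml", b"<manifest package='com.example.legacy'/>")
        apk.writestr("res/values/strings.xml",
                     b'<string name="aws_key">AKIAIOSFODNN7EXAMPLE</string>')
        apk.writestr("classes.dex",
                     b"dex\n035\x00AKIATOOSHORT\x00AKIAIOSFODNN7EXAMPLE\x00")
    return buf.getvalue()


if __name__ == "__main__":
    for member, keys in scan_apk(build_sample_apk()).items():
        print(f"{member}: {', '.join(keys)}")
```

A hit on any member means the build must not ship until the key is removed and rotated; the same scan belongs in CI so that every build, not only those in a test’s scope, is covered.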
November 2021 PDPC Incidents and Undertaking: Fujioh International Trading Pte Ltd
Completing this month’s published decisions is the case of Fujioh International Trading Pte Ltd, where the PDPC accepted the undertaking of the Organization regarding the personal data that was exposed in its Online Warranty System found on its website.
Due to the incident, the personal data of 2,771 individuals was affected, comprising names, addresses, email addresses, and telephone numbers.
From this case, we can infer that a potential threat to the data managed by an Organization does not necessarily mean that the Organization will be heavily fined outright.
When no data was breached, thanks to the Organization’s prompt remedial actions, even though there was infiltration due to a failure to put in place reasonable security arrangements, a fine is not necessary, especially when extensive measures are actively being put in place to prevent such incidents from happening in the future.