October 2021 PDPC Incidents and Undertaking: Lessons from the Cases


The Personal Data Protection Commission (PDPC) has published its October 2021 Incidents and Undertaking decisions on its official website. Four (4) cases were highlighted this month, with decisions ranging from warnings and directions to whopping financial penalties for organizations that failed to put in place reasonable security arrangements to protect the personal data in their possession, resulting in that personal data being exposed.


It should be noted that the Personal Data Protection Act (PDPA) aims to balance organizations’ need to use data for legitimate purposes with the protection of individuals’ personal information, and the PDPC is tasked with its administration and enforcement.


To that end, the PDPC publishes its decisions on its website, which is open to anyone who wants to read the latest data security standards set by the PDPC. To better observe these standards, organizations have a duty to keep themselves updated on the latest PDPC incidents and undertakings.
Let’s have a look at the October 2021 cases with the latest cybersecurity updates.



October 14: ChampionTutor Inc. Pte Ltd, SQL injection in its website

Our first PDPC incident and undertaking case involves ChampionTutor Inc. Pte Ltd. It reported to the PDPC on February 24 that its database, containing personal data of individuals, was being sold on the dark web, and the commission only notified the Organization.


The Organization suspected that the cause could have been an SQL injection vulnerability in its website. ChampionTutor had known of this vulnerability since December 2020 and had instructed its developer to fix it, but it was left unfixed.

This resulted in a breach of 4,625 personal data, including names, email addresses, contact numbers, and addresses. The Organization was therefore issued a financial penalty of SGD 10,000.

This case shows that an Organization must exercise diligence in patching vulnerabilities within its systems. It also highlights the need for penetration testing to ensure that the Organization's systems and networks are secure and not prone to cyberattack.

Whenever an IT request is made, the Organization must see to it, as far as possible, that the request is actually carried out, to prevent future problems.


October 14: Stylez Pte Ltd, Compromised testing database

Our second PDPC incident and undertaking case involves Stylez Pte Ltd, which suffered the same fate as ChampionTutor Inc. Pte Ltd.

The Portal was created and operated by the Organization. In July 2016, it created a new Database containing data from the Portal to test the Portal’s new function in a separate test environment. However, the testing database was compromised, and the data it contained was accessed and exfiltrated in December 2019.

This resulted in a breach of 9,983 individuals’ personal data, including their name, email address, and phone number. Thus, the Organization was fined a whopping SGD 37,500 for the incident and was directed to develop and implement internal data protection policies and practices to comply with the PDPA.


We can infer from this case that Organizations must undertake extraordinary measures to ensure that the data they use for legal and official business purposes is not breached, or else a hefty fine will be waiting.

Furthermore, in comparison to the ChampionTutor case, it appears that the more personal data is breached, the higher the penalty imposed. This must serve as a reminder to all Organizations that the PDPC does not take data breaches lightly, especially for those who handle and store large volumes of sensitive data.

October 2021 PDPC Incidents and Undertaking: Warning and other directions


Completing this month’s published decisions are the following: The National Kidney Foundation, which received a warning from the PDPC with regard to an employee’s compromised email, and J & R Bossini Fashion Pte Ltd, which received directions after a ransomware attack affected the IT systems of the Organization’s group of companies.

We can infer from these cases that when there is a potential threat to the data managed by an Organization, it does not necessarily mean that these Organizations will be heavily fined outright.

When no data was breached because of the Organization’s prompt remedial actions, even though there was infiltration due to a failure to put in place reasonable security arrangements, a fine is not necessary, especially when extensive measures are actively being put in place to prevent such incidents from happening in the future.
