October 2021 PDPC Incidents and Undertaking
The October 2021 PDPC Incidents and Undertaking decisions of the Personal Data Protection Commission (PDPC) have been published on the PDPC’s official website for the month of October. Four (4) cases were highlighted this month, with decisions ranging from warnings and directions to whopping financial penalties for failing to put in place reasonable security arrangements to protect the personal data in an organization’s possession, failures that resulted in that personal data being exposed.
It should be noted that the Personal Data Protection Act (PDPA) aims to balance organizations’ need to use data for legitimate purposes with the protection of individuals’ personal information, and that the PDPC is tasked with the Act’s administration and enforcement.
In doing so, the decisions issued by the PDPC are published on its website, which is open to anyone who wants to read the latest data security standards set by the PDPC. Accordingly, to better comply with these standards, organizations have a duty to keep up to date with the latest PDPC incidents and undertakings.
Let’s have a look at the October 2021 cases and the latest cybersecurity updates they bring.
October 14: ChampionTutor Inc. Pte Ltd, SQL injection in its website
Our first case of PDPC incident and undertaking involves ChampionTutor Inc. Pte Ltd. It reported to the PDPC on February 24 that its database, containing the personal data of individuals, was being sold on the dark web; the Organization itself had only learned of this when it was notified.
The Organization suspected that the cause was an SQL injection vulnerability in its website: ChampionTutor had known of this vulnerability as far back as December 2020 and had instructed its developer to fix it, but it was left unfixed.
This resulted in a breach of the personal data of 4,625 individuals, including names, email addresses, contact numbers, and addresses. The Organization was thus issued a financial penalty of SGD 10,000.
From this case, it can be deemed that an Organization must exercise diligence in patching vulnerabilities within its systems. This case also highlights the need for penetration testing to ensure that its systems and networks are secure and not prone to cyberattack.
As far as possible, whenever an IT request such as a fix is made, the Organization must follow through and confirm that it has actually been executed, to prevent problems in the future.
October 14: Stylez Pte Ltd, Compromised testing database
Our second case of PDPC incident and undertaking involves Stylez Pte Ltd, which suffered a similar fate to ChampionTutor Inc. Pte Ltd.
The Organization created and operated the Portal. In July 2016, it created a new database containing data from the Portal in order to test a new Portal function in a separate test environment. However, the testing database was compromised, and the data it contained was accessed and exfiltrated in December 2019.
This resulted in a breach of 9,983 individuals’ personal data, including their names, email addresses, and phone numbers. The Organization was thus fined a whopping SGD 37,500 for the incident and was directed to develop and implement internal data protection policies and practices to comply with the PDPA.
We can infer from this case that Organizations must undertake extraordinary measures to ensure that the data they use for legal and official business purposes, including copies of that data placed in test environments, will not be breached, or else a hefty fine will be waiting.
Furthermore, in comparison with the ChampionTutor case, it can also be deemed that the more personal data is breached, the higher the penalty imposed. This must serve as a reminder to all Organizations that the PDPC does not take data breaches lightly, especially where the Organization handles and stores large volumes of sensitive data.
October 2021 PDPC Incidents and Undertaking: Warning and other directions
Completing this month’s published decisions are the following: The National Kidney Foundation, which received a warning from the PDPC with regard to an employee’s compromised email account, and J & R Bossini Fashion Pte Ltd, which received directions after a ransomware attack affected the IT systems of the Organization’s group of companies.
We can infer from these cases that when there is a potential threat to the data managed by an Organization, it does not necessarily mean that the Organization will be heavily fined outright.
Where no data was breached thanks to the Organization’s prompt remedial actions, even though there was an infiltration due to a failure to put in place reasonable security arrangements, a fine is not necessary, especially where extensive measures are actively being put in place to prevent such incidents from happening again in the future.