Lessons from PDPC Incident and Undertaking: August 2021 Cases
The Personal Data Protection Commission (PDPC) has published its decisions for August 2021 on its official website.
Tasked with the administration and enforcement of Singapore’s Personal Data Protection Act (PDPA), the PDPC aims to balance the protection of individuals’ personal data with organizations’ need to use the data for legitimate purposes.
The PDPC publishes its decisions on its website, where anyone can read them. Organizations that want to keep up with the expected standard of data protection should therefore follow the latest PDPC incidents and undertakings.
Let's review the August 2021 cases and see what they teach about cybersecurity.
August 12: Singapore Telecommunications Limited, social engineering attack with no breach of the Protection Obligation
Our first case of PDPC incident and undertaking involves Singapore Telecommunications Limited, or Singtel for short. Singtel notified the PDPC on 15 July 2021 of an incident that had taken place two days earlier. According to the filed information, a threat actor gained access to 17 subscriber accounts, requested the issuance of new SIM cards and other telco services, and locked the rightful owners out of their accounts.
Singtel's investigation found that the incident resulted from coordinated social engineering against its staff. Once staff accounts had been compromised, the attacker used them to take control of subscriber accounts.
No evidence was found of damage to the integrity of Singtel's IT systems, and no data was found to have been exfiltrated or otherwise compromised as a result of the incident. The PDPC also noted that Singtel had the following reasonable security arrangements in place:
- Password requirements in security policies, standards and guidelines were aligned to industry best practices;
- Systems and network enhancements were continually implemented to improve the security of applications and IT infrastructure;
- Comprehensive and annual mandatory training was conducted for all staff in relation to the requirements under the PDPA; and
- Reasonable security measures were in place for the work environment of all staff based locally and overseas.
Singtel responded quickly, containing the incident by suspending the compromised staff accounts and resetting passwords. The Deputy Commissioner for Personal Data Protection accordingly found that Singtel had met its Protection Obligation in respect of the incident.
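The attack chain above (compromised staff accounts used to push SIM reissues onto many subscriber accounts) is one a telco can detect from its own CRM audit trail. The following Python is an added example, not code from the PDPC decision or from Singtel: it runs a sliding-window rule over constructed audit log lines, flags any staff account that performs high-risk actions on an unusual number of distinct subscribers within a short window, and returns the staff accounts to suspend and the subscriber accounts to review. The log format, action names, window and threshold are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (not real Singtel data). Assumed fields:
# timestamp, staff_id, subscriber_id, action
SAMPLE_LOG = """\
2021-07-13T09:02:11 staff_a7 sub_1001 SIM_REISSUE
2021-07-13T09:04:40 staff_a7 sub_1002 SIM_REISSUE
2021-07-13T09:05:19 staff_a7 sub_1003 SIM_REISSUE
2021-07-13T09:07:02 staff_a7 sub_1004 SIM_REISSUE
2021-07-13T09:09:55 staff_a7 sub_1005 SIM_REISSUE
2021-07-13T09:11:30 staff_a7 sub_1006 SIM_REISSUE
2021-07-13T10:15:00 staff_b2 sub_2001 SIM_REISSUE
2021-07-13T14:30:00 staff_b2 sub_2002 ADDRESS_CHANGE
2021-07-13T16:45:12 staff_b2 sub_2003 SIM_REISSUE
"""

# Assumed set of account-takeover actions worth counting.
HIGH_RISK_ACTIONS = {"SIM_REISSUE", "PORT_OUT", "CONTACT_CHANGE"}


def parse_log(text):
    """Parse whitespace-separated log lines into sorted (ts, staff, sub, action) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, staff, sub, action = line.split()
        events.append((datetime.fromisoformat(ts), staff, sub, action))
    events.sort()
    return events


def flag_staff_accounts(events, window=timedelta(minutes=15), threshold=5):
    """Return {staff_id: set(subscriber_ids)} for staff accounts that performed
    high-risk actions on at least `threshold` distinct subscribers inside any
    sliding window of length `window`. Normal agents rarely touch that many
    accounts that fast; a stolen staff login used for bulk SIM swaps does."""
    per_staff = defaultdict(list)
    for ts, staff, sub, action in events:
        if action in HIGH_RISK_ACTIONS:
            per_staff[staff].append((ts, sub))
    flagged = {}
    for staff, acts in per_staff.items():
        start = 0
        for end in range(len(acts)):
            # Advance the window start until the window fits.
            while acts[end][0] - acts[start][0] > window:
                start += 1
            subs = {s for _, s in acts[start:end + 1]}
            if len(subs) >= threshold:
                flagged.setdefault(staff, set()).update(subs)
    return flagged


def containment_plan(flagged):
    """Turn detections into the two actions Singtel's response involved:
    suspend the staff account, then review (and restore) the subscriber accounts."""
    return {
        "suspend_staff": sorted(flagged),
        "review_subscribers": sorted(s for subs in flagged.values() for s in subs),
    }


if __name__ == "__main__":
    plan = containment_plan(flag_staff_accounts(parse_log(SAMPLE_LOG)))
    print(plan)
```

The threshold and window should be tuned against the organization's own baseline of legitimate agent activity; the rule above is deliberately simple so that it can run as a scheduled query over the audit table rather than requiring a SIEM.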
August 12: Equity Solution Pte Ltd, phishing scam remedial actions
Our second case of PDPC incident and undertaking involves Equity Solution Pte Ltd, or ESPL for short. This Singapore-based mortgage consultancy firm suffered a phishing attack in which an employee opened an email attachment carrying macro-enabled malware.
The resulting breach exposed the personal data of about 1,359 individuals, including names, addresses, dates of birth, NRIC numbers, passport numbers and financial information.
This is where an outsourced DPO can help. Appointing a Data Protection Officer (DPO) is mandatory under the PDPA; an outsourced DPO takes on that role, overseeing the organization's data protection responsibilities and ensuring that it complies with the Act.
The PDPC found that ESPL had not given its staff sufficient training on basic cybersecurity and data protection, had a weak IT security policy, and had no security risk management in place. ESPL addressed these findings by improving its personal data protection practices, as set out in its Undertaking.
The remediation plan comprised the following measures:
- Secured files and documents using password protection;
- Hardened its operating system;
- Implemented a strong password protection policy;
- Reviewed and updated its email usage policy;
- Implemented training and awareness programs for its employees; and
- Reviewed and updated its personal data protection policy.
After the PDPC’s evaluation, ESPL was found to have complied with the terms of the Undertaking.
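The ESPL incident started with a macro-enabled attachment, and one of the undertaking items was a revised email usage policy. A policy is only as good as the control that enforces it, so the following Python is an added example (not ESPL's code and not from the PDPC decision) of an attachment check a mail gateway could apply: it blocks files whose extension declares macros, blocks OOXML files that carry an embedded VBA project regardless of extension, and sends legacy binary Office files for manual review. The sample attachments are constructed in memory; the verdict names and the `.doc` renaming trick are illustrative assumptions. Office applications identify a document by its content rather than by its extension, which is why the check inspects the zip container and not just the filename.

```python
import io
import zipfile

# Magic bytes of the legacy OLE2 compound file format (.doc, .xls, .ppt).
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Extensions that declare macros by definition.
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm", ".ppam"}
# Zip entries that hold a VBA project inside an OOXML document.
OOXML_VBA_PARTS = {"word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin"}


def classify_attachment(filename, data):
    """Return (verdict, reason), verdict in {"block", "review", "allow"}.
    Conservative by design: anything that cannot be shown macro-free is not
    simply allowed. Legacy OLE2 files go to review because finding VBA inside
    them needs a full OLE stream parser, which this example does not include."""
    ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
    if ext in MACRO_EXTENSIONS:
        return "block", f"macro-enabled extension {ext}"
    if data.startswith(OLE2_MAGIC):
        return "review", "legacy OLE2 Office format; may contain VBA"
    if data.startswith(b"PK"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            return "review", "zip container could not be parsed"
        vba = OOXML_VBA_PARTS & names
        if vba:
            return "block", f"VBA project found: {sorted(vba)[0]}"
        if "[Content_Types].xml" in names:
            return "allow", "OOXML without VBA project"
        return "review", "plain zip archive (may contain nested attachments)"
    return "allow", "no Office container detected"


def _make_ooxml(parts):
    """Build a minimal OOXML-style zip in memory (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed sample attachments, not real phishing artefacts.
SAMPLES = {
    "invoice.docx": _make_ooxml({"word/document.xml": "<w:document/>"}),
    # A macro document delivered under a benign-looking legacy extension.
    "invoice.doc": _make_ooxml({"word/document.xml": "<w:document/>",
                                "word/vbaProject.bin": b"\x00"}),
    "statement.xls": OLE2_MAGIC + b"\x00" * 16,
    "report.pdf": b"%PDF-1.4 ...",
}


def scan_samples():
    """Classify every sample; returns {filename: verdict}."""
    return {name: classify_attachment(name, data)[0] for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, *classify_attachment(name, data))
```

In production the "review" verdict would hand the file to a sandbox or an OLE-aware scanner rather than to a person, and the allow list for OOXML should be paired with disabling macros from the internet at the endpoint, since a gateway check cannot see attachments that arrive by other routes.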
These two cases of PDPC incident and undertaking again illustrate the central role cybersecurity plays in complying with the PDPA, or with any personal data protection regime.
By keeping up to date with the Commission's decisions, your organization learns from real incidents how data breaches are handled, which adds to your preparedness should you face the same kind of compromise.