Privacy Ninja

PDPC new undertaking 2023: Nippon Express

The PDPC new undertaking 2023 is here to serve as a case study for Singapore organisations

PDPC new undertaking 2023: Nippon Express Group

A new year brings a new set of decisions and undertakings to study as guidance for our cybersecurity compliance. All year round, these cases will pave the way for the added security measures organisations adopt to keep bad actors at bay.

The PDPC new undertaking 2023 has been published on PDPC’s official website. For this month of January, one (1) case has been issued covering the undertaking given to Nippon Express after a malicious actor targeted it.

It should be noted that the Personal Data Protection Act (PDPA) aims to balance organisations’ need to use data for legitimate purposes with the protection of individuals’ personal information; the PDPC is tasked with its administration and enforcement.

To that end, the PDPC publishes its decisions on its website, which is open to all who want to read the latest data security standards set by the PDPC. To better observe these standards, organisations have a duty to keep themselves updated on the latest PDPC incidents and undertakings.

Let’s have a look at the PDPC new undertaking 2023 case with the latest cybersecurity updates to date.

This undertaking aims to ensure that organizations are aware of the latest advancements in cybersecurity and can take the necessary steps to protect the personal data they handle.

PDPC new undertaking 2023: Nippon Express

This month’s only decision involves Nippon Express’ undertaking by the Personal Data Protection Commission (PDPC). On November 14, 2021, Nippon was targeted by a bad actor, which resulted in several of its servers and endpoints being encrypted with an unknown ransomware variant.

Nippon centrally manages such servers, and at the time of the incident, the affected servers contained not only the personal data from the organisation itself but also the personal data of Nippon Express (South Asia & Oceania) Pte Ltd and NEX Global Engineering Pte Ltd.

As a result, the personal data of 1,077 individuals was affected, including their names, addresses, telephone numbers, NRIC numbers, passport numbers, photographs, dates of birth, health information, and financial information.

Upon investigation, it was found that Nippon Express lacked MFA for administrative and remote access to all systems and had inadequate security reviews to identify vulnerabilities within its infrastructure.

With this, Nippon Express implemented the following remedial actions:

(a) Implemented MFA for all administrative and remote access;
(b) Reviewed Active Directory accounts;
(c) Performed an external and internal vulnerability assessment;
(d) Ensured all software and operating systems were updated with patches;
(e) Ensured the usage of strong passwords;
(f) Implemented enterprise-grade anti-virus software;
(g) Implemented the 3-2-1 backup rule; and
(h) Removed remote access tools.

After considering the facts of the case, including Nippon Express Group’s remedial actions to enhance its personal data protection procedures, the Commission accepted Nippon Express’s undertaking to strengthen its compliance with the Personal Data Protection Act 2012.

Bad actors are lurking. Conduct a pen test now to check if your organisation has vulnerabilities that they can exploit!

Penetration testing to combat vulnerabilities

With bad actors lurking around, an organisation must not leave vulnerabilities lying around. Since the naked eye cannot see these, it is a best practice for every organisation in Singapore to conduct periodic penetration testing to ensure that every vulnerability present is identified and patched up so that bad actors can’t get a hold of them.

Privacy Ninja can assist you in this endeavor by providing penetration testing services, which check if your organisation has vulnerabilities that could be exploited by bad actors, whether in your email environment or your organisation in general. 

Privacy Ninja has years of experience in cybersecurity and offers quality services, as evidenced by the feedback from its clients as the years go by. It is a licensed VAPT provider (Penetration Testing Service License No. CS/PTS/C-2022-0128) and has the best team of professionals who are experts in their field, leaving no stone unturned in checking for any vulnerabilities in your system or organisation as a whole. 

Moreover, we work hand in hand with our clients and deliver results on time, especially when there is a hint of vulnerabilities that need to be checked. Most importantly, Privacy Ninja has a Price Beat Guarantee, which makes the service even more affordable without compromising the quality of service each client deserves.

What are you waiting for? Choose Privacy Ninja now as your penetration testing partner and experience the quality of services brought to you by cybersecurity experts at an affordable price, backed by our Price Beat Guarantee!
