Privacy Ninja

Personal data protection in the MCST context: 3 Case studies

MCSTs are organisations that also need to comply with the PDPA. Since they process personal data, they must meet the PDPA obligations for the protection of personal data. Failure to do so means they can be liable for a financial penalty and the other consequences that accompany it.

The following are PDPC decisions involving MCSTs, and the lessons we can draw from their mistakes:

MCSTs can be liable under the PDPA

Breach of PDPA obligation by MCST 3400

Our first case involves MCST 3400, where the PDPC was notified that a directory containing personal data from MCST Title Plan No. 3400 could be accessed on the internet by anyone. Prior to the incident, the MCST had purchased a Network Attached Storage device (NAS) for internal file sharing among its administrative staff over a local network.

The MCST Title Plan No. 3400 directory (the Directory) was one of the files stored on the NAS and contained the personal data of 562 affected individuals. The organisation had not intended the NAS to be connected to the internet and, prior to the incident, did not know that it could be accessed that way. Upon discovery, the organisation promptly disconnected it. Fortunately, for this incident the organisation was only given a warning.

What we can learn from this case is how important it is to put reasonable security measures in place to protect personal data and avoid breaching the Protection Obligation. This includes:

  • Doing code reviews and pre-launch testing before deploying any new IT features or changes to existing IT systems.
    • In this case, a NAS was used. Before a new IT feature or system is put into use, these processes help MCSTs find and fix any bugs or misconfigurations in it. There have been a number of cases where mistakes in application code led to the accidental disclosure of, or access to, personal information.
  • Checking the security of their IT systems periodically. The scope of these security reviews should depend on how the organisation assesses its data protection needs.
    • Such a review could have discovered that the NAS was reachable from the internet.
  • Using up-to-date online vulnerability scanning tools as part of the regular security checks of their IT systems.
    • Organisations should also learn how to use these tools well, or get help from companies like Privacy Ninja that have the right expertise. When organisations use these kinds of tools, they have a good chance of finding common security holes in their IT systems.

Breach of PDPA obligation by MCST 3593 and New-E Security

Our next case involves MCST Title Plan No. 3593 and others, where the PDPC was notified of the unauthorised disclosure by New-E Security of CCTV footage recorded at the premises of MCST 3593.

This happened because an employee of New-E Security sent the requested CCTV footage, which captured images of identifiable individuals passing through the premises, to the person who asked for it. The footage was then uploaded online in a Facebook post. For this incident, MCST 3593 was made to pay a financial penalty of $5,000, and New-E Security was directed to put in place a data protection policy and internal guidelines, including procedures for the proper management of, and access control over, CCTV footage.

What we can take from this case is the importance of appointing a Data Protection Officer (DPO). The absence of one was the reason no data protection policies covering the disclosure of CCTV footage had been put in place. Appointing a DPO is not only necessary for every organisation's data compliance; it is also required under the PDPA.

A DPO could have ensured that there were no such instances of CCTV footage being transmitted, and employee training could have raised awareness of PDPA compliance and other relevant rules.

MCSTs should ensure that their employees are well aware of the data protection policies to avoid data breach.

Breach of PDPA obligation by MCST 4375 and A Best Security Management (ABSM)

Our last case involves MCST Title Plan No. 4375 and others, where the PDPC became aware of CCTV footage uploaded online showing a glass door falling on a woman at the premises of MCST 4375.

This happened because an employee of ABSM recorded CCTV footage of the incident and transmitted it to others via WhatsApp, after which it ended up on YouTube. Following this incident, the PDPC found that both the MCST and ABSM were in breach of the PDPA. Luckily, they were only given directions to follow.

What we can take from this case is the importance of employee awareness of data protection policies and compliance. Employees are often the weakest link in an organisation's cybersecurity hygiene, which is why cybersecurity efforts should focus on them.

One of the directions given to MCST 4375 and ABSM was to implement the necessary policies and security arrangements for the protection of personal data and to conduct training for their employees so that such incidents do not happen again.

Do’s and Don’ts for MCSTs

1. Do ensure you have the individuals' permission, and notify them, before you share or publish their personal information, especially if it is not public information.

2. Do ensure that the MCST has all the security measures it needs to protect documents that contain information that can be used to identify a person. This could mean hiring third-party providers to do vulnerability assessments before a system goes live and putting in place policies for password protection if needed.

3. Do limit the number of copies of sensitive personal information to lower the risk of breaching the PDPA.

4. Don’t assume that a hired data intermediary, like a security service, is the only one responsible for protecting personal data.

5. Don’t give out or publish more personal information or keep it out there for longer than you need to.
