
Why protecting customer information matters: The case of MyRepublic

Organisations must practise due diligence in protecting customer information or face a potential financial penalty of up to S$1,000,000.

On MyRepublic and protecting customer information

The Personal Data Protection Commission (PDPC) has recently published this month’s decision. For September, only one case has been issued covering the financial penalty given to MyRepublic. Their PDPA violation? Failure to protect the personal data of their customers.

It should be noted that the Personal Data Protection Act (PDPA) aims to balance organisations’ need to use data for legitimate purposes against the protection of individuals’ personal information, and that the PDPC is tasked with its administration and enforcement.

In doing so, the PDPC publishes its decisions on its website, where anyone can read the latest data security standards it has set. Organisations that want to observe these standards therefore have a duty to keep up to date with the latest PDPC incidents and undertakings.

Let’s have a look at this month’s only case, along with the latest cybersecurity lessons it offers, and answer the question of why protecting customer information matters.

Whenever there is a failure of the organisation to protect customer information, or there has been a leak of personal data that the organisation is handling, there is a risk of losing the trust of the loyal customers and potential future clients.

September 15: The financial penalty imposed on MyRepublic

Our lone case this month involves MyRepublic. On 29 August 2021, the PDPC was informed that MyRepublic had been the subject of a cyber incident. According to the organisation, the bad actor had exfiltrated and deleted the personal data of its customers from its IT systems.

MyRepublic is a local telco provider that accepts customer orders for mobile services through its Mobile Order Portal. With this portal, the customers would submit their customer identity verification and number portability documents, which are also known as “KYC documents”.

The portal stored these KYC documents in cloud storage obtained from Amazon Web Services (AWS), which was accessible only with an access key. MyRepublic became aware that a bad actor had accessed these KYC documents, but did not initially know how the bad actor had got hold of the access key.

The organisation determined that the bad actor had likely obtained the access key through the portal’s functionality which displayed technical information and disclosed the access key in the portal’s source code repository.

The incident resulted in the access and exfiltration of the personal data of the organisation’s 79,388 customers. For breaching the Protection Obligation under the PDPA, the Commission ordered MyRepublic to pay a whopping S$60,000 financial penalty.

How is your organisation’s cybersecurity posture? Be sure you have sufficient tools, people, and processes to protect your organisation’s “oil” — customer information in your possession.

What can we get from this case?

This incident highlights the importance of removing configuration files, and any functionality that displays technical information, from a public-facing portal, as these may expose access keys that bad actors must not get hold of.

Furthermore, for better security, organisations should only allow access to the KYC documents stored in the cloud from specific IP addresses, through a block-all-with-exception policy.

Lastly, notwithstanding that the data was hosted on a vendor’s cloud service, it is the duty of the organisation to implement reasonable security arrangements to prevent the risk of unauthorised disclosure of customer data. This holds where the organisation retains control over such data.
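The block-all-with-exception policy described above, written out as an added example (not MyRepublic’s or Privacy Ninja’s code): an AWS S3 bucket policy that denies every request whose source IP is outside an allow-list, plus a local check of that condition so the allow-list can be verified before the policy is deployed. The bucket name and IP ranges are constructed placeholders.

```python
"""Block-all-with-exception access policy for a cloud document store (added example)."""
import ipaddress
import json


def build_kyc_bucket_policy(bucket: str, allowed_cidrs: list[str]) -> dict:
    """Return an S3 bucket policy that denies all actions from non-allowed IPs.

    An explicit Deny overrides any Allow granted elsewhere, so a request made
    with a stolen access key from an unexpected network is still refused.
    Note: requests arriving via a VPC endpoint are not matched by aws:SourceIp
    (AWS provides aws:VpcSourceIp for those) and would be denied by this rule.
    """
    for cidr in allowed_cidrs:
        ipaddress.ip_network(cidr)  # raises ValueError on a malformed range
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyOutsideAllowedNetworks",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
                "Condition": {"NotIpAddress": {"aws:SourceIp": allowed_cidrs}},
            }
        ],
    }


def denied_by_source_ip_policy(policy: dict, source_ip: str) -> bool:
    """Mimic the NotIpAddress evaluation: True if the Deny statement matches source_ip."""
    ip = ipaddress.ip_address(source_ip)
    for statement in policy["Statement"]:
        if statement["Effect"] != "Deny":
            continue
        ranges = statement["Condition"]["NotIpAddress"]["aws:SourceIp"]
        if not any(ip in ipaddress.ip_network(r) for r in ranges):
            return True  # outside every allowed range: the Deny applies
    return False


if __name__ == "__main__":
    # Constructed placeholders: one office range and one portal server address.
    policy = build_kyc_bucket_policy("example-kyc-documents", ["203.0.113.0/24", "198.51.100.10/32"])
    print(json.dumps(policy, indent=2))
    print(denied_by_source_ip_policy(policy, "203.0.113.7"))  # False: allowed office range
    print(denied_by_source_ip_policy(policy, "192.0.2.99"))   # True: blocked
```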

Your data protection officer works with you to make sure that when it comes to third-party service providers, your contract covers the full security measures that both parties must take to protect the personal data in your management.

Why protecting customer information matters

Given this case, it is necessary for organizations to practice due diligence in protecting customer information or else face a whopping financial penalty of up to S$1,000,000. But this is not all of it.

Whenever there is a failure of the organisation to protect customer information, or there has been a leak of personal data that the organisation is handling, this could result in the loss of trust from the loyal customers and potential future clients. Furthermore, this could also mean besmirching the brand trust that took years to build.

With this, we can conclude that when an organisation is not careful enough in handling personal data, it could mean the end of the organisation. This is why protecting customer information matters: a lot stands to be lost if it is handled carelessly.
