September 2021 PDPC Incidents and Undertaking: Lessons from the Cases

September 2021 PDPC Incidents and Undertaking

For the month of September, the latest decisions and undertaking of the Personal Data Protection Commission (PDPC) have been published on PDPC’s official website. There are several cases highlighted this month, with decisions ranging from directions to hefty financial penalties.

It should be noted that the Personal Data Protection Act (PDPA) aims to balance the organizations’ needs to use data for legitimate purposes with the protection of individuals’ personal information as it is tasked with the administration and enforcement.

In doing so, the decisions conducted by PDPC are published on their website that is open to all who want to read the latest data security standards set by the PDPC. With this, for better observance of organizations with such standards, it is their bounden duty to be kept updated with the latest PDPC incident and undertaking. 

Let’s have a look at the September 2021 cases with the latest cybersecurity updates.

Also Read: The 5 Important Things to Know in Security Pen Testing

September 21: Financial penalty for companies failing to put in place reasonable security arrangements to protect personal data

Under the published decisions, our first case involves Seriously Keto Pte. Ltd. On June 16, 2020, the subject organisation notified the Personal Data Protection Commission of a ransomware infection that occurred on or about June 15, 2020. Approximately 3,073 individuals’ names, addresses, email addresses and telephone numbers were affected with this incident. With this, the Deputy Commissioner for Personal Data Protection fined Seriously Keto Pte. Ltd $8,000 for its negligence.

It’s clear from the incident above that vulnerability in a company’s digital infrastructure may lead to potential ransomware infection and other serious damage. Thus, organisations must make it a priority to conduct regular network assessment and penetration testing.

Sendtech Pte. Ltd. suffered the same decision as it was fined $9,000 due to failure to place reasonable security arrangements that resulted to breach of information of 64,196 customers and 3,401 contractors and the contactors’ employees because of an unauthorized access to the Organization’s Amazon Web Services (AWS) account via an access key.

Similar to Seriously Keto’s case, this incident could have been prevented if regular network assessment and audit trail (among others) were conducted.

Our third incident is a case of personnel carelessness due to inadequate PDPA training. SAP Asia Pte. Ltd. was also fined heavily due to disclosing payroll information of former employees to the wrong email recipients. With this, the company was made to pay a whopping $13,500 fine. 

The last organisation penalized financially this month is Larsen & Toubro Infotech Limited (Singapore Branch), whereby they were fined $7,000. This was due to an LTI employee’s negligence in sending an email reminder to 54 job applicants with their name and other confidential information, and placed in the “To” field and thus visible to all recipients.

Directions and a warning

Completing this month’s published decisions are the following: Specialized Asia Pacific, who received warning from the Commission after their quick remediation steps prevented a potential data breach, and both NUInternational Singapore and Newcastle Research and Innovation Institute, who received directions after they were found guilty of violating the Transfer Limitation Obligation.

With these cases, we can infer from that the Personal Data Protection Commission does not take lightly breaches of personal and sensitive information, whether it be accidental e-mail sent to a wrong recipient or a ransomware attack.

It should be noted by companies and organizations that the personal and sensitive information of employees should be their first priority because if not, the Personal Data Protection Commission (PDPC) will always be there to impose sanctions to them.

September 21: MindChamps PreSchool Limited; data breach remedial actions

On February 27, 2020, the Personal Data Protection Commission received information that the users of MindChamps Preschool Limited’s personal information in its mobile application was publicly accessible via an internet link. Approximately 6,521 individuals’ personal data were affected namely, email addresses, login passwords and mobile numbers. Furthermore, 607 minors’ birth certificate were at risk of being disclosed by anyone.

Such undertaking provides that MindChamps was to:

(a) engage an external IT consultant to determine the cause of the incident; 
(b) perform a password reset for all the user accounts of its mobile application; and 
(c) migrate all users to a newly designed mobile application. 

Having considered the circumstances of MindChamps Preschool Limited’s case, including the remedies it is willing to undertake to improve its data protection practices, the Personal Data Protection Commission accepted an undertaking to improve MindChamps’ compliance with the Personal Data Protection Act 2012.

The undertaking that was executed on the 7th of January 2021 provided that MindChamps was to complete the implementation of its remediation plan by carrying out data protection and security reviews on all of its current frontend and backend IT systems. Furthermore, trainings for its employees will be conducted by MindChamps alongside ensuring their compliance with its policies on vendor security management and to perform data protection impact assessments for any new IT projects.

Also Read: A Review of PDPC Undertakings July 2021 Cases

Cyber hygiene awareness at the forefront

Many of the published incidents this month can be traced back to two lapses: lack of PDPA training among personnel and failure to conduct regular vulnerability assessment and penetration testing. With cyber incidents at an unprecedented high due to digital acceleration and the modern business landscape, organisations must prioritise cyber hygiene awareness.