New Singapore Personal Data Protection Regulator’s Decisions and Undertakings on 11 May 2023

  • Legal development, 8 June 2023
  • Asia-Pacific
  • Data protection and privacy

The Singapore Personal Data Protection Commission (“PDPC”) published its latest enforcement decisions and voluntary undertakings on 11 May 2023.

In total, 3 enforcement decisions (the Kingsforce Management Services case, the Fortytwo case and The Law Society of Singapore case) and 1 voluntary undertaking (the SpeeDoc case) were published.

In this client update, we summarise the decisions and undertakings and present our key takeaways.1

Key takeaways:

There are several key takeaways from these recent decisions and the undertaking:

  1. In the Kingsforce Management Services case, the organisation was found in breach of section 24 (the "Protection Obligation") of the Personal Data Protection Act ("PDPA") after more than 50,000 jobseeker datasets were leaked through a website built on outdated coding technology that contained critical vulnerabilities. The breach arose from two failures. First, the organisation did not give its vendors clear specifications on how to protect its database and the personal data in it. Second, it did not conduct reasonable periodic security reviews, including vulnerability scans, at any point since the launch of its website. The case is significant because the PDPC imposed no financial penalty despite the substantial leak. Instead, it issued a number of directives focused on rectification and on preventing a recurrence. The case highlights the mitigating factors the PDPC weighs: the organisation's efforts towards website security, its cooperation during the investigation, its voluntary admission of the breach of the Protection Obligation and its prompt remediation. 
  2. In the Fortytwo case, malicious code injected into the organisation's website captured the credit card details of close to 100 individuals and the email addresses and passwords of more than 6,000 individuals. The organisation was found in breach of the Protection Obligation and was fined S$8,000, with further rectification directives from the PDPC. The case highlights the importance of applying software patches promptly. The organisation had considered and evaluated four patches but decided to hold back on installing them, which increased the risk of malicious code injection. The PDPC also gave much needed clarity on whether fictitious names or pseudonymous personal particulars form part of the personal data in an organisation's possession or control. The PDPA defines "personal data" as data, whether true or not, about an individual who can be identified. An organisation's obligations under the PDPA to protect such data, and to use it only for the purposes for which it was collected, therefore apply to the entire customer database regardless of whether individual records are accurate.
  3. In the Law Society of Singapore ("LawSoc") case, a threat actor gained access to the IT administrator's account and executed a ransomware attack on the servers, affecting the personal data of more than 16,000 members. LawSoc was found to have negligently breached the Protection Obligation by (i) using an easily guessable password for the compromised admin account, (ii) failing to change the password for that account at reasonable intervals, and (iii) failing to conduct any periodic security reviews in the three years leading up to the incident. In arriving at its decision, the PDPC referred to its published Guide to Data Protection Practices for ICT Systems and emphasised that two-factor or multi-factor authentication (2FA or MFA) should be the norm for accounts with administrative privileges and for systems that manage sensitive data or large volumes of personal data.
  4. In the SpeeDoc case, the organisation's AWS S3 bucket was incorrectly configured, which enabled public access to the personal data of more than 12,000 individuals. SpeeDoc took immediate remedial action to address the cause of the breach and to prevent a recurrence. The case is significant because the remedial actions were extensive and were spread over a long period. The PDPC was first notified of the incident on 27 October 2020, about two and a half years before the undertaking was published, and the target completion dates for the various remedial actions ranged widely. The actions consisted of security training for internal staff, the formation of a security team, the development of internal policies and procedures, a third-party audit and ISO 27001 certification. This shows that, for a sufficiently complex case involving a substantial leak of personal data, the PDPC is prepared to accept a long-term remediation plan as part of an undertaking.
Summary of each decision and undertaking (name; summary of incident; type of potential breach of the PDPA; complaint or self-reported; number of affected individuals and types of personal data affected; outcome):

Kingsforce Management Services

Incident: Personal data breach

Summary of incident: Jobseeker datasets were leaked because the website was built on outdated coding technology that contained critical vulnerabilities. As the website was not completed at launch owing to contractual disputes, Kingsforce Management Services subsequently engaged IT maintenance vendors; however, that maintenance was ad hoc and limited.

Type of potential breach of the PDPA: Protection Obligation. The PDPC held that Kingsforce Management Services failed to:

  • provide sufficient clarity and specifications to its vendors on how to protect its database and personal data;
  • conduct reasonable periodic security reviews, including vulnerability scans, since the launch of its website.

Complaint / self-reported: Self-reported

Affected individuals: 54,900. Personal data affected included:

  • Names
  • Addresses
  • Email addresses
  • Telephone numbers
  • Dates of birth
  • Job qualifications
  • Last and expected salary
  • Highest qualification and other data related to job searches

Outcome:

  • No financial penalty
  • Various directives issued by the PDPC, with deadlines, for rectification and prevention of future occurrences, including regular patching, updates and upgrades.

Fortytwo Pte. Ltd.

Incident: Personal data breach

Summary of incident: Fortytwo was the subject of unauthorised access to its IT network. Malicious code injected into its website captured the credit card details, email addresses and passwords of individuals when they logged in.

Type of potential breach of the PDPA: Protection Obligation. The PDPC held that:

  • Fortytwo's failure to patch had increased the risk of a malicious code injection capable of capturing users' personal data. Four patches had been released by Adobe to address several high-severity issues and critical bugs; after evaluating them, Fortytwo decided to hold back on installing them;
  • Notwithstanding the disruption caused by the pandemic, Fortytwo had been given ample notice of the impending end of support but took no action to perform the necessary upgrade between November 2015 and early 2020.

Complaint / self-reported: Self-reported

Affected individuals: 6,241 individuals, for whom the personal data affected included:

  • Email addresses
  • Passwords

and 98 individuals, for whom the personal data affected included:

  • Names
  • Credit card numbers
  • Expiry dates
  • CVV/CVN numbers

Outcome:

  • Financial penalty of S$8,000
  • Further rectification directives issued by the PDPC, including upgrading Fortytwo's website and carrying out a vulnerability assessment and penetration test.

The Law Society of Singapore

Incident: Personal data breach

Summary of incident: LawSoc was the subject of a ransomware attack. The threat actor gained access to the account of the organisation's IT administrator and created a new account with full administrative privileges, which was used to execute a ransomware attack on the servers and encrypt their contents.

Type of potential breach of the PDPA: Protection Obligation. The PDPC found that LawSoc had negligently breached the Protection Obligation by:

  • using an easily guessable password for the compromised admin account;
  • failing to change the password for the compromised admin account at reasonable intervals;
  • failing to conduct any periodic security reviews in the three years leading up to the incident.

Complaint / self-reported: Self-reported

Affected individuals: 16,009. Personal data affected:

  • Names
  • Residential addresses
  • Dates of birth
  • NRIC numbers

Outcome:

  • No financial penalty
  • Various directives issued by the PDPC to carry out a security audit and rectify the security gaps identified in the audit report.

SpeeDoc Pte. Ltd.

Incident: Personal data breach

Summary of incident: SpeeDoc's AWS S3 bucket was incorrectly configured, which enabled public access to the personal data stored in it. Consequently, the personal data of 12,652 individuals was exposed to public access.

Type of potential breach of the PDPA: Protection Obligation.

  • The PDPC investigated certain acts and practices of SpeeDoc and had reason to believe that the organisation had not complied, was not complying, or was likely not to comply with one or more provisions of the PDPA.
  • SpeeDoc cooperated with the investigation and took immediate remedial action to prevent a recurrence, including:
    • Formation of a security team
    • Security training for the engineering team
    • ISO 27001 certification
    • IT operating procedure policy
    • Systems acquisition and development security policy
    • Incident management procedures
    • Third-party security audit
    • Security awareness training for staff
    • Training for InfoSec staff
  • SpeeDoc submitted a voluntary undertaking to the PDPC.

Complaint / self-reported: Self-reported

Affected individuals: 12,652. Personal data affected:

  • Names
  • Phone numbers
  • Email addresses
  • NRIC numbers
  • Lab test results
  • Profile pictures
  • Photos of symptoms and medicines

Outcome:

  • Voluntary undertaking; no admission of breach of the PDPA
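The root cause in the SpeeDoc undertaking, an S3 bucket configured so that anyone on the internet could read it, is the one finding in this update that reduces to a concrete configuration check. The Python below is an added example written for this page; it is not SpeeDoc's code, nor anything published by the PDPC or AWS. It takes a bucket policy document and the bucket's Block Public Access settings and flags every statement that grants anonymous access. The two sample policies, the bucket and account identifiers in them, and the list of condition keys treated as narrowing the caller are constructed assumptions for illustration.

```python
"""Flag S3 bucket policy statements that grant anonymous (public) access.

Added example, not SpeeDoc's configuration. The rule mirrors the idea behind
the AWS console's "Public" badge: an Allow statement whose Principal is "*"
or {"AWS": "*"} and whose Condition does not pin down who the caller is.
"""
from typing import Any, Optional

# Condition keys that scope a wildcard principal to particular callers and so
# stop a statement being public. Assumption: a subset of the keys AWS itself
# treats this way. Anything not listed (including aws:SourceIp, whose CIDR
# width matters) is treated as NOT narrowing, so the statement is still flagged.
NARROWING_KEYS = {
    "aws:principalaccount", "aws:principalarn", "aws:principalorgid",
    "aws:principalorgpaths", "aws:principalservicename", "aws:sourceaccount",
    "aws:sourcearn", "aws:sourceowner", "aws:sourcevpc", "aws:sourcevpce",
    "aws:userid",
}


def _as_list(value: Any) -> list:
    """IAM accepts a bare string wherever a list is allowed; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_anonymous_principal(principal: Any) -> bool:
    """True for Principal "*" or {"AWS": "*"}, the two spellings of 'anyone'."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def is_narrowed(condition: Optional[dict]) -> bool:
    """True if any condition block uses a key that limits who the caller is.

    Condition keys are case-insensitive in IAM, hence the lower-casing.
    """
    for _operator, key_values in (condition or {}).items():
        if any(key.lower() in NARROWING_KEYS for key in key_values):
            return True
    return False


def public_statements(policy: dict) -> list:
    """Return the Sid (or a positional label) of each statement open to the public."""
    flagged = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue                      # Deny statements never grant access
        label = stmt.get("Sid", f"statement[{index}]")
        if "NotPrincipal" in stmt:        # Allow + NotPrincipal = everyone except X
            flagged.append(label)
        elif is_anonymous_principal(stmt.get("Principal")) and not is_narrowed(stmt.get("Condition")):
            flagged.append(label)
    return flagged


def effective_public(policy: dict, block_public_access: dict) -> bool:
    """Combine the policy with the bucket's Block Public Access settings.

    RestrictPublicBuckets makes S3 ignore public grants for anyone other than
    the bucket owner's account and AWS service principals, so a public policy
    behind that flag is not reachable anonymously. The other three flags only
    stop new public ACLs/policies being written, so they do not change the
    verdict on a policy that is already attached.
    """
    if block_public_access.get("RestrictPublicBuckets", False):
        return False
    return bool(public_statements(policy))


# Constructed sample policies (bucket names, account and VPC endpoint ids are invented).
OPEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # the grant that exposes every object to the internet
            "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-patient-uploads/*",
        },
        {   # wildcard principal, but pinned to one VPC endpoint: not public
            "Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::example-patient-uploads/*",
            "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}},
        },
    ],
}

LOCKED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleOnly", "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-app"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-patient-uploads/*",
    }],
}

if __name__ == "__main__":
    for name, policy in (("OPEN_POLICY", OPEN_POLICY), ("LOCKED_POLICY", LOCKED_POLICY)):
        print(f"{name}: public statements = {public_statements(policy) or 'none'}")
```

In practice the policy document would come from `get-bucket-policy` and the flags from `get-public-access-block`, and the check belongs in a scheduled audit rather than a one-off review: the PDPC's finding in all three decisions was the absence of periodic security reviews, not a single bad decision.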

To discuss what this latest development in data protection enforcement decisions and undertakings may mean to you, please reach out to the author below.


1 The author would like to thank legal intern Shawn Yep for his assistance with this article. 
