New Singapore Personal Data Protection Regulator’s Decisions and Undertakings on 23 May 2024

  • Développement en droit 7 juin 2024 7 juin 2024
  • Asie-Pacifique

  • Technology risk

The Singapore Personal Data Protection Commission (“PDPC”) published its latest enforcement decisions and voluntary undertakings on 23 May 2024.

In total, there were 3 enforcement decisions and 6 voluntary undertakings published. The enforcement decisions are the Cortina Watch case, Horizon Fast Ferry case and PPLingo case. The voluntary undertakings are the Protemps Employment Services Pte Ltd case, C M R (Far East) Pte Ltd case, Focus Adventure Pte Ltd case, J Rental Centre Pte Ltd case, Ticketmaster-Singapore Pte Ltd case and Methodist Welfare Services case.

In this client update, we summarise the decisions and undertakings and present our key takeaways.[1]

Key takeaways:

  1. The PDPC has constantly emphasised the need for organisations to put reasonable security arrangements in place to protect the personal data in its possession or control. The PDPC highlighted two major measures in both the Cortina Watch case and the PPLingo case:
    1. Robust password policy: Organisations must adopt, implement, and enforce a strong password policy. A password policy that mandates a minimum level of password complexity, and a fixed period of password validity or regular change of passwords, amongst others, are basic practices of proper authentication and authorisation processes. In PPLingo, the only password requirement was a minimum length of 8 characters and the password used for the administrator’s account was “lingoace123” which was easily guessable, leading PDPC to conclude that the password policy was inadequate, breaching the Protection Obligation. Likewise, Cortina Watch only had the minimum length of 8 characters requirement which was insufficient.
    2. Multi-factor authentication (“MFA”): The PDPC rehashed that MFA should be implemented as a baseline requirement for privileged accounts with remote access to confidential or sensitive personal data or large volumes of personal data. In Cortina Watch, despite having access to personal data of a confidential or sensitive nature, the organisation had neglected to implement MFA. This, among other reasons, led the PDPC to decide that the organisation was in breach of the Protection Obligation.
       
  2. In Horizon Fast Ferry, the PDPC highlighted the importance of vendor management. Organisations should have written policies and procedures for vendor management or policies relating to how outsourced vendors should ensure the protection of personal data when handling personal data, as well as written formal contractual agreements to clarify the job scope, responsibilities and competencies required of the service provider. In Horizon Fast Ferry, the PDPC took note that Horizon Fast Ferry had failed to ensure that the IT Support Vendor was sufficiently competent to administer the organisation’s Ubuntu operating system. Similarly, in Protemps Employment Services, as data protection and job specifications were not clearly defined, there were deficiencies in vendor management for security maintenance, contributing to the conclusion the organisation was wanting in its cybersecurity and data protection practices.
     
  3. On a related note, organisations should provide training for their employees on cybersecurity and data protection issues as well. The failure to do so was one of the reasons why the PDPC determined Methodist Welfare Services to be wanting in its cybersecurity and data protection services.
     
  4. Organisations are expected, as a basic requirement, to designate a DPO to be responsible for ensuring that the organisation complies with the PDPA. The failure to do so would be a breach of the Accountability Obligation. PPLingo had only appointed a DPO after the incident on 18 May 2022, more than 5 years after the organsation’s incorporation, breaching the Accountability Obligation.
     
  5. The PDPC recommends that organisations, as a basic practice, develop an ICT policy that covers the critical aspects in IT security such as account and access control, password, email, IT risk management, asset and configuration, backup and recovery, hardening and patching. Horizon Fast Ferry, Protemps Employment Services, and Focus Adventure had failed in developing and documenting such policies, leading the PDPC to conclude that these organisations were lacklustre in its cybersecurity and data protection practices.
     
  6.  Organisations should, as a basic practice, equip networks with defence devices such as firewalls to protect computer networks connected to the Internet. Horizon Fast Ferry had failed to do so.
     
  7. Common between a few of the Undertakings cases was the lack of periodic security review. Protemps Employment Services had failed to carry out periodic security reviews with vulnerability scans to test its website vulnerability prior to the incident. Focus Adventure had failed to carry out periodic security reviews of its unpatched servers. J Rental Centre had failed to test its website for security vulnerabilities prior to its launch or at regular intervals thereafter. Ticketmaster-Singapore failed to detect the misconfiguration in their software which caused the incident due to the limited testing conducted after their software upgrade. The fact that PDPC pointed this out in several cases highlights the importance that the PDPC places on periodic security reviews. 
Name of Decision / Undertaking Summary of Incident

Type of Potential Breach of the PDPA

Complaint / Self-reported

Number of affected individuals; Types of personal data affected Outcome
Cortina Watch Pte. Ltd.

Personal Data Breach

Cortina Watch was subjected to a ransomware attack on its server. The personal data of 3,953 individuals was accessed and exfiltrated. Cortina Watch had experienced multiple brute force attacks before the successful attack to its test Virtual Private Network (VPN) accounts by the threat actor, thereby allowing the threat actor access to exfiltrate 5.82 GB of data and encrypt other files on the servers.

Protection Obligation

Cortina Watch had failed to

  • Implement reasonable access controls to its network through its “test” VPN user accounts.
Enforce a robust password policy.
Self-reported

3,953 individuals affected

Personal Data affected:

  • Full Name
  • Contact number
  • Address
  • Email
  • Date of Birth
  • NRIC/ Passport Number
  • Bank Account Number
  • Any other details
Compliance directions given in lieu of financial penalty
Horizon Fast Ferry Pte. Ltd.

Personal Data Breach

There was an unauthorised access and exfiltration of the personal data of individuals who booked tickets on Horizon Fast Ferry’s website from its server. The incident occurred because valid credentials to its Ubuntu operating system root account, which is akin to a super-user account, had been misused to gain unauthorised access to the personal data in the Organisation’s possession and/or control.

Protection Obligation  

Horizon Fast Ferry had failed to:

  • Ensure the proper management of their IT Support Vendor by having written policies and procedures for vendor management;
  • Implement an Information and Communications Technology policy that covers the critical aspects of IT security; and
  • Ensure that security solutions were implemented for its web server.
Self-reported

108,488 individuals affected

Personal data affected included individuals’ name, passport number, date of birth, passport issue and expiry date, nationality, email address (if provided) and telephone number (if provided). 

Fine of SGD28,000
PPLingo Pte. Ltd.

Personal Data Breach

The threat actor had obtained the password of an administrator account of the Organisation’s operations support system (“OPS system”) via brute force attacks. The password of the account was “lingoace123”. The threat actor created several new accounts with administrator privileges to the OPS system to access the personal data of the Users.

Protection Obligation

PPLingo had failed to implement an adequate security arrangement to safeguard the personal data contained in the OPS System. 

  • Failure to provide for a fixed period of password validity or require regular change of passwords
  • Failure to require adequate level of password complexity
  • Failure to implement a password policy requiring two-factor or multi-factor authentication

Accountability Obligation

PPLingo had failed to appoint a DPO to be responsible for ensuring that the Organisation complies with the PDPA.
Self-reported

557,144 individuals affected

  • 303,238 students whose personal data included name, date of birth, gender, avatar link (including photos, where provided), native language, learning experience & skills
  • 244,021 parents whose personal data included name, username, mobile phone number, email address, nationality, country & region, residing country, avatar link (including photos, where provided), Whatsapp/Wechat ID, account class credit balance, address
  • 9,395 teachers whose personal data included Name, username, mobile phone number, email address, nationality, gender, photo (where provided), country of residence, date of birth, teacher ID, salary, bank name and account number, signature, Chinese resident identity card number, labour agreement or independent contractor agreement, Whatsapp/Wechat ID, educational background
  • 490 staff whose personal data included Name, username, mobile phone number, email address, Wechat ID
Fine of SGD74,000
Protemps Employment Services Pte Ltd

Personal Data Breach

Protemps Employment Services’ website had suffered a ransomware attack. Its website contained vulnerabilities, which allowed the threat actor(s) to access the website infrastructure and exfiltrate the personal data of the affected individuals.

Protection Obligation

The PDPC found the Protemps Employment Services to be wanting in its cybersecurity and data protection practices. First, Protemps Employment Services did not carry out any periodic security reviews with vulnerability scans to test its website vulnerability prior to the Incident. Second, there were deficiencies in vendor management for security maintenance, as data protection and job specifications were not clearly defined. Finally, Protemps Employment Services lacked proper documentation for password policies, patch management policies or change management policies.

Having considered the circumstances of the case and the lack of knowledge by Protemps Employment Services in cybersecurity and data protection practices, the PDPC accepted a voluntary undertaking.
Self-reported

19,361 affected individuals.

Personal data exfiltrated included their names, residential addresses, NRIC images, nationality, date of birth, phone numbers, email addresses, passport number, race, religion, highest qualification, last salary and CVs.
Voluntary Undertaking; no admission of breach of the PDPA
C M R (Far East) Pte Ltd

Personal Data Breach

The malicious actor had encrypted C M R (Far East)’s files containing the personal data of 57 individuals who were C M R (Far East)’s current or ex-employees.

Protection Obligation

The exact cause of the breach could not be determined.

CMR had taken prompt remedial actions including moving to a cloud-based system with secure back up.

The PDPC accepted a voluntary undertaking from C M R (Far East) to improve its compliance with PDPA, after considering the circumstance of the case and CMR’ prompt remedial actions.
     
Focus Adventure Pte Ltd

Personal Data Breach

Focus Adventure suffered a ransomware attack on its company servers. The files in the server were exfiltrated by the threat actor(s). The personal data of 923 individuals (former and current employees) were encrypted and exfiltrated.

Protection Obligation

Focus Adventure was found to be lacklustre in its cybersecurity and data protection practices, including the usage of end of life software for its servers and for failing to carry out any periodic security reviews of its unpatched servers. In addition, there was no proper documentation for password policies, patch management policies or change management policies.

Having considered the circumstances of the case and the lack of knowledge by Focus Adventure in cybersecurity and data protection practices, the PDPC accepted a voluntary undertaking from Focus Adventure to engage an external service provider to improve its cybersecurity set-up and its data protection practices and policies.
Complaint

923 individuals affected

Personal data included:

  • Names
  • NRIC numbers
  • Date of birth
  • Phone numbers
  • Email addresse
  • Bank account details
Voluntary Undertaking; no admission of breach of the PDPA
J Rental Centre Pte Ltd

Personal Data Breach

J Rental Centre had engaged an overseas vendor to design its website. Although J Rental Centre had envisaged that the website would store and process personal data, J Rental Centre admitted that it did not conduct any security testing on the website prior to its launch. The complainant was able to view the identification documents of other individuals by sequentially changing the numerical digits of a link from J Rental Centre’s website.

Protection Obligation

The PDPC found J Rental Centre lacklustre in its cybersecurity and data protection practices, as J Rental Centre should have but failed to test its website for security vulnerabilities prior to its launch or at regular intervals thereafter.

Some considerations PDPC took included the circumstances of the case, the prompt remedial action by J Rental Centre and the lack of knowledge by J Rental Centre in cybersecurity and data protection practices. Overall, the PDPC accepted a voluntary undertaking from J Rental Centre to engage an external service provider to improve its cybersecurity set-up and its data protection practices and policies.
Complaint

Approximately 300 individuals were affected

Personal data put at risk of unauthorised access and disclosure included NRICs, Student identification cards and bills.

Voluntary Undertaking; no admission of breach of the PDPA
Ticketmaster – Singapore Pte Ltd

Personal Data Breach

The PDPC was alerted that users trying to buy tickets to an event on Ticketmaster – Singapore’s website were able to access and view another user’s Ticketmaster account.

Protection Obligation

Ticketmaster – Singapore had failed to configure its content distribution network software correctly when it upgraded its software. The users’ personal data was stored as shared cache objects based on the users’ IP address. This led to a user’s personal data being shown to another user if these users had been assigned to the same IP address when using Ticketmaster – Singapore’s website.

The PDPC also found that Ticketmaster – Singapore did not detect the misconfiguration as it conducted limited testing after the software upgrade.

Taking into account Ticketmaster – Singapore's immediate remedial actions, the circumstances of the case, the comprehensive remediation plan, the number of affected individuals, types of personal data involved and the impact of the incident, the PDPC accepted the voluntary undertaking to improve its compliance with PDPA.
Complaint

Approximately 400 affected individuals

Personal data disclosed to other users included names, phone numbers, email addresses and order information. 

Voluntary Undertaking; no admission of breach of the PDPA
Methodist Welfare Services

Personal Data Breach

The servers belonging to its Bethany Nursing Home Choa Chu Kang was encrypted by a ransomware.

Protection Obligation

The cause of the ransomware attack could not be established as Methodist Welfare Services had reformatted its servers to restore its business operations as soon as possible.

The PDPC found Methodist Welfare Services to be lacklustre in its cybersecurity and data protection practices as it did not have relevant processes on IT security and did not provide any training for its employees on cybersecurity and data protection issues.
Self-reported

Approximately 500 individuals affected

Personal data included:

  • Names
  • Addresses
  • NRIC numbers
  • Date of birth
  • Phone numbers
  • Email addresses
  • Vaccination records

Voluntary Undertaking; no admission of breach of the PDPA

To discuss what this latest development in data protection enforcement decisions and undertakings may mean to you, please reach out to the author below:


[1] The author would like to thank legal intern Tian Xinhe for her assistance with this article.

Fin

Restez au fait des nouvelles de Clyde & Cie

Inscrivez-vous pour recevoir de nos nouvelles par courriel (en anglais) directement dans votre boîte de réception!