_commit_at,_commit_hash,_id,_item,_version,_commit,description,tags,date,pdf-url,nature,title,url,timestamp,pdf-content,decision,_item_full_hash,_changed_columns 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,120,120,1,952,Saturday Club was found in breach of the PDPA for failing to put in place written policies and practices necessary to ensure its compliance with the PDPA. Saturday Club was directed to put in place a data protection policy to comply with the provisions of the PDPA and to conduct training to ensure its employees are aware of and comply with the requirements of the PDPA.,"[""Accountability"", ""Directions""]",2019-12-05,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Summary-Decision---Saturday-Club.pdf,Accountability,Breach of the Accountability Obligation by Saturday Club,https://www.pdpc.gov.sg/all-commissions-decisions/2019/12/breach-of-the-accountability-obligation-by-saturday-club,2019-12-05,"PERSONAL DATA PROTECTION COMMISSION Case No. DP-1906-B4109 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Saturday Club Pte Ltd SUMMARY OF THE DECISION 1. Upon investigation into a suspected data breach, it was found that Saturday Club Pte Ltd (the “Organisation”) had not developed any internal policies and practices that are necessary for it to meet its obligations under the Personal Data Protection Act 2012 (“PDPA”). In the circumstances, the Deputy Commissioner for Personal Data Protection found the Organisation in breach of section 12 of the PDPA and decided to issue the directions to the Organisation. 
",Directions,d047195a60d37294c9b55687dc7b54978590b389,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,121,121,1,952,"A financial penalty of $8,000 was imposed on Honestbee for failing to put in place reasonable security arrangements to protect the personal data of individuals. The data of about 8,000 individuals was stored in the cloud without access restrictions.","[""Protection"", ""Financial Penalty"", ""Wholesale and Retail Trade""]",2019-12-05,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Summary-Decision---Honestbee.pdf,Protection,Breach of the Protection Obligation by Honestbee,https://www.pdpc.gov.sg/all-commissions-decisions/2019/12/breach-of-the-protection-obligation-by-honestbee,2019-12-05,"PERSONAL DATA PROTECTION COMMISSION Case No. DP-1905-B3827 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Honestbee Pte Ltd SUMMARY OF THE DECISION 1. Honestbee Pte Ltd (the “Organisation”) is an online food and grocery delivery service. Third party merchants, which either engaged or were planning to engage the Organisation for delivery services, provided it with personal data of their customers in order to test its logistics service delivery platform. The Organisation stored this personal data in its Amazon Web Services (“AWS”) file repository. The personal data (the “Personal Data”) included names, email addresses, residential addresses and mobile numbers. 2. The Personal Data Protection Commission (the “Commission”) was informed on 2 May 2019 that the Personal Data was accessible to the public. The number of individuals whose personal data was accessible was about 8,000. The Organisation admitted that it had mistakenly placed the Personal Data in a ‘bucket’ (which is similar to a file folder) without access restrictions. 
This allowed anyone with knowledge of AWS’s command line to gain access to the Personal Data. 3. The Commission found that the Organisation omitted to put in place the most rudimentary security measures necessary to protect the Personal Data. For example, the Organisation could have implemented a requirement to conduct checks to confirm that any personal data used in testing was stored in a ‘bucket’ with the appropriate access restrictions. In the circumstances, the Organisation had not implemented reasonable security arrangements to protect the Personal Data and is therefore in breach of section 24 of the Personal Data Protection Act 2012. 4. The Organisation has since blocked public access to the Personal Data by modifying the relevant access settings and circulated a report to its engineering team to ensure that similar mistakes would not be repeated in code reviews. The Organisation is also in discussions with cybersecurity companies to perform regular security audits on its systems. 5. The Organisation is directed to pay a financial penalty of $8,000 within 30 days from the date of this direction, failing which interest at the rate specified in the Rules of Court in respect of judgment debts shall accrue and be payable on the outstanding amount of the financial penalty until the financial penalty is paid in full. In view of the remedial measures taken by the Organisation, the Commission has not imposed any other directions. 6. The Organisation’s prompt co-operation in the course of the Commission’s investigation, its prompt actions taken to remediate the breach and the limited unauthorized disclosure of the Personal Data were mitigating factors taken into consideration in determining the quantum of the financial penalty. 
",Financial Penalty,e5c308da0f082ff90e6a4873039b1d55f4c3f94f,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,122,122,1,952,"Global Outsource Solutions was found in breach of the PDPA for failing to put in place reasonable security arrangements to protect the personal data collected by its website and for failing to develop and implement data protection policies. This resulted in the disclosure of personal data of customers on the organisation’s online warranty registration portal. Global Outsource Solutions was directed to develop and implement policies for data protection and staff training in data protection, and to put all employees handling personal data through such training.","[""Protection"", ""Accountability"", ""Directions""]",2019-12-05,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Summary-Decision---Global-Outsource.pdf,"Protection, Accountability",Breach of the Protection and Accountability Obligations by Global Outsource Solutions,https://www.pdpc.gov.sg/all-commissions-decisions/2019/12/breach-of-the-protection-and-accountability-obligations-by-global-outsource-solutions,2019-12-05,"PERSONAL DATA PROTECTION COMMISSION Case No. DP-1809-B2767 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Global Outsource Solutions Pte. Ltd. SUMMARY OF THE DECISION 1. Global Outsource Solutions Pte. Ltd. (the “Organisation”) provided warranties for products purchased by its clients’ customers. To be eligible for this warranty, customers registered their purchases with the Organisation via the Organisation’s website at http://www.globaloutsourceasia.com (the “Website”). 
The Organisation collected various personal data from such customers for this purpose, including personal information such as their name, email address, mailing address and contact number, and details of the customers’ purchases such as the name of the product purchased, the purchase date, the name of the retailer and the location of the physical store where the product was purchased (collectively, the “Personal Data”). 2. The Personal Data Protection Commission (“the Commission”) received a complaint on 23 September 2018 that the complainant could access the Personal Data of another individual when viewing a warranty registration summary page on the Website (the “Incident”). 3. The Organisation admitted to the occurrence of the Incident but was unable to identify the cause of the Incident. The Commission found that the Organisation had not provided any security requirements to the vendor it had engaged sometime in 2013 to develop the Website. Consequently, it had not reviewed the Website’s security arrangements or conducted any security testing on the Website. In the circumstances, the Organisation had not implemented reasonable security arrangements to protect the personal data collected by the Website (including but not limited to the Personal Data disclosed in the Incident) and is therefore in breach of section 24 of the PDPA. 4. The Commission also found that the Organisation did not have any internal data protection policies for its employees in relation to the handling of personal data for the purposes of registering products through the Website. This failure to develop and implement such internal data protection policies is a breach of section 12 of the PDPA. 5. The Organisation has since removed the warranty registration section on its website and is in the process of revamping its Website to incorporate the necessary security arrangements. 
The Organisation is directed to develop and implement policies for data protection and staff training in data protection, and to put all employees handling personal data through data protection training. ",Directions,ab0971aeb10525bfdeea3bf683966ddd8fc40f11,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,123,123,1,952,"Directions, including a financial penalty of $8,000, were imposed on Chizzle for failing to put in place reasonable security arrangements to protect the personal data of users of its mobile application in Re Chizzle Pte Ltd [2019] SGPDPC 44. The organisation was also directed to develop an IT security policy, review and revise its developmental processes in order to adopt a data protection by design approach for future enhancements to its mobile application. An application for reconsideration was filed against the decision in Re Chizzle Pte Ltd [2019] SGPDPC 44. Upon review and careful consideration of the application, the Commissioner has decided to affirm the finding of breach of section 24 of the PDPA as set out in the decision and the direction, in the Reconsideration Decision.","[""Protection"", ""Directions"", ""Financial Penalty""]",2019-12-05,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds-of-Decision---Chizzle-Pte-Ltd.pdf,Protection,Breach of the Protection Obligation by Chizzle,https://www.pdpc.gov.sg/all-commissions-decisions/2019/12/breach-of-the-protection-obligation-by-chizzle,2019-12-05,"PERSONAL DATA PROTECTION COMMISSION [2019] SGPDPC 44 Case No. DP-1807-B2495 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Chizzle Pte. Ltd. … Organisation DECISION Chizzle Pte. Ltd. [2019] SGPDPC 44 Tan Kiat How, Commissioner — Case No. DP-1807-B2495 26 November 2019 Introduction 1 Chizzle Pte. Ltd. 
(the “Organisation”) provides a mobile application (the “Mobile App”) designed to connect learners and teachers in Singapore, Australia and India. On 31 July 2018, the Organisation notified the Personal Data Protection Commission (the “Commission”) of a cyberattack (the “Incident”) which had compromised the personal data of about 2,213 users of the Mobile App, including some users in Singapore (the “Affected Individuals”). Material Facts 2 On 30 July 2018, the Organisation noticed that the Mobile App had stopped responding. It was found that an unauthorised party had deleted its database containing the personal data of the Affected Individuals (the “Chizzle Database”) and left a ransom demand in text. The personal data in question included the names, dates of birth, genders, email addresses and some mobile numbers and residential addresses of the Affected Individuals (the “Compromised Personal Data”). Before this, on 9 July 2018, the Organisation had changed the Chizzle Database from Amazon’s Relational Database Service to the MySQL relational database. 3 Since 2016, the Organisation had a “L.A.M.P.” stack (i.e. Linux operating system, Apache HTTP server, MySQL server and PHP) (collectively with the Mobile App, the “System”) as part of its IT infrastructure. “phpMyAdmin”, a MySQL database administration tool, was installed with the L.A.M.P. stack. The tool was configured to allow remote access to it from the Internet. The Organisation believed that the unauthorised party gained entry into the Chizzle Database through the phpMyAdmin tool by a brute force attack. However, it did not have the logs to prove that a brute force attack had taken place. Regardless, the unauthorised party gained entry to the Chizzle Database through the phpMyAdmin tool. This gave the unauthorised party full control, including reading, writing and deleting data. 
Remedial actions by the Organisation 4 Following the Incident, the Organisation has taken measures to prevent unauthorised access to the Chizzle Database in the future, including the following: (a) IP address access via phpMyAdmin (i.e. use of IP address to find and reach the Chizzle Database) was turned off and the phpMyAdmin tool was uninstalled; (b) The IP address of the Organisation’s servers, including the Chizzle Database server, were changed; and (c) The Mobile App and Chizzle Database were moved to new hardware in case any residual malware or Trojans remained in the old hardware. Findings and Basis for Determination Whether the Organisation had breached its obligation to protect personal data under section 24 of the Personal Data Protection Act 2012 (“PDPA”) 5 Section 24 of the PDPA requires organisations to protect personal data in their possession or under their control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks. 6 The Organisation had failed to conduct any security review of its System although past decisions by the Commission had made clear the need for such reviews (see e.g. WTS Automotive Services Pte Ltd. [2018] SGPDPC 26, Bud Cosmetics [2019] SGPDPC 1 and Watami Food Service Singapore Pte Ltd [2018] SGPDPC 12). 7 The Organisation claimed that it was not even aware that the phpMyAdmin tool was part of its System. It also claimed it had no need of the tool. A reasonable security review would have included a review of all web-connected features of the System. Through such a review, the Organisation would have found the phpMyAdmin tool and could have decided whether to remove or keep it. If the Organisation had decided to retain the tool, the review would have given opportunity for the Organisation to review its security against web-based threats. 
8 However, as found above, the Organisation failed to conduct a security review. It therefore missed the opportunity to determine its need for the phpMyAdmin tool and to address the security requirements of the tool, if retained. A security review would have been the arrangement through which the Organisation could reasonably have prevented the unauthorised entry into the Chizzle Database through the tool. 9 On the facts above, the Commissioner found that the Organisation had not made reasonable security arrangements to protect the Compromised Personal Data and was accordingly in breach of section 24 of the PDPA. The Organisation’s Representations 10 After the preliminary decision was issued, the Organisation submitted representations requesting for a reduction to the quantum of financial penalty. In support of its assertion that the proposed penalty was “more than likely to push [it] to a brink of closing the business”, the Organisation submitted copies of its financial statements and bank account statements. The Organisation did not disagree with, or make any representations relating to, the Commissioner’s findings that it had breached section 24 of the PDPA. 11 In general, financial penalties imposed under the PDPA reflect the seriousness of the breach and do not take into account the financial position of the organisation in question. However, a financial penalty is not meant to impose a crushing burden on the organisation and cause undue hardship: Re Sharon Assya Qadriyah Tang [2018] SGPDPC 1 at [34]. In the present case, the financial standing that was gleaned from the submitted financial statements and bank account statements was dire. In order to avoid imposing a crushing burden on the Organisation, the Commissioner has decided to reduce the financial penalty. For this reason, the financial penalty imposed in this case should not be taken as establishing a precedent for future cases. 
12 In order to ensure that the Mobile App is robust and secure, the Organisation should adopt a data protection by design approach. While the optimal approach is to do so from the commencement of every developmental project, it is nevertheless still possible to do so during the maintenance phase, whenever there are enhancements: Data Protection by Design Guide, at p 35. The Organisation is directed to review its developmental processes in order to adopt a data protection by design approach for future enhancements to the Mobile App. Making changes to its practices will help the Organisation scale its Mobile App for future growth, and will pay longer term dividends than a hefty financial penalty. The Commissioner’s Directions 13 In view of the above findings, the Commissioner decided to direct the Organisation to pay a financial penalty of $8,000 within 30 days from the date of this direction, failing which, interest at the rate specified in the Rules of Court in respect of judgment debts shall accrue and be payable on the outstanding amount of such financial penalty until the financial penalty is paid in full. 
14 In addition, the Commissioner decided to issue the following directions to the Organisation to ensure its compliance with the PDPA: (a) Engage duly qualified personnel to conduct a security audit of its mobile application and accompanying IT system; (b) Furnish a schedule stating the scope of risks to be assessed and the time within which a full report of the audit can be provided to the Commission within 30 days of this direction; (c) Rectify security gaps identified in the security audit; (d) Develop an IT security policy to guide its employees on the security of personal data on its mobile applications and accompanying IT systems within 60 days from the date of completion of the above-mentioned security audit; (e) Within 120 days of this decision, review and revise its developmental processes in order to adopt a data protection by design approach for future enhancements to its mobile application; and (f) Inform the Commission in writing of the completion of each of the above directions within 1 week of completion. YEONG ZEE KIN DEPUTY COMMISSIONER FOR COMMISSIONER FOR PERSONAL DATA PROTECTION ","Directions, Financial Penalty",d2f01a3d69daa429f27a8ad071d760e7006d4489,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,124,124,1,952,"A financial penalty of $12,000 was imposed on The Travel Corporation (2011) for breaches of the PDPA. 
The Organisation failed to appoint a data protection officer and did not put in place reasonable security arrangements to protect its customers’ personal data stored in portable storage devices.","[""Protection"", ""Accountability"", ""Financial Penalty""]",2019-12-05,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds-of-Decision---The-Travel-Corporation-2011-Pte-Ltd.pdf,"Protection, Accountability",Breach of the Protection and Accountability Obligations by The Travel Corporation (2011),https://www.pdpc.gov.sg/all-commissions-decisions/2019/12/breach-of-the-protection-and-accountability-obligations-by-the-travel-corporation-(2011),2019-12-05,"PERSONAL DATA PROTECTION COMMISSION [2019] SGPDPC 42 Case No. DP-1810-B2821 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And The Travel Corporation (2011) Pte. Ltd. … Organisation DECISION The Travel Corporation (2011) Pte. Ltd. [2019] SGPDPC 42 Tan Kiat How, Commissioner — Case No. DP-1810-B2821 19 November 2019 Introduction and Material Facts 1 The Travel Corporation (2011) Pte. Ltd. (the “Organisation”) offers travel packages both directly to Singapore customers and via third party travel agencies. On 1 October 2018, the Organisation notified the Personal Data Protection Commission (the “Commission”) regarding the loss of a portable hard disk (the “Hard Disk”) which contained unencrypted files with the personal data of the Organisation’s customers, employees and suppliers (the “Incident”). The facts and circumstances of the Incident are as follows. 2 On 25 July 2018, a new employee of the Organisation left the office with her laptop and the Hard Disk; and misplaced both these devices on her way home. She initially only informed the Organisation about the loss of the laptop and a police report was made on 31 July 2018. The misplaced laptop did not contain any personal data. 
She eventually informed the Organisation about the loss of the Hard Disk on 21 September 2018 and the Organisation made another police report that day. 3 The table below summarises the number of affected individuals and their corresponding types of personal data contained in the Hard Disk:
S/N 1. Customers: Name, Email Address, Phone Number, Date of Birth and Postal Address (5,437 individuals affected)
S/N 2. Customers: Same as item 1 plus Passport Number (21 individuals affected)
S/N 3. Customers: Same as item 1 plus NRIC Number (242 individuals affected)
S/N 4. Prospective Customers: Same as item 1 (11,000 individuals affected)
S/N 5. Employees: Name, Office Email Address and Office Phone Number (30 individuals affected)
S/N 6. Suppliers: Names, Company Address, Email Address, Mobile Number, Office Number (1,900 individuals affected)
Total number of individuals: 18,630
4 It also emerged in the course of the Commission’s investigations that the Organisation had not appointed any data protection officer (“DPO”) prior to the data breach incident on 25 July 2018. Remedial actions by the Organisation 5 The Organisation subsequently took the following remedial measures: (a) The Organisation ceased the use of portable storage devices and implemented the use of cloud-based storage for personal data in its possession; and (b) The Organisation appointed a DPO on 22 October 2018. Findings and Basis for Determination Whether the Organisation had breached its obligation to protect personal data under section 24 of the PDPA 6 Section 24 of the PDPA requires an organisation to protect personal data in its possession or under its control by making reasonable security arrangements. A review of the evidence disclosed that business contact information of the Organisation’s own employees and its suppliers comprised about 10% of the total number of affected individuals. Pursuant to 4(5) of the PDPA, section 24 of the PDPA did not apply to such personal data. 
However, the personal data of the Organisation’s customers and prospective customers (the “Customers’ Personal Data”) have to be protected under the PDPA. 7 The Organisation failed to protect its Customers’ Personal Data as it failed to implement appropriate internal policies governing the use of portable storage devices containing personal data. While the Organisation has a Portable Computer and Storage Devices Policy that stipulated that ‘portable computing and storage devices used for business purposes must have designated custodians’, the Organisation did not have any operational frameworks or procedures in place that effectively implements this policy in its individual business units. The Organisation only relied on verbal instructions to instruct its employees not to bring any portable storage devices out from the office premises. Further, the Organisation did not implement any password protection policies or data encryption policies for its portable storage devices, including the Hard Disk, although it had clear guidelines in its Acceptable User Policy and Information Sensitivity Policy to do so. 8 In the circumstances, the Commissioner found that the Organisation had not made reasonable security arrangements to protect its Customers’ Personal Data. The Organisation is accordingly in breach of section 24 of the PDPA. Whether the Organisation was in breach of section 11(3) of the PDPA 9 Section 11(3) of the PDPA requires organisations to designate one or more individuals (typically referred to as a DPO) to be responsible for ensuring that they comply with the PDPA. Appointing a DPO is important in ensuring the proper implementation of an organisation’s data protection policies and practices, as well as compliance with the PDPA: see e.g. Re M Stars Movers & Logistics Specialist Pte Ltd [2017] SGPDPC 15 at [31] to [37]. 
10 As the Organisation failed to appoint a DPO prior to the data breach incident, the Commissioner found the Organisation in breach of section 11(3) of the PDPA. The Commissioner’s Directions 11 In view of the above findings, the Commissioner directs the Organisation to pay a financial penalty of $12,000 within 30 days from the date of this direction, failing which, interest at the rate specified in the Rules of Court in respect of judgment debts shall accrue and be payable on the outstanding amount of such financial penalty until the financial penalty is paid in full. 12 In coming to this finding, the following mitigating factors were taken into account: (a) the Organisation notified the Commission of the Incident and fully co-operated with the Commission’s investigations; (b) the Organisation promptly implemented remedial measures, as set out at paragraph 5, to address the breach; (c) the Organisation is actively addressing system security related recommendations provided by an external auditor; and (d) the Commission had not received any complaints as a result of the Incident. 13 In view of the remedial measures taken by the Organisation, the Commissioner decided not to impose any other directions. The Organisation’s Representations 14 After the preliminary decision was issued to the Organisation, it made representations for a warning to be issued instead of an imposition of a financial penalty. The Organisation did not dispute the finding that it had breached section 24 of the PDPA. 
15 In support of its request for a warning instead of the imposition of a financial penalty, the Organisation represented that it had taken the following rectification and remediation measures: (a) conducting a PDPA impact and gap analysis; (b) developing and enhancing internal PDPA policies and procedures; (c) improving current back-up systems and disaster recovery plans across the business promptly following the Incident; (d) notifying the affected individuals as soon as possible after the Incident; (e) filing a police report in case of potential misuse, ransom and/or other criminal activity; (f) arranging for PDPA training for employees; (g) publishing a privacy notice / statement on its website; (h) demonstrating proper coordination and practices in place; and (i) appointing a DPO. 16 The majority of the matters raised in mitigation are essentially remediation measures following from the gap analysis that the Organisation had performed. Due consideration had already been given to the prompt action that the Organisation took when the quantum of financial penalty was initially determined. None of the measures warrants an adjustment to the quantum of the financial penalty. Hence, the Organisation did not provide sufficient justification for the financial penalty to be replaced with a warning. 17 In its representations, the Organisation had provided an explanation for its failure to appoint a DPO. It had sent 2 employees to attend a data protection certification course. The Organisation explained that it did not appoint a DPO at the material time as its employees who attended the Certified Information Privacy Manager (“CIPM”) course had failed to pass the CIPM exams despite multiple attempts and the Organisation was under the impression that they could not be appointed as DPOs without passing the relevant exams. 18 This misapprehension conflates the obligation to appoint a DPO and what is a reasonable way to go about it. 
The obligation for organisations to designate a DPO to ensure compliance with the PDPA under section 11(3) of the PDPA is a mandatory requirement under law. In the ideal case, the person appointed would be qualified to perform the role and undertake the responsibilities of a DPO at the time of appointment. The PDPA does not specify what these qualifications are. Furthermore, the pool of qualified DPOs, while growing, is small. There will be many instances where organisations will not be able to identify a member of staff or management who is already qualified. It is, therefore, perfectly acceptable to appoint a DPO and then send her for the necessary courses. In these situations, the Organisation should monitor the DPO’s progress to ensure that there is no tardiness in completing the courses and achieving the requisite qualification. YEONG ZEE KIN DEPUTY COMMISSIONER FOR COMMISSIONER FOR PERSONAL DATA PROTECTION ",Financial Penalty,673e8e9d7c2079f8018401c7ea6189c7ee37e666,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,125,125,1,952,"A financial penalty of $6,000 was imposed on i-vic International (i-vic) for failing to put in place reasonable security arrangements to protect the personal data of individuals which it had processed on another organisation’s behalf. 
i-vic as the data intermediary did not put in place diligent and properly scoped testing of software which led to the disclosure of personal data of individuals via email.","[""Protection"", ""Financial Penalty"", ""Employment""]",2019-12-05,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds-of-Decision---i-vic-International.pdf,Protection,Breach of the Protection Obligation by i-vic International,https://www.pdpc.gov.sg/all-commissions-decisions/2019/12/breach-of-the-protection-obligation-by-i-vic-international,2019-12-05,"PERSONAL DATA PROTECTION COMMISSION [2019] SGPDPC 41 Case No. DP-1804-B1991 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And i-vic International Pte. Ltd. … Organisation DECISION i-vic International Pte. Ltd. [2019] SGPDPC 41 Yeong Zee Kin, Deputy Commissioner — Case No. DP-1804-B1991 12 November 2019. Introduction 1 The Employment and Employability Institute Ltd (“e2i”) administers a work trial programme on behalf of a public agency, Workforce Singapore (“WSG”). e2i engaged i-vic International Pte Ltd (the “Organisation”) to process claims and queries from members of the public relating to the work trial programme (the “Engagement”). 2 On 16 April 2018, e2i reported to the Personal Data Protection Commission (the “Commission”) that documents containing personal data of three individuals (the “Affected Individuals”) involved in the work trial programme were inadvertently attached to emails sent out by the Organisation to 9 individuals (the “Incident”). Material Facts 3 As part of the Engagement, the Organisation was required to manage e2i’s mailbox which received emails from members of the public with their claims and queries. It was also required to develop and/or maintain the IT infrastructure and customer relationship management (“CRM”) software (collectively, the “System”) used to operate and manage e2i’s mailbox. 
As part of this, the Organisation was required to either reply to the emails from members of the public (providing the appropriate responses) or escalate the queries in the emails to the relevant e2i representatives. Where an email query needed to be escalated, an employee of the Organisation would submit an escalation request in the System. The System would then automatically generate two emails for the Organisation’s employee to send (the “Automated Email Generation Process”). The first was a holding reply email to the person who had sent the email query to e2i’s mailbox and the second was an email to escalate the query to the relevant e2i representative. For the second email, the System would automatically retrieve the relevant documents that were stored in the Organisation’s servers and attach them to the email. 4 On the 1st of every month, the Organisation ran a batch process on the System, after normal working hours, to generate reward programme emails for another client (the “Reward Programme Process”). While this was being done, the Automated Email Generation Process was unable to run any instructions to generate and send emails. During this time, any instructions by the Organisation’s employees to generate emails with respect to the Engagement would be queued and the Automated Email Generation Process would process these instructions as a batch once the Reward Programme Process had been completed. 5 On 1 April 2019, while the Reward Programme Process was being run, one of the Organisation’s employees attempted to generate some new emails using the Automated Email Generation Process. These instructions to generate the relevant emails were queued, to be acted upon only after the Reward Programme Process was completed. 
However, due to an error in the Automated Email Generation Process code for processing emails as a batch, the System attached the wrong documents containing personal data of the Affected Individuals to the emails in the queue and sent these out to 9 different individuals. 6 The documents that were sent to the 9 individuals contained the names, NRIC numbers, signatures, residential addresses, mobile numbers, email addresses, age and race of all three Affected Individuals, the bank account number of two of the Affected Individuals and the highest academic qualifications, work trial company details and work experience details of one of the Affected Individuals (collectively referred to as the “Disclosed Personal Data”). Remedial actions by the Organisation 7 After becoming aware of the Incident, the Organisation took the following remedial action to prevent it from reoccurring: (a) Fixed the error in the code of the Backlog Clearing Process which caused the Incident; and (b) Rewrote the relevant code to enable automated encryption of attachments (so that unauthorised recipients would not be able to view the contents of the attachments) and to ensure that the wrong files would not be attached to emails. Findings and Basis for Determination 8 Section 24 of the PDPA provides that an organisation shall protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks (the “Protection Obligation”). 9 As a preliminary point, it is noted that e2i was acting on behalf of WSG in relation to the collection, use and disclosure of personal data for administration of the work trial programme. As such, pursuant to section 4(1)(c) of the PDPA, e2i was not subject to Parts III to VI of the PDPA, including section 24, in relation to such collection, use and disclosure of personal data. 
10 The Organisation was a data intermediary of e2i as it processed personal data on behalf of e2i for the purpose of the Engagement. The Organisation was thus required to protect personal data in its possession or under its control in accordance with section 24. 11 In relation to the cause of the Incident, the Organisation asserted that it had tested the code of the Automated Email Generation Process. However, the Organisation also admitted that it had not tested how the code acted when the Automated Email Generation Process processed instructions to generate and send emails which were queued while the Reward Programme Process was running. In this regard, the Organisation explained that they expected such emails to be processed and sent out individually and not queued while the Reward Programme Process was running. Nevertheless, as the Organisation ought to have known that the Automated Email Generation Process was unable to run while the Reward Programme Process was running on the 1st of every month, the Organisation ought to have tested whether this had an effect on the Automated Email Generation Process. Diligent and properly scoped testing would have simulated the circumstances leading to the Incident and would therefore likely have detected that documents containing personal data were being incorrectly attached to the emails in queue. 12 In the circumstances, the Organisation’s failure to put in place diligent and properly scoped testing amounted to a failure to put in place reasonable security arrangements to protect the personal data which was in its possession and/or under its control. I therefore find that the Organisation had contravened section 24 of the PDPA. 
The Deputy Commissioner’s Directions 13 In view of the above findings, I hereby direct the Organisation to pay a financial penalty of $6,000 within 30 days from the date of this direction, failing which, interest at the rate specified in the Rules of Court in respect of judgment debts shall accrue and be payable on the outstanding amount of such financial penalty until the financial penalty is paid in full. 14 I have decided not to issue any further directions as the Organisation has taken the actions set out at paragraph 7 above to remedy the cause of the Incident. YEONG ZEE KIN DEPUTY COMMISSIONER FOR PERSONAL DATA PROTECTION ",Financial Penalty,e47bddcc5f36c79ec219edf1cb404ced43a0874d,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,126,126,1,952,"A financial penalty of $60,000 was imposed on Learnaholic for failing to put in place reasonable measures to protect the personal data of students, students’ parents and staff of various schools.","[""Protection"", ""Financial Penalty"", ""Education""]",2019-12-05,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds-of-Decision---Learnaholic.pdf,Protection,Breach of the Protection Obligation by Learnaholic,https://www.pdpc.gov.sg/all-commissions-decisions/2019/12/breach-of-the-protection-obligation-by-learnaholic,2019-12-05,"PERSONAL DATA PROTECTION COMMISSION [2019] SGPDPC 31 Case No DP-1703-B0567 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Learnaholic Pte. Ltd. … Organisation DECISION [This is a redacted version of the Decision which omits certain confidential details] Learnaholic Pte. Ltd. [2019] SGPDPC 31 Tan Kiat How, Commissioner — Case No DP-1703-B0567 26 August 2019. 
Background 1 The Organisation is an IT vendor that was providing attendance-taking and e-learning systems to schools pursuant to a contract with the Ministry of Education (“MOE”). The central issue in this case, in so far as it is related to the Personal Data Protection Act 2012 (“PDPA”), is whether the Organisation had made reasonable security arrangements to protect the personal data of approximately 47,802 students, students’ parents and staff of various schools that it had in its possession and control at the material time. Material Facts 2 The Organisation was responsible for the maintenance and installation of the attendance-taking system installed in [redacted] (“the School”). The School’s attendance-taking system was designed such that the attendance records would be updated each time a student “taps in” with his or her student pass at any one of the card readers located around the School. This attendance-taking system consisted of an attendance server (the “Attendance Server”) connected to clusters of attendance controllers linked to card readers. One such cluster was located at the guard post of the School (the “Guard Post Cluster”). 3 In or around March 2016, the School informed the Organisation of an intermittent problem with the Guard Post Cluster: students’ names were not being displayed despite them tapping in at the Guard Post Cluster. In order to investigate the issues reported by the School, the Organisation decided to troubleshoot the problem remotely as this was more convenient than sending someone down to the School. In order to do so, it installed VNC Server, a remote desktop software, at the Guard Post Cluster, and used VNC Viewer to remotely connect to the VNC Server so that the Organisation would be able to troubleshoot the Guard Post Cluster without having to be physically present at the School (the “Remote Troubleshooting” method). 
4 In addition to installing the VNC Server, the Organisation also took the following steps to facilitate its Remote Troubleshooting: (a) Modifying the configuration of the School’s Intranet firewall by opening a specific port (“Port”) to allow external access to the Guard Post Cluster from the internet via the VNC Viewer software. (b) Disabling the password for the VNC Server software installed at the Guard Post Cluster (i.e. no password was required to gain access to the Guard Post Cluster via the VNC Server software). While the Organisation claimed to have disabled the input feature at the client side when using the VNC Viewer program, this would have only affected the Organisation’s ability to make changes and would not have affected a hacker’s ability to do the same. If the Organisation had disabled the input feature at the server side, it would have been very unlikely that a hacker could have exploited the vulnerability in the Organisation’s system as explained immediately below. The only other potential manner in which the hacker could have exploited the said vulnerability would have been where the Organisation opened all the ports to the system instead of just the VNC specific port. 5 The Organisation’s actions would come to have significant consequences. Prior to the opening of the Port, the Guard Post Cluster was only accessible internally from the School network. The opening of the Port was meant to be temporary for the purposes of the Remote Troubleshooting, but the Organisation’s Representative (the “Representative”) conducting the troubleshooting forgot to close the Port and restore the School’s original firewall configuration after the troubleshooting was completed. The disabling of the password for the VNC Server software meant that access to the Guard Post Cluster could be easily gained simply with knowledge of the Port number and the IP address of the Attendance Server. 
This combination of actions led to the creation of a vulnerability in the School’s Guard Post Cluster (the “Vulnerability”) – a vulnerability that would later be exploited by a hacker. 6 The Organisation took the view that the hacker exploited the Vulnerability to retrieve a configuration file stored on the Guard Post Cluster. The Commissioner believes that this is a logical explanation of how the hack occurred. This configuration file was supposed to be stored only on the School’s Attendance Server, but had inadvertently been copied to the Guard Post Cluster. This had occurred as the Organisation had stored the configuration file in a folder on the Attendance Server that also held firmware update files for the Guard Post Cluster (the “Update Folder”); the Update Folder would be periodically synced with the relevant components of the Guard Post Cluster in the School in order to “push down” firmware updates from the Attendance Server to these components at the Guard Post Cluster. A copy of the configuration file was therefore copied to the Guard Post Cluster during one of the periodic firmware updates. 7 The purpose of the configuration file was to enable the School’s Attendance Server (using the Representative’s work email as a relay) to send attendance reports to the School’s staff. To facilitate this function, the configuration file contained the login credentials of the Representative’s work email. The hacker was thus able to obtain the login credentials from the copy of the configuration file retrieved from the Guard Post Cluster, and thereby gain access to the Representative’s work email account. The Representative’s work email account contained the unencrypted personal data of approximately 47,802 staff, students, and students’ parents of various schools (the “Personal Data”). 
The Personal Data exfiltrated by the hacker included information such as: (a) Names; (b) NRIC numbers; (c) Contact numbers; (d) Email addresses; (e) Addresses; and (f) Medical information, which relate to approximately 372 students. 8 The Personal Data was in the Representative’s email as the Organisation had assisted the schools to upload the data onto the respective schools’ attendance-taking and/or e-learning systems. The Representative had received the Personal Data via email for the purposes of uploading, but had not deleted these emails after performing the upload as it was thought that it might be useful to retain the Personal Data for future reference. 9 The breach of the School’s attendance-taking system and the Representative’s work email, together with the resulting exfiltration of the Personal Data, were only discovered in February 2017 by the Singapore Police Force (“SPF”) in the course of investigating a separate hacking incident1. The Personal Data Protection Commission (“PDPC”) was informed of the matter and thereafter commenced its own investigations. The Commissioner’s Findings and Basis for Determination The Relevant PDPA Provisions 10 In respect of this matter, the relevant provision is Section 24 of the PDPA. Section 24 requires an organisation to protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks (the “Protection Obligation”). Preliminary Issues 11 It is not disputed that the Personal Data is “personal data” as defined in section 2(1) of the PDPA. There is no question or dispute that the Organisation falls within PDPA’s definition of an “organisation”. There is also no dispute that Personal Data was, at all material times, in the Organisation’s possession and that the Organisation was responsible for the Personal Data. 
12 In the course of investigations, it was determined that the Organisation was at all material times an independent third party service provider to, and therefore was not acting on behalf of, MOE or any of the various schools it provided IT services to. The Organisation also did not raise the applicability of section 4(1)(c) of the PDPA at any time. In the circumstances, section 4(1)(c) of the PDPA does not apply. 13 The key issue is therefore whether the Organisation had protected the Personal Data in its possession by making reasonable security arrangements to prevent unauthorised access and similar risks. The Organisation failed to make reasonable security arrangements 14 After a review of all the evidence obtained by PDPC during its investigation and for the reasons set out below, the Commissioner is of the view that the Organisation had failed to make reasonable security arrangements to protect the personal data in its possession, and has thereby breached the Protection Obligation under section 24 of the PDPA. This data breach incident occurred due to a series of lapses on the part of the Organisation, all of which could have been reasonably averted. 15 First, the Organisation opened a Port and reconfigured the School’s Intranet Firewall to allow remote access to the School’s Guard Post Cluster, while simultaneously disabling the password for remote access to the Guard Post Cluster, thereby creating the Vulnerability. In addition, the Representative conducting the Remote Troubleshooting forgot to close the Port, leaving the Vulnerability exposed from March 2016 until end-April 2016, when the Vulnerability was discovered because the Organisation was subsequently requested to troubleshoot the Guard Post Cluster again in or around April 2016. 1 This hacking incident, and the Singapore Police Force’s investigations, are not the subject of these Grounds of Decision. 
16 It bears noting that the Organisation did not inform the School that it had made changes to the configuration of the School’s Intranet firewall during the Remote Troubleshooting. The changes made to the configuration of the Intranet firewall in this matter were a clear security lapse borne from convenience; in attempting to get around the need to be physically present in the School, the Organisation undermined the security arrangements in place and allowed the hacker to obtain the configuration file. This was exacerbated by the Organisation’s failure to inform the School of these configuration changes. 17 Second, the configuration file (containing the login credentials of the Representative’s work email account) was supposed to be stored only in the School’s Attendance Server. As described at [6] above, this configuration file had been inadvertently copied to the Guard Post Cluster, where the Vulnerability existed as a point of entry for the hacker, which allowed the hacker to consequently gain access to the configuration file. 18 The hacker was thus able to obtain the login credentials of the work email account where the unencrypted Personal Data was stored. The Organisation has represented to PDPC that the email accounts and passwords contained in the configuration file were listed in a jumbled up or random manner, such that it would not have been apparent which email account corresponded with which password. Such an approach falls far below the level of sophistication which one would expect login credentials to be secured with. A relatively low-degree brute-force attack (i.e. trial and error) would be all that was required to match an email account with its corresponding password. The Organisation failed to appreciate the consequences of placing the configuration file with the login credentials – a file that effectively contained the proverbial keys to the kingdom – in the Update Folder of the Attendance Server. 
Allowing a file that contained sensitive information such as login credentials to be copied to each of the clusters represents a clear lapse in the Organisation’s security arrangements. The less-than-secure manner in which the login credentials were stored and dealt with within their own system was an issue that the Organisation should and could have been reasonably alive to. 19 Third, the Personal Data was sent to and stored in the Representative’s work email account in an unencrypted form. The PDPC encourages the encryption of personal data that is sensitive or when sent in bulk. As this case demonstrated, personal data sent in bulk were stored in the clear in the Representative’s email account, effectively giving the hacker free rein to access the information once access to the email account was obtained. The originator of the Personal Data shared some of the blame in failing to encrypt the file. But the risks would not have materialised had the Representative deleted the email containing the Personal Data once his task was completed (e.g. uploading of data). This he failed to do. He kept the email containing the Personal Data, just in case he needed it in the future. If there was a valid legal or business purpose for retaining a copy of the Personal Data for an extended period of time, it should not have been retained in the Representative’s work email account in an unencrypted format. The Organisation could have downloaded a copy of such data into a computer and encrypted the same if it needed to retain it (and thereafter deleted the originating email and attachment). This is a basic security arrangement that could have been reasonably expected of the Organisation. 20 The Organisation’s inadequate security measures were therefore directly responsible for the breach and exfiltration of the Personal Data. 
Any of the individual lapses on their own would have been a cause for concern; combined together, the lapses created the perfect opportunity for any opportunistic hacker armed with basic hacking tools to strike. 21 Based on the foregoing, the Commissioner finds that the Organisation has breached the Protection Obligation under section 24 of the PDPA. The Commissioner’s Directions 22 Having found the Organisation to be in breach of section 24 of the PDPA, the Commissioner is empowered under Section 29 of the PDPA to give the Organisation such directions as he deems fit to ensure compliance with the PDPA. 23 In determining the appropriate directions to be imposed on the Organisation, the Commissioner has taken into account the following aggravating factors: (a) In the course of its work with the schools and MOE, the Organisation was handling large volumes of personal data relating to minors, including sensitive personal data such as their medical information, family structure and NRIC numbers. The unauthorised disclosure of such data could potentially have caused significant harm. (b) The Vulnerability was left unattended for a period of more than a month during which other hackers could have easily obtained access to the Personal Data2. (c) Actual data exfiltration had taken place. 24 To its credit, the Organisation acted fairly swiftly to address the causes of the breach once they were made aware of the same, a response which carries some mitigating value. 2 During the investigations, there had been some uncertainty as to the duration for which the Vulnerability was left uncorrected. This is further discussed at [27] below. 
The following remedial actions taken by the Organisation have therefore been taken into account: (a) Changed the passwords for all the Organisation’s work email accounts; (b) Activated Two Factor Authentication for all of the Organisation’s work email accounts after being informed of the data breach by SPF; (c) Deleted all emails with the Personal Data from the Organisation Representative’s work email account; (d) Deleted the configuration file from the Guard Post Cluster; (e) Implemented a new practice of having the Organisation’s representatives delete emails from their work email account once action has been taken in respect of the same; and (f) Put in place a script to ensure that the Update Folder of the Attendance Server only contains essential php files such as system codes, and that any non-essential files are automatically deleted prior to the syncing of the Update Folder with the other attendance clusters in the School. The Organisation’s Representations 25 The Organisation made representations to the PDPC, in particular to reduce the quantum of the financial penalty imposed, after the preliminary decision was issued to the Organisation. The Organisation’s representations are addressed as follows. 26 First, the Organisation represented that the total number of individuals affected was 35,000 (and not 60,000 according to initial calculations), and that the total number of students whose medical data was accessed and exfiltrated was 372. PDPC has reviewed the evidence and determined that the number of unique individuals affected by the incident was 47,802. The Commissioner accepts that 372 individuals’ medical data was accessed. The financial penalty has, therefore, been adjusted to take into account the number of individuals whose medical data was accessed and exfiltrated and the reduction in the number of affected individuals. 
27 Second, the Organisation represented that the Vulnerability had been discovered and fixed sometime at the end of April 2016 when the Organisation was requested to troubleshoot the Guard Post Cluster again (as described in [15]). The Organisation had previously indicated that they were unaware of the duration during which the Vulnerability was left uncorrected. In the circumstances, the financial penalty quantum was initially based on the Vulnerability having only been corrected on or about February 2017 when the Organisation was notified of the incident by SPF in the course of investigating a separate hacking incident. The Commissioner has given the Organisation the benefit of the doubt as to the period of time the Vulnerability existed and has adjusted the quantum of the financial penalty accordingly. 28 Third, the Organisation also represented that the medical information subject to unauthorised access relates to types of medical conditions3 which it asserts are non-sensitive in nature. However, the medical data that was accessed was those of minors, i.e. less than 21 years of age. Medical data and personal data of minors is treated as being sensitive in nature4. For such sensitive personal data, organisations are required to take extra precautions and ensure higher standards of protection under the PDPA. 3 For instance, colour vision; whether the student was on regular medication; respiratory disorders; allergies; asthma; epilepsy; heart condition; ear disorder; hearing loss; periodic loss of consciousness; and modified exercise. 29 Fourth, the Organisation represented that it had requested the schools to upload personal data on their own, to limit any personal data sent to the Organisation to what is absolutely necessary, and if the schools were to send data via email, to password protect the data file attachments. 
However, the preferred practice of many of the schools was to send unencrypted personal data to the Organisation for it to be uploaded. To give the Organisation the benefit of the doubt, even if it is accepted that the Organisation had informed the schools to password protect data file attachments sent by email, the evidence shows that this policy was not observed in practice. Merely having a policy is not a sufficient security arrangement, particularly when this policy is observed only in its breach. 30 As a corollary to the above point, the Organisation also represented that “as a vendor and a small enterprise serving the educational institutions, [the Organisation was] understandably subservient to the decisions of their customers”. If the Organisation chooses to accede and upload the personal data that was sent to its email account, then it ought to have reviewed its policies and implemented different security arrangements to protect such personal data, e.g. by deleting file attachments containing personal data promptly. 4 See Advisory Guidelines on the Personal Data Protection Act for Selected Topics at [8.12] and Singapore Taekwondo Federation [2018] SGPDPC 17 at [22] to [27]. 31 Fifth, the Organisation represented that its practices were to delete emails containing personal data when no longer required (e.g. after uploading onto the appropriate databases), and that the reason that the attacker was able to gain access to so many email attachments containing Personal Data is because he had access to the email account for 3 months. While this may be true, the Organisation previously admitted that emails containing Personal Data would still be required to address enquiries from schools, and thus, were retained in the Representative’s email account for months (and not immediately deleted after uploading). 
As stated in [19], the fact that the Personal Data was retained in such a manner facilitated the hacker’s access to the Personal Data; if the Organisation needed to keep the Personal Data for operational purposes, it should have properly secured it. 32 Sixth, the Organisation represented that the following should be taken into account as mitigating factors: (a) it was a victim of a cyberattack that had maliciously exploited the lapses on the part of the Organisation; (b) the Organisation tried their even best to secure personal data, but its lone efforts were insufficient without reciprocation from the schools; and (c) based on SPF’s investigations there was no evidence of further exploitation, use or disclosure of the Personal Data by the attacker. 33 With respect to [32(a)], it should be reiterated that being a cyberattack victim is not in itself a mitigating factor, especially in this case where the lapses of the Organisation, including the existence of the Vulnerability, were such that the attacker would not require sophisticated means to obtain unauthorised access to the Personal Data. 34 Paragraph [32(b)] has been addressed above5. With respect to [32(c)], while there was actual exfiltration of the Personal Data in this case6, there was no evidence of further exploitation, use or disclosure of the Personal Data by the attacker. This has been taken into account in the revised financial penalty. 35 Finally, the Organisation also sought to compare the penalty imposed against it with that of previous cases7. However, the cases cited dealt with identification data while this case involved medical data of minors. The Commissioner is satisfied that the financial penalty imposed in this case is justified, in particular given the aggravating factors set out above at [23]. 
36 Having considered all the relevant factors of the case, the Commissioner hereby directs the Organisation to pay a financial penalty of S$60,000.00 within 30 days from the date of the Commissioner’s direction, failing which interest at the rate specified in the Rules of Court in respect of judgment debts shall accrue and be payable on the outstanding amount of the financial penalty until the financial penalty is paid in full. YEONG ZEE KIN DEPUTY COMMISSIONER FOR COMMISSIONER FOR PERSONAL DATA PROTECTION 5 See [29] and [30]. 6 This has been taken into account as an aggravating factor, see [23(c)]. 7 Specifically, Re K Box Entertainment Group Pte Ltd [2016] SGPDPC 1, Re JP Pepperdine Group Pte Ltd [2017] SGPDPC 2, and Re Orchard Turn Developments Pte Ltd [2017] SGPDPC 12. ",Financial Penalty,4688b3584b68394e1105d7f6245cbffdd9d23107,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]"