_commit_at,_commit_hash,_id,_item,_version,_commit,description,tags,date,pdf-url,nature,title,url,timestamp,pdf-content,decision,_item_full_hash,_changed_columns
2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,73,73,1,952,A warning was issued to Water + Plants Lab for failing to put in place reasonable security arrangements to protect the personal data of its employees. The incident resulted in the personal data being subjected to a ransomware attack.,"[""Protection"", ""Warning"", ""Scientific and Technical"", ""Ransomware"", ""No Security Arrangements"", ""No Patching""]",2020-12-18,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision--Water--Plants-Lab-Pte-Ltd--181120.pdf,Protection,Breach of the Protection Obligation by Water + Plants Lab,https://www.pdpc.gov.sg/all-commissions-decisions/2020/12/breach-of-the-protection-obligation-by-water--plants-lab,2020-12-18,"PERSONAL DATA PROTECTION COMMISSION Case No. DP-2004-B6182 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Water + Plants Lab Pte. Ltd. SUMMARY OF THE DECISION 1. On 9 April 2020, Water + Plants Lab Pte. Ltd. (the “Organisation”) informed the Personal Data Protection Commission of a ransomware infection that rendered the Organisation’s server (the “Server”) inaccessible to the Organisation (the “Incident”). 2. The Incident occurred on or around 30 March 2020. Personal data of 28 employees were encrypted by the ransomware. The personal data affected included the employees’ name, NRIC/FIN/Work Permit number, address, date of birth, mobile number and photograph. 3. Investigations revealed that an employee from the Organisation had downloaded and opened an email attachment that contained ransomware. At the time of the Incident, the Organisation had some security measures in place, for example, it had anti-virus protection, and access rights and password control for the Server. 
It also had a good practice of performing regular backup of its Server, and most of the data was successfully restored from an external backup. The Organisation therefore suffered minimal data loss as a result of the Incident. 4. However, as admitted by the Organisation, it had not carried out any patching and security scanning of the Server in the 12 months preceding the Incident. Patching and regular security scanning are important security measures to prevent vulnerabilities in an organisation’s ICT systems which a hacker may exploit in compromising personal data. For this reason, the Deputy Commissioner for Personal Data Protection found that the Organisation had failed to protect the personal data in its possession or under its control, in breach of section 24 of the Personal Data Protection Act 2012. 5. Following the Incident, the Organisation installed a firewall with greater capabilities to protect the Organisation against external threats, for example, possessing deeper content inspection capabilities to identify malware. The Organisation had also conducted staff training on personal data protection and on how to identify security threats. 6. Upon consideration of the facts, including the impact from the breach, the remediation action taken by the Organisation and that there was no evidence of exfiltration of the data in the Server, the Deputy Commissioner issued a warning to the Organisation. ",Warning,eee08e16b63cd4fae6c7d3775b36bf12d04f634d,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]"
2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,74,74,1,952,A warning was issued to R.I.S.E Aerospace for failing to put in place reasonable security arrangements to protect the personal data of its employees from unauthorised disclosure. 
The incident resulted in the personal data being subjected to a ransomware attack.,"[""Protection"", ""Warning"", ""Manufacturing"", ""Ransomware"", ""No Security Arrangements"", ""IT security policies""]",2020-12-18,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---RISE-Aerospace-Pte-Ltd---131120.pdf,Protection,Breach of the Protection Obligation by R.I.S.E Aerospace,https://www.pdpc.gov.sg/all-commissions-decisions/2020/12/breach-of-the-protection-obligation-by-rise-aerospace,2020-12-18,"PERSONAL DATA PROTECTION COMMISSION Case No. DP-2007-B6832 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And R.I.S.E Aerospace Pte. Ltd. SUMMARY OF THE DECISION 1. On 25 August 2020, R.I.S.E Aerospace Pte Ltd (the “Organisation”) notified the Personal Data Protection Commission (the “Commission”) of a ransomware infection that had rendered its network storage server inaccessible to the Organisation (the “Incident”). 2. The Incident occurred on or about 23 August 2020. Personal data of 21 employees were encrypted by the ransomware. The personal data encrypted included the name, address, contact number, NRIC number, Work Permit details, passport details, redacted bank account numbers, and child’s date of birth. 3. Investigations revealed that the Organisation had not implemented adequate technical security arrangements to protect the personal data in its possession or control; in particular, the Organisation did not carry out any security scans or perform updates to the server firmware despite being prompted to do so by the device manufacturer. In addition, the Organisation did not put in place any documented form of IT security policies, such as a password policy or policies for patching and updating of the company server. These failings had resulted in a system that had vulnerabilities which a hacker could exploit by injecting ransomware into the server. 4. 
Following the Incident, the Organisation discontinued the use of its network storage server and opted for cloud storage instead. Additionally, the Organisation also decided to encrypt all its sensitive data and only store them on offline devices. 5. In the circumstances, the Deputy Commissioner for Personal Data Protection finds the Organisation in breach of the Protection Obligation under section 24 of the Personal Data Protection Act 2012 (the “PDPA”) and took into account the following factors in deciding to issue a Warning to the Organisation: a. The low number of affected individuals; b. There was no evidence that the personal data affected in the Incident had been misused in any form; c. The Organisation had a backup copy of the encrypted personal data and did not lose any personal data as a result of the Incident; and d. The Organisation voluntarily notified the Commission of the Incident. 6. In view of the remedial actions taken by the Organisation, the Commission will not be issuing any other directions. ",Warning,1400daa426845ef3c61fb74391afd631da480958,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]"
2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,75,75,1,952,"A financial penalty of $8,000 was imposed on Hello Travel for failing to put in place reasonable security arrangements to protect the personal data of its members from unauthorised disclosure.","[""Protection"", ""Financial Penalty"", ""Information and Communications"", ""Expedited"", ""Exploitation"", ""Vulnerability""]",2020-12-18,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Hello-Travel-Pte-Ltd---301020.pdf,Protection,Breach of Protection Obligation by Hello Travel,https://www.pdpc.gov.sg/all-commissions-decisions/2020/12/breach-of-protection-obligation-by-hello-travel,2020-12-18,"PERSONAL DATA PROTECTION COMMISSION Case No. 
DP-2004-B6189 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Hello Travel Pte. Ltd. SUMMARY OF THE DECISION 1. On 8 April 2020, the Personal Data Protection Commission (the “Commission”) received information that a database belonging to Hello Travel Pte Ltd (the “Organisation”) was posted on an internet forum and was thus made publicly available (the “Incident”). 2. The Organisation subsequently requested that this matter be handled under the Commission’s expedited breach decision procedure. In this regard, the Organisation voluntarily provided and unequivocally admitted to the facts set out in this decision. It also admitted that it was in breach of section 24 of the Personal Data Protection Act (the “PDPA”). 3. The compromised database contained the personal data of approximately 71,002 users who had created accounts at the Organisation’s website (www.havehalalwilltravel.com) from February 2015 to July 2018. The disclosed personal data included their name, email address, date of birth, nationality and phone number. The table below summarises the number of affected individuals for each corresponding type of personal data disclosed: S/N, Type of Personal Data, Number of Individuals Affected: 1 Name 71,002; 2 Email Address 57,693; 3 Phone Number 453; 4 Date of Birth 946; 5 Nationality 20,754. 4. The Organisation’s internal investigations pointed to a possible hack as the cause of the Incident. Sometime in 2018, the server instance which hosted the Organisation’s website and the database became corrupted and unusable after the installation of a free open source WordPress plugin. The Organisation believed that unknown parties could have exploited vulnerabilities of the installed plugin at that time and exfiltrated the database. 5. 
The Organisation admitted that it did not give due attention to personal data protection and had neglected to put in place basic procedural and technical security arrangements to protect the personal data in its possession and control. As examples, it did not have the relevant policies and/or protocols in place to perform regular system patching or to conduct security assessment and/or testing when making changes to its ICT systems. 6. In the circumstances, the Deputy Commissioner for Personal Data Protection finds the Organisation in breach of the Protection Obligation under section 24 of the Personal Data Protection Act 2012 (the “PDPA”). 7. Following the incident, the Organisation implemented technical measures to secure its systems from potential vulnerabilities. The personal data of its members were also encrypted immediately. Additionally, the Organisation had engaged relevant parties to take down the compromised database and informed the affected individuals of the Incident. 8. In determining the directions, if any, to be imposed on the Organisation, the Deputy Commissioner took into account the following factors: Aggravating factors (a) The high number of individuals affected; (b) The fact that personal data was exfiltrated and posted online; and (c) The Organisation did not put in place basic procedural and technical security arrangements. Mitigating factors (a) The Organisation had cooperated with the investigation; (b) The Organisation’s upfront voluntary admission of liability to a breach of the Protection Obligation under the PDPA; (c) The Organisation’s prompt remedial actions at [7] to address the inadequacies in its procedures and processes; and (d) There was no evidence that the personal data affected in the Incident had been misused in any form. 9. 
In the course of settling this decision, the Organisation made representations on the amount of financial penalty which the Commission intends to impose and requested that the financial penalty be paid in instalments. The Organisation raised the following factors for the Commission’s consideration: (a) The Organisation had been suffering substantial loss due to the impact to the travel industry by the Covid-19 pandemic; and (b) The Organisation had already spent quite a substantial amount of money to fix the security breach. 10. Having carefully considered the representations, the Deputy Commissioner has decided to reduce the financial penalty to the amount set out in [11a] and is agreeable for the financial penalty to be payable in instalments. The quantum of financial penalty has been calibrated after due consideration of the Organisation’s financial circumstances due to the unprecedented challenges faced by businesses amid the current Covid-19 pandemic, bearing in mind that financial penalties imposed should not be crushing or cause undue hardship on organisations. Although a lower financial penalty has been imposed in this case, the quantum of financial penalty should be treated as exceptional and should not be taken as setting any precedent for future cases. 11. Taking into account all relevant facts and circumstances, the Deputy Commissioner hereby directs the Organisation to: (a) Pay a financial penalty of $8,000 in 10 instalments by the due dates as set out below, failing which, the full outstanding amount shall become due and payable immediately and interest at the rate specified in the Rules of Court in respect of judgment debts shall accrue and be payable on the outstanding amount of such financial penalty until the financial penalty is paid in full: i. 1st instalment of $800 on 1 January 2021; ii. 2nd instalment of $800 on 1 February 2021; iii. 3rd instalment of $800 on 1 March 2021; iv. 4th instalment of $800 on 1 April 2021; v. 
5th instalment of $800 on 1 May 2021; vi. 6th instalment of $800 on 1 June 2021; vii. 7th instalment of $800 on 1 July 2021; viii. 8th instalment of $800 on 1 August 2021; ix. 9th instalment of $800 on 1 September 2021; and x. 10th instalment of $800 on 1 October 2021. 12. In view of the remedial actions taken by the Organisation, the Deputy Commissioner will not be issuing any other directions. ",Financial Penalty,4d881a08a671b9937b7e44b95f8f13e43eadd144,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]"
2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,76,76,1,952,"Directions were imposed on Everlast Projects, Everlast Industries (S) and ELG Specialist for breaches of the PDPA. First, the organisations failed to put in place reasonable measures to protect their employees’ personal data. Second, they did not have written policies and practices necessary to ensure their compliance with the PDPA.","[""Accountability"", ""Protection"", ""Directions"", ""Construction"", ""No Policy"", ""Ransomware""]",2020-12-18,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Everlast-Projects-and-Others---301020.pdf,"Accountability, Protection","Breach of the Accountability and Protection Obligations by Everlast Projects, Everlast Industries (S) and ELG Specialist",https://www.pdpc.gov.sg/all-commissions-decisions/2020/12/breach-of-the-accountability-and-protection-obligations-by-everlast-projects,2020-12-18,"PERSONAL DATA PROTECTION COMMISSION [2020] SGPDPC 20 Case No. DP-1908-B4369 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And (1) Everlast Projects Pte Ltd (2) Everlast Industries (S) Pte Ltd (3) ELG Specialist Pte Ltd … Organisations DECISION Everlast Projects Pte Ltd & Others [2020] SGPDPC 20 Yeong Zee Kin, Deputy Commissioner — Case No. DP-1908-B4369 30 October 2020 Introduction 1 On 29 September 2019, Everlast Projects Pte Ltd (“EPPL”) notified the Personal Data Protection Commission (“Commission”) that its server (“Server”) had been hacked and all the files within it were encrypted by ransomware sometime in August 2019 (the “Incident”). Facts of the Case 2 EPPL, Everlast Industries (S) Pte Ltd (“EIPL”) and ELG Specialist Pte Ltd (“ESPL”) (collectively, the “Organisations”) specialise in the supply and installation of architectural metal works, glass and aluminium products. The Organisations are owned by the same shareholder, managed by the same directors, and operate from common premises. Two of the Organisations also have a common name, “Everlast”. The Organisations operated like a group of companies and centralised their payroll processing, such that the human resources (“HR”) department of EPPL was in charge of processing payrolls of not only its own employees, but also the employees of EIPL and ESPL. The Organisations’ employees’ personal data were stored in the Server, which was owned and maintained by EPPL. 3 On 10 August 2019, EPPL discovered the Incident. EPPL had both an onsite physical backup and a secondary cloud backup of the contents of the Server. The physical backup was affected by the ransomware and rendered unusable. A total of 384 individuals were affected by the Incident (the “Affected Employees”): Name of Organisation, Number of employees affected: EPPL 141; EIPL 239; ESPL 4; Total number of individuals 384. 4 The types of personal data of the Affected Employees that were at risk of unauthorised access included the following (collectively, the “Personal Data Sets”): (a) Name; (b) NRIC/FIN number; (c) Date of birth; (d) Bank account details; and (e) Information relating to salary. 5 The cause of the ransomware infection was not identified. EPPL’s investigations could not determine how the ransomware gained entry to the Server. EPPL was also unable to confirm whether any of the Personal Data Sets had been exfiltrated as a result of the Incident. 6 Upon discovery of the Incident, EPPL took prompt remedial action by ceasing to use the Server immediately. Findings and Basis for Determination 7 The two issues to be determined in this case are as follows: (a) Whether the Organisations had each complied with their obligations under section 12 of the Personal Data Protection Act 2012 (the “PDPA”); and (b) Whether the Organisations had each complied with their obligations under section 24 of the PDPA. Whether EPPL, EIPL and ESPL had each complied with their obligations under section 12 of the PDPA 8 Section 12 of the PDPA requires organisations to, inter alia, develop and implement policies and practices that are necessary for the organisation to meet its obligations under the PDPA, and to communicate information about such policies and practices to its staff (the “Accountability Obligation”). 9 In this regard, it is important to reiterate that an organisation’s Data Protection Policies should be documented in a written policy, as per Re Furnituremart.sg [2017] SGPDPC 7 at [14]: “[t]he lack of a written policy is a big drawback to the protection of personal data. Without having a policy in writing, employees and staff would not have a reference for the Organisation’s policies and practices which they are to follow in order to protect personal data. Such policies and practices would be ineffective if passed on by word of mouth, and indeed, the Organisation may run the risk of the policies and practices being passed on incorrectly. Having a written policy is conducive to the conduct of internal training, which is a necessary component of an internal data protection programme.” 10 As mentioned at [2], EPPL, EIPL and ESPL operated as a group of companies in the sharing of payroll processing services, which are centralised within the HR department of EPPL. The Commission recognises the commercial benefits which arise from centralising common corporate functions within a group of companies. In such situations, one entity (the “Servicing Organisation”) provides corporate services to other entities in the same corporate group (each a “Contracting Organisation”). If the shared common corporate services involve the processing of personal data, the Servicing Organisation would be acting as a data intermediary for each Contracting Organisation. [Footnote 1: See the Commission’s Advisory Guidelines on Key Concepts in the PDPA (revised 2 June 2020) at [6.28].] 11 The common corporate service shared by the Organisations in the present case was the payroll processing function. EIPL and ESPL were therefore permitted to collect, without consent, their respective Affected Employees’ Personal Data Sets and disclose the same to EPPL for the purposes of managing the employment relationship. [Footnote 2: See Second Schedule of the PDPA, para 1(o) and Fourth Schedule of the PDPA, para 1(s).] In these circumstances, EPPL was: (a) A data controller with respect to its own Affected Employees’ Personal Data Sets; and (b) EIPL and ESPL’s data intermediary with respect to their respective Affected Employees’ Personal Data Sets that EPPL was processing on their behalf. 12 The Organisations admitted that they did not have any written data protection policies and relied only on verbal instructions to employees. Although the Organisations are in the construction industry and, in this case, do not typically collect personal data from customers, the Accountability Obligation required the Organisations to put in place data protection policies in relation to the protection of personal data of their respective employees. 13 In this regard, organisations operating as a group of companies may comply with the Accountability Obligation through binding group-level written policies or intra-group agreements that set out a common and binding standard for the protection of personal data across all organisations in the same corporate group. These binding group-level written policies or intra-group agreements are akin to binding corporate rules (“BCRs”) imposed by an organisation on its overseas recipient of the personal data (in compliance with the Transfer Limitation Obligation under Section 26(1) of the PDPA), which oblige the overseas recipient to provide a standard of protection to the transferred personal data that is at least comparable to that under the PDPA. [Footnote 3: The Transfer Limitation Obligation under Section 26 of the PDPA requires an organisation that transfers personal data to a country or territory outside of Singapore to take appropriate steps to ensure that the recipient of personal data is bound by legally enforceable obligations to provide to the transferred personal data a standard of protection that is at least comparable to that under the PDPA.] Where the corporate group is a multinational corporation (“MNC”) and the Contracting Organisation transfers personal data to an overseas Servicing Organisation, the binding group-level written policies, intra-group agreements or BCRs which meet the requirements of the Protection Obligation under section 24 of the PDPA [Footnote 4: The Protection Obligation is explained at paragraph 14.] would also meet the requirements of section 26(1) of the PDPA in relation to the Protection Obligation. [Footnote 5: See, for illustration, Re Cigna Europe Insurance Company S.A.-N.V. [2019] SGPDPC 18 at [13].] 14 In the present case, the Organisations did not have any such binding group-level written policies, intra-group agreements or BCRs. In the circumstances, I find each of EPPL, EIPL and ESPL in breach of the Accountability Obligation. Whether EPPL, EIPL and ESPL had contravened section 24 of the PDPA 15 Section 24 of the PDPA requires an organisation to protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification or similar risks (the “Protection Obligation”). The obligation to make reasonable security arrangements does not attach unless the organisation is in possession or control of personal data. 16 As mentioned at [10], EPPL was (i) a data controller with respect to its own Affected Employees’ Personal Data Sets; and (ii) EIPL and ESPL’s data intermediary with respect to their Affected Employees’ Personal Data Sets that EPPL was processing on their behalf. In this regard, EPPL, EIPL and ESPL had possession and/or control of the Affected Employees’ Personal Data Sets at the material time. (a) EPPL was in possession and control of the Affected Employees’ Personal Data Sets. This was because the Organisations’ payroll processing functions were centralised within the HR department of EPPL. (b) While EIPL and ESPL did not have possession of their respective Affected Employees’ Personal Data Sets because they were centrally hosted on EPPL’s Server, I find that EIPL and ESPL remained in control of their respective Affected Employees’ Personal Data Sets as data controllers. This is because the processing of EIPL’s and ESPL’s Affected Employees’ Personal Data Sets by EPPL was for EIPL’s and ESPL’s respective business purposes. [Footnote 6: See Re The Cellar Door Pte Ltd and another [2016] SGPDPC 22 at [17] – [18]; Re AIG Asia Pacific Insurance Pte Ltd [2018] SGPDPC 8 at [18].] 17 Each of the Organisations was therefore obliged to put in place reasonable security arrangements to protect the Affected Employees’ Personal Data Sets, including preventing the risk of unauthorised modification. In the present case, the Commission’s investigations into the Incident revealed that the ransomware had encrypted all the files in the Server and its physical backup, including the Affected Employees’ Personal Data Sets. The unauthorised modification of the Affected Employees’ Personal Data Sets by the ransomware made them unreadable and unusable. 18 It is well established that a data controller should have in place a written contract with its data intermediary that clearly specifies the data intermediary’s obligation to protect personal data. [Footnote 7: See the Commission’s Guide on Data Protection Clauses for Agreements relating to the Processing of Personal Data (20 July 2016) at [4]; Re Singapore Telecommunications Limited [2017] PDPC 4 at [14].] That said, the relationship between the Organisations is a relevant factor in determining the reasonable security measures expected of them to comply with the Protection Obligation. In this regard, for a group of companies, the written contract requirement between a Servicing Organisation and the Contracting Organisation may be met by binding group-level written policies, intra-group agreements or BCRs as discussed at [13] above. 19 In addition to a written agreement specifying data protection requirements, a Contracting Organisation should also implement operational processes so as to be able to exercise some form of supervision or control over the activities of the Servicing Organisation when it processes personal data on the Contracting Organisation’s behalf. [Footnote 8: The Commission’s Advisory Guidelines on Key Concepts in the PDPA (revised 2 June 2020) at [17.5] provides that “[e]nsuring that IT service providers are able to provide the requisite standard of IT security” is an example of a technical measure an organisation may use to protect personal data.] Where the Servicing Organisation has specialised knowledge, skills and/or tools for processing personal data, having a robust audit framework could be an appropriate form of oversight. This may be particularly suited for MNCs which typically conduct periodic internal and/or external audits and assessments to monitor compliance by each organisation within the corporate group. [Footnote 9: As an example, see Re Cigna Europe Insurance Company S.A.-N.V. [2019] SGPDPC 18 at [7(c)].] Conversely, small and medium-sized enterprises that only operate in Singapore are less likely to conduct such compliance audits on each organisation in the corporate group in the areas of cybersecurity and/or data protection. In such situations, appropriate oversight could involve simpler processes. For example, requiring the Servicing Organisation to explain to the Contracting Organisation the measures which would be taken to secure personal data, with appropriate documentation to evidence this process (e.g. written acknowledgement given by the Contracting Organisation to the Servicing Organisation), and to provide regular reports showing that it has put these processes in place. 20 In the present case, both EIPL and ESPL failed to put in place reasonable security arrangements to ensure that EPPL (who was their data intermediary for the purposes of payroll processing) would protect their respective Affected Employees’ Personal Data Sets. There was no written contract, intra-group agreement or group-level written policies/BCRs setting out data protection requirements that EPPL was obliged to comply with when processing EIPL’s and ESPL’s respective Affected Employees’ Personal Data Sets. Notwithstanding that the Organisations conducted their business operations from the same premises, both EIPL and ESPL also did not implement any operational processes to supervise or exercise some form of control over EPPL to ensure EPPL protected their Affected Employees’ Personal Data Sets. In the circumstances, I find each of EIPL and ESPL in breach of the Protection Obligation. 21 EPPL was also obliged to comply with the Protection Obligation. As mentioned in [10], it was: (i) a data controller with respect to its own Affected Employees’ Personal Data Sets; and (ii) EIPL and ESPL’s data intermediary with respect to their Affected Employees’ Personal Data Sets. The Commission’s investigations revealed that EPPL did not put in place reasonable security arrangements to protect the Personal Data Sets as explained below: (a) EPPL did not install a firewall for the Server. Without a firewall, the Server and corporate network were vulnerable to web-based security threats; [Footnote 10: The Commission’s Guide to Securing Personal Data in Electronic Medium (20 January 2017) at [9.1] states as follows: “It is important for an organisation to ensure that its corporate computer networks are secure. Vulnerabilities in the network may allow cyber intrusion, which may lead to theft or unauthorised use of electronic personal data. Defences that may be used to improve the security of networks include: […] Firewalls”.] (b) EPPL did not conduct periodic security reviews of its IT systems, including vulnerability scans of the Server, to assess the overall security of its IT infrastructure. The requirement for organisations to conduct periodic security reviews of their IT systems has been emphasised in previous decisions. [Footnote 11: See, for example, Re WTS Automotive Services Pte. Ltd. [2018] SGPDPC 26 at [18], Re Bud Cosmetics [2019] SGPDPC 1 at [24] and Re Chizzle Pte. Ltd. [2019] SGPDPC 44 at [6] to [8].] Conducting regular information and communication technology (“ICT”) security audits, scans and tests to detect vulnerabilities helps organisations to ensure that ICT security controls developed and configured for the protection of personal data are properly implemented. [Footnote 12: Commission’s Guide to Securing Personal Data in Electronic Medium (revised 20 January 2017) at [6.1].] The comprehensiveness of such security reviews should be scoped based on the organisation’s assessment of its data protection needs, and be conducted to a reasonable standard. The scope and level of the review would depend on the type of personal data to be protected. In this case, as the Personal Data Sets included personal data of a financial nature (e.g. information relating to bank accounts and salaries), a higher standard of periodic security review was required of EPPL in order to comply with the Protection Obligation. If EPPL had conducted a security review of its IT system to a reasonable standard, it would have discovered the absence of a firewall for the Server; and (c) EPPL was unable to provide any written IT security policies (e.g. password policy, policies for patching and updating of the company server, etc.). [Footnote 13: The Commission’s Advisory Guidelines on Key Concepts in the PDPA (revised 2 June 2020) at [17.5] provides that “[s]ecurity arrangements may take various forms such as administrative measures, physical measures, technical measures or a combination of these”. Having robust policies and procedures is an example of an administrative measure an organisation may implement by way of security arrangements.] In this regard, EPPL conceded that it did not know what was required in order to protect personal data in electronic form. 22 For the reasons above, I also find EPPL in breach of the Protection Obligation. Directions 23 In determining the directions, if any, to be imposed on EPPL, EIPL and ESPL under section 29 of the PDPA, I took into account the following factors: (a) The Organisations had voluntarily notified the Commission of the Incident; (b) The Commission did not receive any complaints of the Personal Data Sets being disclosed online or otherwise misused; (c) There was no evidence of exfiltration of the Personal Data Sets; and (d) An imposition of a financial penalty would impose a crippling burden and cause undue financial hardship due to the financial position of the Organisations. 24 Having considered all the relevant factors of this case, I direct EPPL, EIPL and ESPL to: (a) Develop and implement intra-group agreements or binding corporate rules that set out a common and binding standard for the processing of personal data when centralising common corporate activities within the group, within 90 days from the date of this direction; (b) Review and ensure that the internal policies within each of EPPL, EIPL and ESPL are in line with the standards set forth in the intra-group agreements or binding corporate rules, within 90 days from the date of this direction; and (c) Inform the Commission of the completion of the directions set out at [23(a)] and [23(b)] within one week. YEONG ZEE KIN DEPUTY COMMISSIONER FOR PERSONAL DATA PROTECTION ",Directions,6bf33286d1c3d26557836242297e0273d9b08921,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]"