_commit_at,_commit_hash,_id,_item,_version,_commit,description,tags,date,pdf-url,nature,title,url,timestamp,pdf-content,decision,_item_full_hash,_changed_columns 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,64,64,1,952,"A warning was issued to Flying Cape, a data intermediary, for failing to put in place reasonable security arrangements to protect the personal data of 191 users of a website. Flying Cape was managing the website on behalf of its client.","[""Protection"", ""Warning"", ""Information and Communications"", ""Ransomware"", ""Data Intermediary"", ""Online Storage Bucket""]",2021-04-15,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Flying-Cape-Pte-Ltd---17032021.pdf,Protection,Breach of the Protection Obligation by Flying Cape,https://www.pdpc.gov.sg/all-commissions-decisions/2021/04/breach-of-the-protection-obligation-by-flying-cape,2021-04-15,"PERSONAL DATA PROTECTION COMMISSION Case No. DP-2011-B7385 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And (1) Flying Cape Pte Ltd (2) ACCA Singapore Pte Ltd SUMMARY OF THE DECISION 1. Sometime between 25 September 2020 and 5 October 2020, the personal data of 191 users (the “Affected Individuals”) of www.accapdhub.com (the “Website”) was exfiltrated by an unauthorised party (the “Incident”). The exfiltrated personal data comprised the names, email addresses and contact numbers of the Affected Individuals (“the Exfiltrated Data”). 2. The Website was owned by ACCA Singapore Pte Ltd (“ACCA”), but hosted, managed, and operated by Flying Cape Pte Ltd (“FCPL”) as ACCA’s data intermediary. FCPL notified the Personal Data Protection Commission (the “Commission”) of the Incident on 12 November 2020, after having received a ransom demand in respect of the Exfiltrated Data. 3. 
Sometime in early September 2020, as part of its management of the Website, FCPL extracted the personal data of the Affected Individuals from the database of the Website into an Excel file. An FCPL employee who was assigned to work with the Excel file failed to protect the file with a password or encrypt it as required by FCPL’s IT policy. Moreover, the employee incorrectly stored the Excel file in a publicly accessible online storage bucket, as opposed to the correct, secured storage bucket. These lapses were believed to have led to the Incident. 4. Pursuant to section 53(1) of the PDPA, FCPL is liable for acts done by its employees. The question therefore becomes whether FCPL had taken reasonable steps to prevent or detect mistakes such as the one made by the employee. The investigations did not surface any arrangements to supervise or verify its employees’ compliance with its internal policies or to detect non-compliance. The Deputy Commissioner for Personal Data Protection therefore found that FCPL had breached the Protection Obligation under section 24 of the Personal Data Protection Act 2012 (the “PDPA”) in respect of the Exfiltrated Data. 5. As the data controller and owner of the Website, ACCA owed the Protection Obligation in respect of the Exfiltrated Data as well. The Deputy Commissioner is satisfied that ACCA discharged this obligation by (i) carrying out a due diligence assessment of FCPL’s data protection policies and practices before their engagement, and (ii) stipulating data protection requirements in its contract when engaging FCPL. 6. Taking into account the circumstances of the case, and in particular the factors below, the Deputy Commissioner for Personal Data Protection found ACCA not in breach of the PDPA and decided to issue a Warning to FCPL: a. The number of the Affected Individuals was low; b. The Exfiltrated Data was of a low sensitivity; c. FCPL took immediate remedial actions to prevent the occurrence of a similar incident; and d. 
FCPL voluntarily notified the Commission of the Incident. 7. In view of the remedial actions taken by FCPL, no directions were issued. ",Warning,816c141c71713a45a7d40c205c4815198b33af42,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,65,65,1,952,A warning was issued to St. Joseph's Institution International for failing to put in place reasonable security arrangements to protect the personal data in its possession. The incident resulted in the personal data being at risk of unauthorised access.,"[""Protection"", ""Warning"", ""Education"", ""Google Chrome Extension"", ""Virus""]",2021-04-15,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision--St-Josephs-Institution-International-Ltd--12032021.pdf,Protection,Breach of the Protection Obligation by St. Joseph's Institution International,https://www.pdpc.gov.sg/all-commissions-decisions/2021/04/breach-of-the-protection-obligation-by-st-josephs-institution-international,2021-04-15,"PERSONAL DATA PROTECTION COMMISSION Case No. DP-2010-B7196 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And St. Joseph’s Institution International Ltd. SUMMARY OF THE DECISION 1. On 16 October 2020, St Joseph’s Institution International Ltd. (the “Organisation”) informed the Personal Data Protection Commission that a file listing the personal data of 3155 parents and students (“the File”) was found on a website called VirusTotal (the “Incident”). 2. The Incident occurred on or around 13 October 2020 when a staff member of the Organisation downloaded and deployed a Google Chrome browser extension developed by VirusTotal for additional security scanning. 
Unknown to the staff member, apart from security scanning, the extension also forwarded scanned samples to premium members of VirusTotal (the “3rd Parties”) for security analysis and research. This use of samples was made known in VirusTotal’s privacy policy covering the use of the extension. 3. As a result of the Incident, the personal data of 3155 individuals, including both parents and students, was put at risk of unauthorised access. The personal data affected included the names of parents and students, parents’ email addresses, students’ dates of birth, students’ classes, students’ year and grades. 4. Users of the VirusTotal Chrome extension would have to agree to VirusTotal’s Privacy Policy, which provides that once files are uploaded to the VirusTotal website for scanning, copies of these files will be kept by VirusTotal and shared with their subscribers for research purposes. The risk of such file sharing, and in turn disclosure of personal data to 3rd Parties, ought to have been known to the said staff member of the Organisation, but was overlooked due to oversight. Such oversight could have been prevented if the Organisation had sufficiently robust processes for assessing such risks prior to deploying downloaded software, including Chrome extensions. However, the Organisation lacked such processes. 5. Nevertheless, the Organisation took prompt action to mitigate the effects of the breach by contacting VirusTotal immediately to remove the File, and notified all affected individuals. While personal data was disclosed, it was limited to premium members of VirusTotal for research purposes only. 6. On the facts, the Deputy Commissioner for Personal Data Protection found the Organisation in breach of the Protection Obligation under section 24 of the Personal Data Protection Act 2012. However, in consideration of the limited risk of personal data being disclosed, and the Organisation’s commitment to improve its processes, a Warning was issued to the Organisation. 7. 
The Commission reminds all organisations that they must have sufficiently robust processes to obtain a functional understanding of software to be deployed, in order to assess the security risks to personal data in their possession or control. Failure to do so would be a breach of the Protection Obligation. ",Warning,8c090a898191be97b97f6c86d047026a0a44edff,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,66,66,1,952,"Chapel of Christ the Redeemer failed to put in place reasonable measures to protect its members' personal data. Further, it did not have written policies and practices necessary to comply with the PDPA.","[""Accountability"", ""Protection"", ""Directions"", ""Others"", ""No Policy"", ""Access control"", ""Indexing""]",2021-04-15,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Chapel-of-Christ-the-Redeemer---290121.pdf,"Accountability, Protection",Breach of the Protection and Accountability Obligations by Chapel of Christ the Redeemer,https://www.pdpc.gov.sg/all-commissions-decisions/2021/04/breach-of-the-protection-and-accountability-obligations-by-chapel-of-christ-the-redeemer,2021-04-15,"PERSONAL DATA PROTECTION COMMISSION Case No. DP-2010-B7132 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Chapel of Christ the Redeemer SUMMARY OF THE DECISION 1. On 6 October 2020, Chapel of Christ the Redeemer (the “Organisation”) informed the Personal Data Protection Commission (the “Commission”) that a file (the “File”) containing 815 members’ personal data (name, NRIC, address, date of birth, marital status, email address, mobile and residential phone number) was inadvertently disclosed online. 2. 
Investigations revealed that a staff member had accidentally uploaded the File (which was supposed to be an internal document) onto the sub-directory on 24 November 2019. The Organisation only discovered the matter on 8 September 2020, when a member of the Organisation performed a Google search of another member’s name and found a Google search result of the File. 3. The Organisation admitted that there were no access controls to the sub-directory prior to the incident, as the sub-directory was intended to be accessible to the public. As a result, the File was indexed by search engines and showed up in online search results. The Organisation also admitted that at the time of the incident, the Organisation had not developed any internal policies and practices to ensure compliance with the Personal Data Protection Act 2012 (the “PDPA”). In particular, there was no system of checks for the uploading of files on the Organisation’s website. 4. Fortuitously, it appeared that access to the File was minimal – based on the Google Analytics report, save for the Organisation’s member who discovered the File on the internet on 8 September 2020, there was only one other access to the File, on 9 December 2019, and that access lasted for approximately 1 minute. 5. Following the incident, the Organisation disabled search engine indexing of the sub-directory, password-protected all files with members’ data, and implemented a weekly check of all files uploaded onto the website to detect any accidental uploading of incorrect files, and a policy to delete files that are on the website for more than three months. The Organisation has also informed the Commission that it intends to engage a consultant to conduct PDPA training for its staff, as well as to review the data protection processes within the Organisation to ensure compliance with the PDPA. 6. 
In view of the facts stated at [3] above, the Deputy Commissioner for Personal Data Protection found the Organisation in breach of section 12 of the PDPA (the obligation to develop and implement data protection policies and practices), and section 24 of the PDPA (the obligation to protect personal data in an organisation’s possession or under its control by making reasonable security arrangements). 7. In determining the directions to be imposed on the Organisation under section 29 of the PDPA, the following factors were taken into account: (a) The Organisation had voluntarily notified the Commission of the incident, fully cooperated with the Commission’s investigations and implemented prompt remedial measures to address the breach; and (b) There was minimal access to the File and no evidence that the personal data had been misused. 8. In the circumstances, the Deputy Commissioner would not be imposing any financial penalty on the Organisation. However, in light of the Organisation’s lack of the necessary data protection policies and practices, the Deputy Commissioner hereby directs the Organisation to: (a) Develop and implement internal data protection policies and practices to comply with the provisions of the Act within 90 days from the date of the direction, and (b) Inform the Commission within 1 week of implementation of the above. 
",Directions,3af9997c53409121b23cd38f9ec106f784e3648c,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,67,67,1,952,"A financial penalty of $29,000 was imposed on Tripartite Alliance for failing to put in place reasonable security arrangements to prevent the unauthorised access of approximately 20,000 individuals’ and companies’ data stored in its customer relationship system database.","[""Protection"", ""Financial Penalty"", ""Social Service"", ""Ransomware"", ""Scope of Duties"", ""Third Party Vendor""]",2021-04-15,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Tripartite-Alliance-Limited---16032021.pdf,Protection,Breach of the Protection Obligation by Tripartite Alliance,https://www.pdpc.gov.sg/all-commissions-decisions/2021/04/breach-of-the-protection-obligation-by-tripartite-alliance,2021-04-15,"PERSONAL DATA PROTECTION COMMISSION Case No. DP-2003-B6000 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Tripartite Alliance Limited SUMMARY OF THE DECISION 1. On 3 March 2020, Tripartite Alliance Limited (the “Organisation”) notified the Personal Data Protection Commission (the “Commission”) that a server hosting its customer relationship management (“CRM”) system was infected with ransomware on or around 17 February 2020. 2. The Organisation subsequently requested that this matter be handled under the Commission’s expedited breach decision procedure. In this regard, the Organisation voluntarily provided and unequivocally admitted to the facts set out in this decision. It also admitted that it was in breach of section 24 of the Personal Data Protection Act (the “PDPA”). The Incident 3. 
The Organisation is in the business of promoting fair and progressive employment practices, as well as providing mediation and advice in employment-related disputes. 4. The CRM system is a Software-as-a-Service (“SaaS”) solution provided by a software service provider engaged by the Organisation (the “Vendor”). The Organisation uses the CRM system to handle employment-related enquiries, feedback and complaints. 5. At the time of the incident, the CRM system contained approximately 12,000 individuals’ and 8,000 companies’ data (including information on the companies’ representatives). The types of data affected for each individual varied, but may include an individual’s name, identification number, contact number, email address, age, race, marital status, salary and compensation amount (if applicable). 6. On 17 February 2020, the CRM system was unavailable to users. The Vendor managed to restore the CRM system from a back-up copy within the next three hours. 7. Upon investigations, the Organisation determined that the CRM system had suffered a ransomware attack. In particular, security logs obtained from the Vendor showed that hacking attempts were made on the database server between 7 and 14 February 2020. 8. The Organisation claimed that it had, since June 2019, expanded the scope of the IT services procured from the Vendor to include security monitoring services for the CRM system, such as the blocking of cyber-attacks based on alerts. However, there were inadequate processes in place to ensure that the Vendor proactively monitored the alerts and took action to block malicious activities in a timely manner. Nevertheless, the Organisation accepts that it had the responsibility to ensure that the Vendor had the same understanding of its duty of care under the monitoring services contract, and to oversee and supervise the work of the Vendor through clear instructions on regular reporting and updates by the Vendor. 9. 
Following the incident, the Organisation started close monitoring of the Vendor’s IT services support on a weekly basis to ensure timely updating of patches and follow-up on security alerts received. The Organisation also undertook an organisation-wide review to strengthen its management of all its third-party IT service providers, such as requesting these service providers to conduct cybersecurity audits, vulnerability assessments and penetration testing for the Organisation’s existing IT systems. The Organisation also informed the Commission that it will be migrating to a new CRM system and is currently working to terminate the existing CRM system. 10. The Organisation informed the Commission that the database in the CRM system was not protected by encryption at the time of the incident, which made the database vulnerable to exposure. However, there was no evidence that the hacker had exfiltrated the database. The Organisation’s Admission and the Commission’s Decision 11. The Organisation admitted that it had breached the Protection Obligation under section 24 of the PDPA in failing to ensure that the Vendor had duly discharged its contractual data protection obligations. In particular, the Organisation admitted that it had not monitored the Vendor’s performance to ensure that the Vendor met the required information security standards. 12. As stated in previous decisions by the Commission [1], organisations have to give proper instructions and exercise reasonable oversight over their vendors to ensure that their outsourced providers are indeed delivering the services contracted. Without reasonable oversight, the risk from any failure will fall on the organisation. In the circumstances, the Commissioner found that the Organisation was in breach of the Protection Obligation under section 24 of the PDPA. 13. As for the Vendor, it was a SaaS provider which provided the CRM system, including maintenance support and security monitoring services. 
These services did not entail the processing of personal data. As such, the Vendor was not a “data intermediary” of the Organisation. Accordingly, the Vendor was not responsible for the protection of the individuals’ personal data under the PDPA in respect of the incident. 14. In determining the directions to be imposed on the Organisation for the breach, the Commissioner took into account the following factors: [Footnote 1: See, for example, Re Smiling Orchid (S) Pte Ltd and Ors [2016] SGPDPC 19, Re Royal Caribbean Cruises (Asia) Pte Ltd [2020] SGPDPC 5, and Re SCAL Academy Pte. Ltd. [2020] SGPDPC 2.] Aggravating: (a) The high number of affected individuals, which is approximately 20,000; (b) The nature of the affected data. In particular, the database contained details of employment-related complaints and disputes. Individuals would expect a high level of confidence when they convey such matters to the Organisation for handling; Mitigating: (c) The Organisation’s upfront admission of breach of the Protection Obligation, and the prompt remedial actions to mitigate the effects and prevent recurrence of the incident; and (d) There was no evidence of exfiltration of the database in the CRM system. 15. On account of the above, the Organisation is directed to pay a financial penalty of $29,000 within 30 days from the date of this direction. In view of the remedial action of the Organisation, the Commission will not be issuing any other directions. ",Financial Penalty,0cdce22d84405d3787ba0a1ff0507d00cb8cec7f,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]"