_commit_at,_commit_hash,_id,_item,_version,_commit,description,tags,date,pdf-url,nature,title,url,timestamp,pdf-content,decision,_item_full_hash,_changed_columns
2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,37,37,1,952,Directions were issued to ACL Construction (S) for breach of the PDPA in relation to failure to appoint a data protection officer and no policies and practices in place to comply with the PDPA.,"[""Accountability"", ""Directions"", ""Construction"", ""No DPO""]",2022-04-21,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision--ACL-Construction-S-Pte-Ltd--030222.pdf,Accountability,Breach of Accountability Obligation by ACL Construction (S),https://www.pdpc.gov.sg/all-commissions-decisions/2022/03/breach-of-accountability-obligation-by-acl-construction,2022-04-21,"PERSONAL DATA PROTECTION COMMISSION Case No. DP-2107-B8598 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And ACL Construction (S) Pte Ltd SUMMARY OF THE DECISION 1. On 2 June 2021, the Personal Data Protection Commission (the “Commission”) was notified that data from ACL Construction (S) Pte Ltd (the “Organisation”), a company that provides pre-fabricated structures, structural steel products and construction services, was being offered for sale on the darkweb by one “Prometheus” (the “Incident”). 2. Investigations revealed that a few days earlier, three ACL staff (a designer and two sales executives) had experienced difficulties when they tried to log in to access their files. Thereafter, the ACL staff discovered that the files had been encrypted. The Organisation then sought external IT support. 3. 
The Organisation informed the Commission that the affected files contained the following data related to their projects: (i) Quotation folder – quotations (to clients and from suppliers), delivery orders, invoices and other supporting documents; (ii) Common folder – project documents and photographs; and (iii) Drawing folder – CAD drawings. 4. Our investigations revealed that the affected files contained the names of the Organisation’s customers, the relevant liaison person, their business contact number(s) and/or business email(s). As the names, business contact numbers and business emails were not provided by the individuals concerned for a personal purpose, they would constitute “business contact information” as defined under the Personal Data Protection Act (“PDPA”), and fall outside the scope of the Act by virtue of section 4(5) of the PDPA. Accordingly, while the Organisation may have suffered a data breach, no personal data was in fact affected. 5. This finding alone would have brought the matter to a close. However, in the course of our investigations, the Commission found out that the Organisation had failed to designate one or more individuals, commonly known as a Data Protection Officer (“DPO”), to be responsible for ensuring that the Organisation complies with the PDPA, as required under section 11(3) of the PDPA. The Organisation’s omission to have any data protection policies in place meant that it was also in breach of section 12(a) of the PDPA. 6. The Commission is cognizant that by virtue of the nature of the Organisation’s business, the Organisation primarily deals with business contact information from its corporate clients. 
Having said that, while no personal data may have been affected as a result of the Incident, the Organisation still has to comply with the accountability obligation, as set out in sections 11 and 12 of the PDPA so as to protect the personal data of its employees, and any other personal data it may incidentally process, come into control or possession of. 7. The Commission notes that after the Incident, the Organisation took prompt remedial actions and duly appointed a member of its staff to be responsible for ensuring that the Organisation complies with the PDPA. 8. Nonetheless, bearing in mind the Organisation’s low level of awareness of its obligations under the PDPA, the Commission considered that it would be most appropriate in lieu of imposing a financial penalty, to direct the Organisation to comply with the following: a. To develop and implement policies and practices to comply with the provisions of the PDPA; and b. Put in place a programme of compulsory training for employees of ACL on compliance with the PDPA when handling personal data. The following is the provision of the Personal Data Protection Act 2012 cited in the above summary: Compliance with PDPA 11(3). An organisation must designate one or more individuals to be responsible for ensuring that the organisation complies with the PDPA. Policies and practices 12(a). An Organisation must develop and implement policies and practices that are necessary for the organisation to meet the obligations of the organisation under the PDPA. 
",Directions,e5d93d363b4513ab709353939decc81ce04eb8a1,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]"
2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,38,38,1,952,"A financial penalty of $35,000 was imposed on GeniusU for failing to put in place reasonable security arrangements to prevent the unauthorised access and exfiltration of individuals' personal data stored in its staging database.","[""Protection"", ""Financial Penalty"", ""Education""]",2022-04-21,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---GeniusU-Pte-Ltd--180122.pdf,Protection,Breach of the Protection Obligation by GeniusU,https://www.pdpc.gov.sg/all-commissions-decisions/2022/03/breach-of-the-protection-obligation-by-geniusu,2022-04-21,"PERSONAL DATA PROTECTION COMMISSION Case No. DP-2101-B7725 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And GeniusU Pte. Ltd. SUMMARY OF THE DECISION 1. On 12 January 2021, GeniusU Pte. Ltd. (the “Organisation”) notified the Personal Data Protection Commission (the “Commission”) of unauthorized access and exfiltration of a staging application database (the “Database”) holding personal data (the “Incident”). 2. The personal data of approximately 1.26 million users were affected. The datasets affected comprised first and last name, email address, location and last sign-in IP address. 3. The Organisation’s internal investigations revealed that the likely cause of the Incident was the compromise of the password of one of its developers, either because the developer used a weak password for his GitHub account or the password for his GitHub account had been compromised. This allowed the threat actor to enter the Organisation’s GitHub environment. 
As the Organisation had stored the login credentials to the Database in the codebase in its GitHub environment, the threat actor was able to gain access to and exfiltrate personal data stored in the Database. 4. The Organisation took the following remedial measures after the Incident: a. Rotated the credentials of the Database; b. Removed all hard-coded credentials from the codebase; c. Purged all existing website sessions; d. Removed all personal data from non-production environment servers; e. Implemented multi-factor authentication on all work-related accounts; f. Implemented a standardised cyber security policy and related procedures for all staff; and g. Notified users and the GDPR data authority (Ireland) of the Incident. 5. The Commission accepted the Organisation’s request for this matter to be handled under the Commission’s expedited breach decision procedure. This meant that the Organisation had voluntarily provided and unequivocally admitted to the facts set out in this decision. The Organisation also admitted that it was in breach of section 24 of the Personal Data Protection Act (the “PDPA”). 6. Based on its admissions, the Organisation had breached the Protection Obligation by: a. Storing credentials for the Database in the codebase in its GitHub environment. This meant that once the threat actor was able to access the GitHub environment, he was able to discover the credentials to access personal data stored in the Database; and b. Storing actual personal data in the Database that was in a non-production (testing) environment; such environments are usually not as secure as production environments. Actual personal data should not be stored in testing environments, which are known to be less secure. 7. In the circumstances, the Organisation is found to be in breach of section 24 of the PDPA. 8. 
Having considered the circumstances set out above and the factors listed at section 48J(6) of the PDPA and the circumstances of the case, including (i) the Organisation’s upfront voluntary admission of liability which significantly reduced the time and resources required for investigations; and (ii) the prompt remedial actions undertaken by the Organisation, the Organisation is given a notice to pay a financial penalty of $35,000. 9. The Organisation must make payment of the financial penalty within 30 days from the date of the notice accompanying this decision, failing which interest at the rate specified in the Rules of Court in respect of judgment debts shall accrue and be payable on the outstanding amount of such financial penalty until the financial penalty is paid in full. 10. In view of the remedial actions taken by the Organisation, the Commission will not issue any directions under section 48I of the PDPA. The following is the provision of the Personal Data Protection Act 2012 cited in the above summary: Protection of personal data 24. An organisation shall protect personal data in its possession or under its control by making reasonable security arrangements to prevent – (a) unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks; and (b) the loss of any storage medium or device on which personal data is stored. 
",Financial Penalty,7a86d2d632c8b7dd6e2f8666a6255cf824652a01,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]"
2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,39,39,1,952,"A financial penalty of $20,000 was imposed on Trinity Christian Centre for failing to put in place reasonable security arrangements to prevent the unauthorised access of individuals' personal data hosted in its database servers.","[""Protection"", ""Financial Penalty"", ""Arts, Entertainment and Recreation"", ""Ransomware"", ""Remote Desktop Protocol""]",2022-04-21,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Trinity-Christian-Centre-Limited---03022022.pdf,Protection,Breach of the Protection Obligation by Trinity Christian Centre,https://www.pdpc.gov.sg/all-commissions-decisions/2022/03/breach-of-the-protection-obligation-by-trinity-christian-centre,2022-04-21,"PERSONAL DATA PROTECTION COMMISSION Case No. DP-2009-B7057 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Trinity Christian Centre Limited SUMMARY OF THE DECISION 1. On 11 March 2021, Trinity Christian Centre Limited (the “Organisation”) notified the Personal Data Protection Commission (the “Commission”) that its database servers containing personal data were infected with ransomware on or around 17 February 2021 (the “Incident”). 2. The Organisation subsequently requested that this matter be handled under the Commission’s expedited breach decision procedure. In this regard, the Organisation voluntarily provided and unequivocally admitted to the facts set out in this decision. It also admitted that it was in breach of section 24 of the Personal Data Protection Act (the “PDPA”). The Incident 3. The Organisation runs Trinity Christian Church in Singapore. 4. At the time of the Incident, the database servers contained 72,285 individuals’ data. 
The types of data affected for each individual varied, and included at times an individual’s name, full identification number, residential address, contact number, email address, photograph, date of birth, age, marital status, education level, and/or description of medical condition (if applicable). 5. Investigations by the Organisation revealed that the Organisation maintained an open and publicly exposed remote desktop protocol port. This allowed a threat actor with access to compromised administrator account credentials to enter the Organisation’s network and database servers and execute a ransomware attack on 17 February 2021, rendering the databases inaccessible. 6. The Organisation managed to restore the affected databases from its back-up copies. Based on the Organisation’s investigations, there was no evidence to suggest that the threat actor exfiltrated the Organisation’s databases. The Organisation’s Admission 7. The Organisation admitted that it had breached the Protection Obligation under section 24 of the PDPA as: a. It could have implemented separate access controls (i.e. separate logins) to protect the databases containing personal data; and b. The initial unauthorised entry to the Organisation’s network was through an administrator account that the Organisation had assigned to an IT vendor it had engaged to develop and test applications. The Organisation conceded that it failed to stipulate data protection requirements on its vendor. Remediation 8. Following the Incident, the Organisation notified its church members on 8 April 2021. The Organisation changed all user and administrator passwords, closed all unused and open ports used for remote access and restricted logon access with domain administrator privileges to servers and workstations. A security review was also conducted and the Organisation implemented real time threat monitoring, detection, and response measures. The Commission’s Decision 9. 
As noted earlier, the Organisation admitted that it was in breach of section 24 of the PDPA as it could have implemented separate access controls to protect the databases containing personal data. In our view, the number and type of personal data sets in the possession or under the control of the Organisation created a security need for stronger access control beyond reliance on frontend password protection. Indeed, with increasingly sophisticated phishing and social engineering techniques, adding another layer of protection to protect backend database servers, and manage the risks that frontend login credentials may be compromised was a reasonable security measure, which the Organisation also accepted. 10. The Commission had also previously emphasised in our decisions [1] and in the Commission’s Guide to Managing Data Intermediaries that organisations that engage IT vendors should ensure that their IT vendors are aware of the need for personal data protection by making it part of their contractual terms. 11. The Organisation admitted that its contract with its IT vendor only contained a general confidentiality clause not to disclose information obtained without the Organisation’s prior written consent. Even though the Organisation was well aware that its IT vendor would process personal data, the Organisation failed to stipulate within the contract any requirements on the vendor to protect the church members’ personal data, thereby breaching section 24 of the PDPA. 12. In determining the directions to be imposed on the Organisation for the breach, the Commissioner took into account the following factors: Aggravating (a) The high number of affected individuals of 72,285 which included approximately 8,300 minors; (b) The nature of the affected data. 
In particular, the affected databases contained descriptions of medical conditions provided by individuals for counselling services and overseas mission applications. Individuals would expect a high level of confidence when they convey such information to the Organisation for handling; Mitigating (c) The Organisation’s upfront admission of breach of the Protection Obligation, and the prompt remedial actions to mitigate the effects and prevent recurrence of the Incident; and (d) There was no evidence of exfiltration of the Organisation’s databases. 13. On account of the above, the Organisation is directed to pay a financial penalty of $20,000 within 30 days from the date of this direction. In view of the remedial action of the Organisation, the Commission will not be issuing any other directions. The following provision of the Personal Data Protection Act 2012 had been cited in the above summary: Protection of personal data 24. An organisation shall protect personal data in its possession or under its control by making reasonable security arrangements to prevent – (a) unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks; and (b) the loss of any storage medium or device on which personal data is stored. [1] See examples: Jigyasa [2020] SGPDPC 9, MDIS Corporation Pte Ltd [2020] SGPDPC 11 and Civil Service Club [2020] SGPDPC 15. ",Financial Penalty,1b58e6ca07c13ad8238e25acd672c8231540a608,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]"
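The GeniusU decision above (record 38) turns on two admitted failures: database credentials committed to the code base in a GitHub repository, and real personal data kept in a staging database. As an added example, not code from GeniusU, the PDPC or any named project, the following Python script shows the check a pre-commit hook or CI job would run over tracked files to catch the first failure before a commit lands, beside the runtime configuration pattern that keeps the credential out of the repository entirely. The file names and contents are constructed for the illustration; the credential patterns, the `PLACEHOLDER` allow-list and the `DATABASE_URL` variable name are assumptions of this example, not anything the decision records.

```python
"""Detect database credentials committed to a code base, and the runtime
configuration pattern that keeps them out. Added illustration only; this is not
code from GeniusU or the PDPC, and every file below is a constructed sample."""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Patterns a pre-commit hook or CI job would run over every tracked file.
# Group 1 captures the secret itself so findings can be reported redacted.
CREDENTIAL_PATTERNS = {
    # user:password embedded in a connection URI, e.g. postgres://app:pw@host/db
    "connection-uri": re.compile(
        r"\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis|amqp)://"
        r"[^\s:/@\"']+:([^\s@\"']+)@",
        re.IGNORECASE,
    ),
    # key: value / key = "value" assignments in source, YAML, JSON or .env files
    "password-assignment": re.compile(
        r"\b(?:db_)?(?:password|passwd|pwd|secret|api_key|access_key)\b"
        r"\s*[:=]\s*[\"']?([^\s\"'#,}]{6,})",
        re.IGNORECASE,
    ),
}

# Values that reference a secret store instead of containing a secret (assumed allow-list).
PLACEHOLDER = re.compile(
    r"^(?:\$\{?[A-Z_][A-Z0-9_]*\}?|<[^>]+>|\*{3,}|changeme|example)$", re.IGNORECASE
)


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str
    redacted: str  # the offending line with the secret masked


def scan_repository(files: dict[str, str]) -> list[Finding]:
    """files maps a repo-relative path to its content; returns one Finding per hit."""
    findings: list[Finding] = []
    for path, content in files.items():
        for lineno, line in enumerate(content.splitlines(), start=1):
            for kind, pattern in CREDENTIAL_PATTERNS.items():
                match = pattern.search(line)
                if match and not PLACEHOLDER.match(match.group(1)):
                    masked = line.strip().replace(match.group(1), "******")
                    findings.append(Finding(path, lineno, kind, masked))
                    break  # one finding per line is enough
    return findings


def load_database_url(env: dict[str, str]) -> str:
    """Hardened pattern: the URL, password included, is injected into the process
    environment by the deployment or a secret manager and never lives in the
    repository. A missing or password-less value fails closed instead of falling
    back to a default baked into the code."""
    url = env.get("DATABASE_URL", "")
    if not url:
        raise RuntimeError("DATABASE_URL is not set; refusing to start with a built-in default")
    if not urlsplit(url).password:
        raise RuntimeError("DATABASE_URL carries no password; expected a runtime-injected secret")
    return url


# Constructed sample repository. The first two files reproduce the failure in the
# decision (credentials checked into the code base); the last two are the fix.
SAMPLE_REPO = {
    "settings.py": 'DEBUG = False\nDATABASE_URL = "postgres://app:S3cretP4ss@db.internal:5432/app"\n',
    "config/database.yml": "staging:\n  host: db-staging.internal\n  username: app\n  password: St4ging!pw\n",
    "settings_fixed.py": 'import os\nDATABASE_URL = os.environ["DATABASE_URL"]  # injected at deploy time\n',
    ".env.example": "DATABASE_URL=${DATABASE_URL}\n",
}

if __name__ == "__main__":
    for f in scan_repository(SAMPLE_REPO):
        print(f"{f.path}:{f.line} [{f.kind}] {f.redacted}")
    # In a real service the env dict is os.environ; here it is constructed.
    print(load_database_url({"DATABASE_URL": "postgres://app:S3cretP4ss@db.internal:5432/app"}).split("@")[1])
```

Run as a pre-commit hook the scanner rejects the commit on any finding, printing only the redacted line so the secret is not copied into CI logs. Note that catching the credential at commit time does not cover the second admission in the decision (real personal data in a non-production database); that needs a separate control, such as populating staging only from synthetic or masked data.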
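The Trinity Christian Centre decision above (record 39) records a publicly exposed remote desktop protocol port and an administrator account, assigned to an IT vendor, whose credentials were used to reach the database servers. As an added example, not from the decision, the Organisation or its vendor, the following Python script shows the detection logic a SOC would run over Windows Security logon events to surface exactly that pattern: RDP (logon type 10) successes from addresses outside the organisation's own ranges, raised to high severity for privileged or vendor accounts and for successes that follow a run of failures. The internal ranges, the `admin`/`vendor` account markers, the failure threshold and the key=value event lines (a subset of the Event ID 4624/4625 fields, with TEST-NET addresses standing in for internet sources) are all constructed assumptions of this example.

```python
"""Flag remote-interactive (RDP) logons from outside the organisation's own
networks, especially to privileged or vendor accounts and after a run of
failures. Added illustration only; not from the decision or the Organisation.
The event lines are a constructed key=value export of the Windows Security
fields used here (Event ID 4624 success / 4625 failure, LogonType, account,
source address), not real log data."""
from __future__ import annotations

import ipaddress
from collections import Counter
from dataclasses import dataclass

RDP_LOGON_TYPE = "10"  # RemoteInteractive: Terminal Services / RDP
# Assumed: the estate's internal ranges and its privileged-account naming.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PRIVILEGED_MARKERS = ("admin", "vendor")
FAILURE_THRESHOLD = 5  # failures from one source/account before a success counts as guessing


@dataclass(frozen=True)
class LogonEvent:
    time: str
    event_id: int
    logon_type: str
    account: str
    source_ip: str


@dataclass(frozen=True)
class Alert:
    time: str
    account: str
    source_ip: str
    severity: str
    reason: str


def parse_event(line: str) -> LogonEvent:
    """Parse one constructed key=value line; a real pipeline would read EVTX or a SIEM."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return LogonEvent(
        fields["Time"], int(fields["EventID"]), fields["LogonType"],
        fields["TargetUserName"].lower(), fields["IpAddress"],
    )


def is_external(ip: str) -> bool:
    """True for any address outside the internal ranges; unparsable ("-") or
    loopback ("::1") source values are treated as local."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    if addr.is_loopback:
        return False
    return not any(addr in net for net in INTERNAL_NETS if addr.version == net.version)


def find_external_rdp_logons(lines: list[str]) -> list[Alert]:
    """Every successful RDP logon from outside the internal ranges is an alert
    (the port should not be reachable at all); it is raised to high severity
    when the account looks privileged or the success follows repeated failures."""
    failures: Counter[tuple[str, str]] = Counter()
    alerts: list[Alert] = []
    for event in (parse_event(line) for line in lines if line.strip()):
        if event.logon_type != RDP_LOGON_TYPE or not is_external(event.source_ip):
            continue
        key = (event.source_ip, event.account)
        if event.event_id == 4625:
            failures[key] += 1
        elif event.event_id == 4624:
            reasons = ["RDP logon from non-internal address"]
            if any(marker in event.account for marker in PRIVILEGED_MARKERS):
                reasons.append("privileged account")
            if failures[key] >= FAILURE_THRESHOLD:
                reasons.append(f"preceded by {failures[key]} failed attempts")
            severity = "high" if len(reasons) > 1 else "medium"
            alerts.append(Alert(event.time, event.account, event.source_ip, severity, "; ".join(reasons)))
    return alerts


# Constructed sample events (TEST-NET addresses stand in for internet sources).
SAMPLE_EVENTS = """
Time=2021-02-17T01:02:11Z EventID=4624 LogonType=10 TargetUserName=Administrator IpAddress=10.0.0.5
Time=2021-02-17T01:10:03Z EventID=4625 LogonType=10 TargetUserName=vendor-admin IpAddress=203.0.113.44
Time=2021-02-17T01:10:09Z EventID=4625 LogonType=10 TargetUserName=vendor-admin IpAddress=203.0.113.44
Time=2021-02-17T01:10:15Z EventID=4625 LogonType=10 TargetUserName=vendor-admin IpAddress=203.0.113.44
Time=2021-02-17T01:10:21Z EventID=4625 LogonType=10 TargetUserName=vendor-admin IpAddress=203.0.113.44
Time=2021-02-17T01:10:27Z EventID=4625 LogonType=10 TargetUserName=vendor-admin IpAddress=203.0.113.44
Time=2021-02-17T01:11:09Z EventID=4624 LogonType=10 TargetUserName=vendor-admin IpAddress=203.0.113.44
Time=2021-02-17T02:00:00Z EventID=4624 LogonType=3 TargetUserName=svc-backup IpAddress=198.51.100.7
Time=2021-02-17T03:00:00Z EventID=4624 LogonType=10 TargetUserName=jdoe IpAddress=198.51.100.7
Time=2021-02-17T03:05:00Z EventID=4624 LogonType=10 TargetUserName=helpdesk IpAddress=::1
""".strip().splitlines()

if __name__ == "__main__":
    for a in find_external_rdp_logons(SAMPLE_EVENTS):
        print(f"{a.time} {a.severity.upper():6} {a.account}@{a.source_ip}: {a.reason}")
```

The detection is a compensating control, not the fix: the remediation the decision describes (closing the remote-access ports, restricting domain-administrator logons to servers and workstations, and separate logins for the database) removes the exposure, and this query is what would have shown the vendor account's guessing run and subsequent success while that exposure existed. The `jdoe` alert is kept at medium severity deliberately: any RDP success from a non-internal address is worth a ticket when the port is not supposed to be reachable.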