pdpc_decisions_version_detail (view)

7 rows where "date" is on date 2020-01-09


_commit_at _commit_hash _id _item _version _commit description tags date pdf-url nature title url timestamp pdf-content decision _item_full_hash _changed_columns
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 113 113 1 952 A warning was issued to L’Oreal Singapore for failing to put in place reasonable security arrangements to prevent the unauthorised disclosure of personal data of individuals on its website. The personal data of 7 individuals were compromised from a data breach incident involving its website.
[
    "Protection",
    "Warning"
]
2020-01-09 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Summary-Decision---Loreal-Singapore-Pte-Ltd---261219.pdf Protection Breach of the Protection Obligation by L'Oreal Singapore https://www.pdpc.gov.sg/all-commissions-decisions/2020/01/breach-of-the-protection-obligation-by-l-oreal-singapore 2020-01-09 PERSONAL DATA PROTECTION COMMISSION Case No. DP-1812-B3091 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And L’Oreal Singapore Pte. Ltd. SUMMARY OF THE DECISION 1. L’Oreal Singapore Pte Ltd (the “Organisation”) operated a website which had a login portal that enabled its customers to view their profile information, redeem vouchers and make enquiries about customer points (“Customer Login Page”). The customers’ profile information included their name, email address, postal address, mobile number and date of birth (the “Personal Data”). The development and maintenance of the website was carried out by a vendor engaged by the Organisation. 2. To improve the loading speed of the website, the Organisation instructed its vendor to make some changes to the website in November 2018. However, the Organisation failed to scope the User Acceptance Tests (“UATs”) to include the normal functioning of the website, in particular the login and caching functions of the Customer Login Page, after the code changes were introduced. As a result, when a customer (“Customer A”) logged into the Customer Login Page, his or her Personal Data would be cached. Customer A’s Personal Data would then be disclosed to customers who subsequently logged in to the Customer Login Page until the cache was refreshed. Similarly, the Personal Data of the second customer (“Customer B”), who logged in after the cache refresh, would be cached, leading to disclosure of Customer B’s Personal Data to the third customer who logs in next, and all subsequent customers until the next cache refresh. 
When the Organisation came to know of this, the Organisation disabled the Customer Login Page. The Organisation also engaged a consultant to assist in its investigations into the matter and to provide recommendations to prevent similar incidents in the future. 3. The Personal Data Protection Commission (“Commission”) found that Personal Data of 7 individuals had been exposed to the risk of unauthorised disclosure… Warning 4102189a17de6b15ab601751db63326670e4ef82
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 114 114 1 952 A financial penalty of $15,000 was imposed on Creative for failing to put in place reasonable security arrangements to prevent the unauthorised disclosure of personal data of users of its online support forum.
[
    "Protection",
    "Financial Penalty"
]
2020-01-09 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Creative-Technology-Ltd--020120.pdf Protection Breach of the Protection Obligation by Creative https://www.pdpc.gov.sg/all-commissions-decisions/2020/01/breach-of-the-protection-obligation-by-creative 2020-01-09 PERSONAL DATA PROTECTION COMMISSION [2020] SGPDPC 1 Case No DP-1811-B3058 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Creative Technology Ltd … Organisation DECISION 1 Creative Technology Ltd Tan Kiat How, Commissioner — Case No DP-1811-B3058 2 January 2020 Facts of this Case 1 This case concerns an online support forum (the “Forum”) operated and hosted by Creative Technology Ltd (the “Organisation”). In November 2018, the Personal Data Protection Commission (the “Commission”) was informed that the Forum had been hacked sometime in mid-2018 resulting in the unauthorised disclosure of personal data of users of the Forum (the “Incident”). 2 The Organisation first set up the Forum some time in 2004 to help users share ideas and information relating to the Organisation’s products. In 2011, the Organisation adopted a third-party forum software known as “vBulletin” to operate and host the forum internally. Unknown to the Organisation, the vBulletin software had a SQL vulnerability which could allow hackers to extract information hosted on the platform using SQL injection techniques. The developers of the vBulletin software released patches to address this SQL vulnerability in 2016. However, the Organisation had not installed these patches at the time of the Incident. 3 On 25 May 2018, an unknown hacker used SQL injection techniques to obtain personal data of Forum users from the Forum’s database. In particular, the hacker exploited the vulnerability in the vBulletin software to launch SQL injection attacks by using the “Forumrunner” add-on.
4 The Organisation first came to know of the Incident on 4 June 2018, when it was notified by a security researcher that he had received a set of user data extracted from the Forum. The Organisation subsequently found that 484,512 users’ account information had been accessed and extracted in the Incident. Of these, only 173,763 appeared to be legitimate email addresses with the remainder, in the Organisation’s … Financial Penalty 1d4e08be82b95f65085e2a8f991ad5845f795f48
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 115 115 1 952 Directions, including a financial penalty of $20,000, were imposed on Society of Tourist Guides for breaches of the PDPA. First, the organisation failed to put in place reasonable measures to protect its members’ personal data. Second, it did not appoint a data protection officer. Lastly, it did not have written policies and practices necessary to ensure its compliance with the PDPA.
[
    "Protection",
    "Accountability",
    "Directions",
    "Financial Penalty"
]
2020-01-09 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision--Society-of-Tourist-Guides-Singapore-261219.pdf Protection, Accountability Breach of the Protection and Accountability Obligations by Society of Tourist Guides https://www.pdpc.gov.sg/all-commissions-decisions/2020/01/breach-of-the-protection-and-accountability-obligations-by-society-of-tourist-guides 2020-01-09 PERSONAL DATA PROTECTION COMMISSION [2019] SGPDPC 48 Case No. DP-1903-B3445 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Society of Tourist Guides (Singapore) … Organisation DECISION Society of Tourist Guides (Singapore) [2019] SGPDPC 48 Tan Kiat How, Commissioner — Case No. DP-1903-B3445 26 December 2019 Introduction 1 On 3 March 2019, the Personal Data Protection Commission (the “Commission”) received a complaint that personal data of individuals had apparently been exposed to unauthorised access and disclosure through links on the Society of Tourist Guides (Singapore)’s (the “Organisation”) website. Facts of the Case 2 The Organisation is a non-profit organisation that works with the Singapore Tourism Board (“STB”) to promote the professionalism of tourist guides as tourism ambassadors of Singapore. Tourist guides registered with STB may sign up as members of the Organisation (“Members”). In May 2018, the Organisation engaged a Vietnam-based IT company (the “Vendor”) to develop its website https://societyoftouristguides.org.sg (the “Website”). 3 One of the Organisation’s purposes for the Website was to collect personal data from its Members. Personal data was collected from Members through their respective user accounts on the Website and included their names, photographs, contact numbers, e-mail addresses and a write-up of themselves (for example, with the type of services they provided) (“Profile Data”). Members could also upload images of their identification documents (e.g.
NRIC, employment pass, driving and vocational licences) which contained various personal data (“ID Data”). 4 Members’ Profile Data were published on their respective public profile pages on the Website. This enabled members of the public to find and engage a Member with the necessary experience and expertise to provide services that he or she required. 5 As regards the ID Data, these were used by the Organisation for a few purposes. These included (i) applyin… Directions, Financial Penalty 00f2b94a482f683c070998c51833856ca9a1a01a
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 116 116 1 952 A financial penalty of S$5,000 was imposed on PeopleSearch for failing to put in place reasonable security arrangements to protect personal data of its clients. The incident resulted in the data being subjected to a ransomware attack.
[
    "Protection",
    "Financial Penalty"
]
2020-01-09 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---PeopleSearch-Pte-Ltd---261219.pdf Protection Breach of the Protection Obligation by PeopleSearch https://www.pdpc.gov.sg/all-commissions-decisions/2020/01/breach-of-the-protection-obligation-by-peoplesearch 2020-01-09 PeopleSearch Pte. Ltd. [2019] SGPDPC 47 PERSONAL DATA PROTECTION COMMISSION [2019] SGPDPC 47 Case No DP-1903-B3521 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And PeopleSearch Pte. Ltd. … Organisations DECISION PeopleSearch Pte. Ltd. [2019] SGPDPC 47 Yeong Zee Kin, Deputy Commissioner — Case No DP-1903-B3521 26 December 2019 Introduction 1 PeopleSearch Pte. Ltd. (the “Organisation”) is a subsidiary of a listed Singapore company (“Listed Company”) that provides professional recruitment and flexible staffing services in Asia. On 15 March 2019, the Listed Company notified the Personal Data Protection Commission (the “Commission”) of a ransomware attack suffered by the Organisation on 1 to 2 March 2019, which resulted in the Organisation not being able to access its clients’ personal data (the “Incident”). Facts of the Case 2 At the material time, the Organisation had a business division that managed outsourced payroll for the Organisation’s clients. In order to do so, the Organisation used a payroll software installed in a server in a virtual machine environment (the “VM Server”). The Organisation’s clients would connect to the VM Server through remote desktop protocol to use the payroll software. All the information (including personal data) in the payroll software was stored in a database that was hosted in the VM Server.
3 At the time of the Incident, the database included the following personal data of 472 individuals employed by 2 of the Organisation’s clients [1] (collectively, “Employee Data”): (a) Name; (b) NRIC number; (c) Residential address; [Footnote 1: The payroll information of the Organisation’s other clients had been migrated from the VM Server to another server. This was in preparation for the Organisation’s business division managing outsource payroll being incorporated into a separate legal entity.] (d) Contact number; (e) Email address; (f) Bank account number… Financial Penalty c4a52d4f14229d8cac99db0327d1480633fb17ae
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 117 117 1 952 A financial penalty of $6,000 was imposed on National Healthcare Group for failing to put in place reasonable security arrangements to protect a list containing the personal data of partner doctors and members of the public from being publicly accessible online.
[
    "Protection",
    "Financial Penalty",
    "Healthcare"
]
2020-01-09 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---National-Healthcare-Group-Pte-Ltd---261219.pdf Protection Breach of the Protection Obligation by National Healthcare Group https://www.pdpc.gov.sg/all-commissions-decisions/2020/01/breach-of-the-protection-obligation-by-national-healthcare-group 2020-01-09 PERSONAL DATA PROTECTION COMMISSION [2019] SGPDPC 46 Case No DP-1802-B1703 and DP-1802-B1765 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And National Healthcare Group Pte Ltd … Organisation DECISION National Healthcare Group Pte Ltd [2019] SGPDPC 46 Yeong Zee Kin, Deputy Commissioner — Case No DP-1802-B1703 and DP-1802-B1765 26 December 2019 Introduction 1 On 10 February 2018, the National Healthcare Group Pte Ltd (the “Organisation”) notified the Personal Data Protection Commission (the “Commission”) about a complaint it had received in relation to a list containing personal information of partner doctors of the Organisation (the “List”) which was accessible on the Internet (the “Incident”). Subsequently, on 28 February 2018, the Commission received a separate complaint over the Incident. Facts of the Case 2 On 17 March 2015, the Organisation awarded a developer (“Website Developer”) a contract to develop its website (the “Website”). The Organisation specified the Website’s functional requirements and contents. A company specialising in IT services (“IT Services Provider”) provided the Organisation with IT support. In this regard, the IT Services Provider ensured that the IT specifications of the Organisation were complied with by the Web Developer, which included coordinating and verifying bug fixes and remedies of security vulnerabilities implemented by the Web Developer.
During the process of developing the Website, a section for restricting access to the Website (including the List) was not included in a web configuration file. The Organisation, Website Developer and IT Services Provider signed off on the Website’s functional requirements specification, user acceptance test cases, and website commissioning. The relevant web configuration file was not examined before the Website went “live” in December 2015. 3 Around June or July 201… Financial Penalty 29d3c0d5771aa5ddfea72dcff51a0ef0c5dde45a
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 118 118 1 952 Directions, including a financial penalty of $10,000, were imposed on SAFRA for failing to put in place reasonable security arrangements to protect the personal data of the members of its Shooting Club. SAFRA was also directed to review its internal processes to put in place process safeguards and written internal standard operating procedures to protect the personal data of its members.
[
    "Protection",
    "Directions",
    "Financial Penalty"
]
2020-01-09 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---SAFRA---161219.pdf Protection Breach of the Protection Obligation by SAFRA National Service Association https://www.pdpc.gov.sg/all-commissions-decisions/2020/01/breach-of-the-protection-obligation-by-safra-national-service-association 2020-01-09 PERSONAL DATA PROTECTION COMMISSION [2019] SGPDPC 45 Case No DP-1809-B2711 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And SAFRA National Service Association … Organisation DECISION 1 SAFRA National Service Association [2019] SGPDPC 45 Yeong Zee Kin, Deputy Commissioner — Case No DP-1809-B2711 16 December 2019 Facts of the Case 1 On 13 September 2018, the Personal Data Protection Commission (the “Commission”) received a voluntary breach notification from SAFRA National Service Association (the “Organisation”). An employee of the Organisation (the “Employee”) who had sent out two separate batches of e-mails attaching an Excel spreadsheet (the “Spreadsheet”) containing the personal data of certain members of the Organisation’s shooting club (the “SSC”) to other members (the “Incident”). 2 According to the Employee, his job scope included sending mass e-mails to SSC members. He has been sending such e-mails since September 2016 at least once a month. According to him, he was not aware of any SOPs for sending of such mass emails. The Employee claims that his supervisor had instructed him verbally on the process. First, prepare proposed e-mail, and attach a spreadsheet containing intended recipients’ e-mail addresses extracted from another internal system. Next, send this draft email from his individual work email account to the official SSC e-mail account. Thereafter, copy the intended recipients’ email addresses into the draft email, and delete the attached spreadsheet, before sending out the mass email.
This is the process that the Employee has been following whenever he sends mass e-mails to SSC members, as was the case during the Incident. 3 The Organisation claims that it was not aware of this process for mass e-mails. However, its staff were briefed on the practice of using the bcc function when sending mass emails and were verbally instructed to “check and ensure that no unnecessary information or document (including those which contain personal… Directions, Financial Penalty 010708766ce21b512c280cfe9da288cff633f350
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 119 119 1 952 A financial penalty of $34,000 was imposed on Globalsign.in for failing to put in place reasonable security arrangements to protect the personal data supplied by its clients. Globalsign.in, which sends mass marketing emails on behalf of its clients to their respective customers, was also found to be holding personal data which was no longer necessary for legal or business purposes.
[
    "Protection",
    "Retention Limitation",
    "Financial Penalty"
]
2020-01-09 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision--MSIG-Insurance-Singapore-Pte-Ltd--191119.pdf Protection, Retention Limitation Breach of the Protection and Retention Obligations by Globalsign.in Pte Ltd https://www.pdpc.gov.sg/all-commissions-decisions/2020/01/breach-of-the-protection-and-retention-obligations-by-globalsignin-pte-ltd 2020-01-09 PERSONAL DATA PROTECTION COMMISSION [2019] SGPDPC 43 Case Nos. DP-1708-B1066; DP-1708-B1086 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And (1) (2) MSIG Insurance (Singapore) Pte Ltd Globalsign.in Pte Ltd …Organisation(s) DECISION Re MSIG Insurance (Singapore) and another [2019] SGPDPC 43 (1) MSIG Insurance (Singapore) Pte Ltd (2) Globalsign.in Pte Ltd [2019] SGPDPC 43 Mr Tan Kiat How, Commissioner – Case Nos. DP-1708-B1066; DP-1708-B1086 19 November 2019 Introduction and Material Facts 1. MSIG Insurance (Singapore) Pte Ltd (“MSIG”) notified the Personal Data Protection Commission (the “Commission”) on 22 August 2017 that the mass emailing system of its service provider, Globalsign.in Pte Ltd’s (“GSI”), had been accessed without authorisation and used to send spam emails (the “Incident”) to 149,172 email addresses which belonged to MSIG’s customers (“Impacted Customers”). 2. GSI runs and hosts an email marketing platform known as “Global2Mail Online Marketing Web Application” (the “G2M” platform). GSI uses the G2M platform to send mass marketing emails to email addresses supplied by its clients. 3. MSIG, an insurance provider, had engaged GSI to send marketing emails to its customers via the G2M platform. For this purpose, MSIG and GSI had entered into an agreement dated 1 October 2013. An addendum to the said agreement was entered into on 16 May 2014 to take into consideration the obligations of both organisations under the Personal Data Protection Act 2012 (the “PDPA”). 
GSI’s services were renewed by MSIG, with MSIG and GSI entering into a new agreement on 1 August 2017 (the “Agreements”). 4. MSIG provided GSI with a list of email addresses of its customers each time an email marketing campaign was launched. For some of the email addresses, MSIG also provided the first and last names to GSI and these would be captured in the G2M platform. According to MSIG, the email addresses and names (where applicable) provided to GSI were password-protected… Financial Penalty 4c9d4905f641206cd304485dcb39659ee42e32db
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]

CREATE VIEW pdpc_decisions_version_detail AS select
  commits.commit_at as _commit_at,
  commits.hash as _commit_hash,
  pdpc_decisions_version.*,
  (
    select json_group_array(name) from columns
    where id in (
      select column from pdpc_decisions_changed
      where item_version = pdpc_decisions_version._id
    )
) as _changed_columns
from pdpc_decisions_version
  join commits on commits.id = pdpc_decisions_version._commit;
About: choco-up/sg-law-archive-data