pdpc_decisions_version_detail (view)

7 rows where "date" is on date 2020-02-11


_commit_at _commit_hash _id _item _version _commit description tags date pdf-url nature title url timestamp pdf-content decision _item_full_hash _changed_columns
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 106 106 1 952 Directions were imposed on Henry Park Primary School Parents’ Association for breaches of the PDPA. First, the organisation failed to put in place reasonable measures to protect its members’ personal data. Second, it did not appoint a data protection officer. Lastly, it did not have written policies and practices necessary to ensure its compliance with the PDPA.
[
    "Protection",
    "Accountability",
    "Directions"
]
2020-02-11 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---HPPA.pdf Protection, Accountability Breach of the Protection and Accountability Obligations by Henry Park Primary School Parents' Association https://www.pdpc.gov.sg/all-commissions-decisions/2020/02/breach-of-the-protection-and-accountability-obligations-by-henry-park-primary-school-parents-association 2020-02-11 PERSONAL DATA PROTECTION COMMISSION Case No. DP-1903-B3531 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Henry Park Primary School Parents’ Association SUMMARY OF THE DECISION 1. Henry Park Primary School Parents’ Association (the “Organisation”) is a registered society whose membership comprised parent volunteers. To register as members of the Organisation, individuals provided to the Organisation their names, contact numbers, name of child and the child’s class in Henry Park Primary School (the “Personal Data Set”). The Organisation had a website at https://hppa.org.sg (the “Website”) where members could view their own account particulars upon logging in using their assigned user ID and password. 2. On 15 March 2019, the Personal Data Protection Commission (“the Commission”) received a complaint. The complainant informed that when she performed a Google search using her name, she found a search result of a webpage of the Website which disclosed her personal data (the “Incident”). 3. The Personal Data Sets of registered members were never intended to be disclosed online. The Website had been developed by a parent volunteer using the WordPress content management system. 4. The Organisation had conducted tests to verify that members who logged in to the Website could view their own account particulars. The Organisation also verified that account particulars could not be viewed when accessing the Website as a public user. Nevertheless, the Personal Data Set was crawled, indexed and searchable by Google. 
This points to a weakness in access control that had not been picked up by these rudimentary tests. 5. Security testing such as vulnerability scans would have identified the access control issue. The Organisation failed to conduct adequate security testing before launching the Website. On the above facts, the Commission found that the Organisation did not put in place reasonable security arrangements to protect the Personal Data Sets. 6. The Commission also… Directions 79c294efa7335db9a6489bfae8e1c1eedccbf23b
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 107 107 1 952 A warning was issued to AXA Insurance for failing to put in place reasonable security arrangements to prevent the unauthorised disclosure of personal data of its policyholders. The personal data of 87 individuals was sent in an email to an unintended recipient.
[
    "Protection",
    "Warning"
]
2020-02-11 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---AXA-SG.pdf Protection Breach of the Protection Obligation by AXA Insurance https://www.pdpc.gov.sg/all-commissions-decisions/2020/02/breach-of-the-protection-obligation-by-axa-insurance 2020-02-11 PERSONAL DATA PROTECTION COMMISSION Case No. DP-1907-B4201 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And AXA Insurance Pte. Ltd. SUMMARY OF THE DECISION 1. The Personal Data Protection Commission (the “Commission”) received a complaint on 4 July 2019 against AXA Insurance Pte. Ltd. (the “Organisation”). The complaint was about an email (the “Email”) sent with a scanned document (the “Attachment”) containing personal data of 87 other policyholders (the “Affected Individuals”) to the Complainant on 28 June 2019. (the “Incident”). 2. The Attachment was an internal email correspondence of the Organisation that contained the names, NRIC numbers, insurance policy numbers and the details of the servicing agents of the Affected Individuals (the “Personal Data”). The Attachment was not meant for the Complainant. 3. The Organisation admitted that during scanning of documents by its employees, it did not have a process to segregate documents intended for internal record purposes from documents for customers. 4. The Organisation’s customer care specialist who retrieved the scanned document which formed the Attachment also failed to check the Attachment before sending out the Email. 5. The Commission found that these lapses in processes resulted in the Incident. The lapses pointed to a failure by the Organisation to make reasonable security arrangements to protect the personal data of its policyholders from inadvertent disclosure by its employees. The Organisation was therefore found in breach of the Protection Obligation under section 24 of the Personal Data Protection Act 2012. 
The Commission has decided to issue a warning to the Organisation after considering the admission of liability by the Organisation, the impact of the breach and the corrective measures taken. Warning 71d45bf5b66f5336bd2c59fa788260822e8e796d
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 108 108 1 952 A warning was issued to NTUC Income for failing to put in place reasonable security arrangements to prevent the unauthorised disclosure of personal data to users making enquiries through its website. 123 users received automated acknowledgement emails attached with files containing personal data belonging to 17 individuals.
[
    "Protection",
    "Warning"
]
2020-02-11 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---NTUC-Income-Insurance-Co-Operative-Limited--24012020.pdf Protection Breach of the Protection Obligation by NTUC Income https://www.pdpc.gov.sg/all-commissions-decisions/2020/02/breach-of-the-protection-obligation-by-ntuc-income 2020-02-11 PERSONAL DATA PROTECTION COMMISSION Case No. DP-1907-B4288 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And NTUC Income Insurance Co-Operative Limited SUMMARY OF THE DECISION 1. The Personal Data Protection Commission (the “Commission”) was notified on 17 July 2019 by NTUC Income Insurance Co-Operative Limited (the “Organisation”) of the unintended disclosure of personal data to users making enquiries through its website. The users received automated acknowledgement emails attached with files containing personal data of other individuals (the “Incident”). 2. On 10 July 2019, the Organisation enhanced the website’s online enquiry application to allow users to upload supporting documents together with their enquiry submissions. When a user A uploaded files, the application assigned a variable that served to identify the files for future retrieval by the same user or by the Organisation. However, due to a coding error, if the next user B did not upload files, the variable generated for the preceding user was applied to B’s submission. As a result, the supporting documents uploaded by A were associated with B’s submission. 3. This coding error manifested in the sending of acknowledgement emails, which were intended to include supporting documents submitted by the user. When acknowledgement emails were generated for a user who did not upload files, the coding error caused the files uploaded by a preceding user to be attached. There were 17 users whose uploaded files were sent to 123 other users in this way. 
The files contained their personal data, such as names, policy numbers, premium amounts, sum assured and period of coverage, email and mailing addresses. 4. The Organisation admitted that the Incident was caused by poor quality codes. The Commission found that such errors should have been detected during the manual code review process that the Organisation had conducted. Further, before the enhancement went “live”, the Organisation’s tests did n… Warning 50f8e6a44f01ed62a2f3b441bf9c89a658c16419
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 109 109 1 952 A financial penalty of $16,000 was imposed on Royal Caribbean Cruises (Asia) for failing to put in place reasonable security arrangements to protect the personal data of its customers. The personal data was subjected to a ransomware attack.
[
    "Protection",
    "Financial Penalty"
]
2020-02-11 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Royal-Caribbean-04022020.pdf Protection Breach of the Protection Obligation by Royal Caribbean Cruises (Asia) https://www.pdpc.gov.sg/all-commissions-decisions/2020/02/breach-of-the-protection-obligation-by-royal-caribbean-cruises-(asia) 2020-02-11 PERSONAL DATA PROTECTION COMMISSION [2020] SGPDPC 5 Case Nos.: DP-1904-B3721 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Royal Caribbean Cruises (Asia) Pte. Ltd. … Organisation DECISION 1 Royal Caribbean Cruises (Asia) Pte. Ltd. [2020] SGPDPC 5 Tan Kiat How, Commissioner — Case No. DP-1904-B3721 4 February 2020 Introduction 1 On 14 April 2019, Royal Caribbean Cruises (Asia) Pte. Ltd. (the “Organisation”) notified the Personal Data Protection Commission (the “Commission”) that the systems of one of the Organisation’s vendors (the “IT Vendor”) had been subject to a cyber-attack, resulting in the personal data of some of the Organisation’s customers being exposed to unauthorised access (the “Incident”). Facts of the Case 2 In early 2017, the Organisation engaged the IT Vendor to develop and supply the Organisation with an electronic receipt system to generate and store electronic receipts with respect to payments made by the Organisation’s customers for cruise and holiday bookings (the “Receipt System”). The initial plan was for the Receipt System to be hosted on the Organisation’s internal server. However, after taking into consideration that the Receipt System would need to be accessed from external Internet Protocol (“IP”) addresses during events and roadshows, the Organisation asked the IT Vendor to host the Receipt System on an Amazon Web Services (“AWS”) server. The Receipt System was installed on an AWS Server in December 2017 and the Organisation started using the Receipt System at the end of January 2018. 
3 On 11 April 2019, the Organisation encountered difficulties operating the Receipt System and reported the issue to the IT Vendor. On 12 April 2019, the IT Vendor informed the Organisation that the Receipt System had been subject to a cyber-attack. The cyber-attacker had deleted the database in the Receipt System, and replaced it with a ransom message demanding payment of 0.08 Bitcoins in order to recover the deleted data. 2 4 The foll… Financial Penalty 9e050b9f6c3568f6a2dff1cb150947fe99ed4f03
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 110 110 1 952 A financial penalty of $26,000 was imposed on SPH Magazines for failing to put in place reasonable security arrangements to prevent the unauthorised access of personal data of members of HardwareZone forum site.
[
    "Protection",
    "Financial Penalty"
]
2020-02-11 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---SPH-Magazines-Pte-Ltd.pdf Protection Breach of the Protection Obligation by SPH Magazines https://www.pdpc.gov.sg/all-commissions-decisions/2020/02/breach-of-the-protection-obligation-by-sph-magazines 2020-02-11 PERSONAL DATA PROTECTION COMMISSION [2020] SGPDPC 3 Case No DP-1802-B1731 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And SPH Magazines Pte Ltd … Organisation DECISION 1 SPH Magazines Pte Ltd [2020] SGPDPC 3 Tan Kiat How, Commissioner — Case No DP-1802-B1731 31 January 2020 Facts of the Case 1 On 20 February 2018, SPH Magazines Pte Ltd (the “Organisation”) voluntarily notified the Personal Data Protection Commission (the “Commission”) that the account of a senior moderator of its HardwareZone forum site (the “Forum”) had been accessed by an unknown hacker who used the senior moderator’s credentials to retrieve personal data of members of the Forum. The Organisation subsequently discovered through its consultants who were engaged to assist in its investigations into the incident that the senior moderator’s email address and password had been published on a credential leak database on 5 December 2017. The Organisation believed that the hacker had obtained the senior moderator’s credentials from this source or other similar databases as its investigations showed that its systems and applications had not been compromised during the incident. 2 The Organisation operates, hosts and maintains the Forum, an online Internet portal for members to engage in discussions on technology and other matters. Members are required to provide their usernames, email addresses, full names and passwords during registration and this personal data would form part of a member’s user profile. 
Members also have the option of including the following personal data in their user profile: (a) Year of Birth (b) Gender (c) Country (d) Education (e) Job Scope (f) Role in IT Procurement 2 3 (g) Occupation (h) Industry (i) Company Size (j) Monthly Income (range) (k) Area of interest (l) Home Page URL (m) Use of MSN, Yahoo, ICQ, AIM, Skype Senior moderators of the Forum are volunteers selected by the Organisation from amongst the members of the Forum and app… Financial Penalty 0ccae1ff28f90d66c28dd2491e593155803069f2
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 111 111 1 952 A financial penalty of $15,000 was imposed on SCAL Academy for failing to put in place reasonable security arrangements to protect the personal data of individuals on its website. These individuals had provided their personal data to SCAL Academy for registration purposes to attend its courses, seminars or workshops.
[
    "Protection",
    "Financial Penalty"
]
2020-02-11 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---SCAL-Academy---080120.pdf Protection Breach of the Protection Obligation by SCAL Academy https://www.pdpc.gov.sg/all-commissions-decisions/2020/02/breach-of-the-protection-obligation-by-scal-academy 2020-02-11 PERSONAL DATA PROTECTION COMMISSION [2020] SGPDPC 2 Case No. DP-1811-B3061 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And SCAL Academy Pte. Ltd. … Organisation DECISION SCAL Academy Pte. Ltd. [2020] SGPDPC 2 Tan Kiat How, Commissioner — Case No. DP-1811-B3061 8 January 2020 Introduction 1 SCAL Academy Pte. Ltd. (the “Organisation”) provides courses, seminars and workshops for individuals (the “Participants”) and collects personal data of Participants through its website, http://www.scal-academy.com.sg (the “Website”), for registration purposes. The Website was developed and maintained by a freelance vendor (the “Vendor”). 2 On 29 November 2018, the Personal Data Protection Commission (the “Commission”) received a complaint that the results of an online search of the names of Participants displayed links to scanned copies of registration documents (the “Documents”) on the Website (the “Incident”). The Documents were accessible by clicking on the listed links. 3 The Documents contained various personal data of 3,628 Participants including their name, race, nationality, date of birth, gender, country of birth, NRIC or work permit number, address, occupation and the name of the company the Participants were employed by (the “Compromised Personal Data”). 4 The cause of the Incident was traced to an enhancement to the Website (the “Enhancement”) which allowed Participants to upload the Documents directly onto a folder (the “Folder”) on the Website. 
The Vendor had been tasked with developing the Enhancement on 7 February 2018 and, in the course of doing so, the Vendor omitted to programme the Enhancement to verify that only authorised employees can access the Folder. The Documents were thus accessible without the need for login credentials. Additionally, the Vendor had also, through an oversight, omitted to implement another requirement, which is to implement Google’s recommendations to prevent bot crawlers from searching and indexing website content. 5… Financial Penalty 8f0ad290a860ac8ce3ca4cbe3b5a690b72561ff9
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 112 112 1 952 A financial penalty of $9,000 was imposed on Singtel for failing to put in place reasonable security arrangements to prevent the unauthorised disclosure of personal data of some of its customers via its My Singtel mobile application.
[
    "Protection",
    "Financial Penalty",
    "Accommodation and F&B"
]
2020-02-11 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Singapore-Telecommunications-Limited-311219.pdf Protection Breach of the Protection Obligation by Singtel https://www.pdpc.gov.sg/all-commissions-decisions/2020/02/breach-of-the-protection-obligation-by-singtel 2020-02-11 PERSONAL DATA PROTECTION COMMISSION [2019] SGPDPC 49 Case No. DP-1802-B1732 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Singapore Telecommunications Limited … Organisation DECISION 1 Singapore Telecommunications Limited Yeong Zee Kin, Deputy Commissioner — Case No DP-1802-B1732 31 December 2019 Introduction 1 On 21 February 2018, the Personal Data Protection Commission (the “Commission”) received a complaint from an individual mobile subscriber of Singapore Telecommunications Limited (the “Organisation”) asserting that when the subscriber accessed account details using the Organisation’s “MySingTel” mobile application (the “App”), the subscriber was able to view the personal information of another subscriber. Facts of the Case 2 The Commission’s investigations revealed that due to a technical issue that occurred during a limited period, certain mobile subscribers of the Organisation were able to view the personal data of other subscribers when they used the App (the “Incident”). The Incident took place over a period of approximately 11 hours on 20 February 2018 and the personal data of 750 subscribers (the “Affected Subscribers”) were exposed to the risk of access by other subscribers. Of these, the personal data of 39 subscribers were, in fact, accessed by other subscribers. The specific cause of this incident is described below. 3 The Incident arose during the Organisation’s migration of its database of mobile customer accounts from its existing billing system (the “Existing System”) to a new billing system (the “New System”). [Redacted]. 
4 However, an issue arose when there was a mobile number previously assigned to a subscriber (“historical numbers”) that was subsequently reassigned to another subscriber. One situation in which this happened was when a subscriber ported over an existing mobile number from another mobile telephone operator to the Organisation. In order to effect the porting over, the Organisation would first issue the subscr… Financial Penalty e2d462d64ec0e10bc672b4850fabd12bb0f0d993
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]


CREATE VIEW pdpc_decisions_version_detail AS select
  commits.commit_at as _commit_at,
  commits.hash as _commit_hash,
  pdpc_decisions_version.*,
  (
    select json_group_array(name) from columns
    where id in (
      select column from pdpc_decisions_changed
      where item_version = pdpc_decisions_version._id
    )
) as _changed_columns
from pdpc_decisions_version
  join commits on commits.id = pdpc_decisions_version._commit;
About: choco-up/sg-law-archive-data