pdpc_decisions_version_detail (view)
4 rows where "date" is on date 2020-12-18
_commit_at | _commit_hash | _id | _item | _version | _commit | description | tags | date | pdf-url | nature | title | url | timestamp | pdf-content | decision | _item_full_hash | _changed_columns |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 73 | 73 | 1 | 952 | A warning was issued to Water + Plants Lab for failing to put in place reasonable security arrangements to protect the personal data of its employees. The incident resulted in the personal data being subjected to a ransomware attack. | [ "Protection", "Warning", "Scientific and Technical", "Ransomware", "No Security Arrangements", "No Patching" ] | 2020-12-18 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision--Water--Plants-Lab-Pte-Ltd--181120.pdf | Protection | Breach of the Protection Obligation by Water + Plants Lab | https://www.pdpc.gov.sg/all-commissions-decisions/2020/12/breach-of-the-protection-obligation-by-water--plants-lab | 2020-12-18 | PERSONAL DATA PROTECTION COMMISSION Case No. DP-2004-B6182 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Water + Plants Lab Pte. Ltd. SUMMARY OF THE DECISION 1. On 9 April 2020, Water + Plants Lab Pte. Ltd. (the “Organisation”) informed the Personal Data Protection Commission of a ransomware infection that rendered the Organisation’s server (the “Server”) inaccessible to the Organisation (the “Incident”). 2. The Incident occurred on or around 30 March 2020. Personal data of 28 employees were encrypted by the ransomware. The personal data affected included the employees’ name, NRIC/FIN/Work Permit number, address, date of birth, mobile number and photograph. 3. Investigations revealed that an employee from the Organisation had downloaded and opened an email attachment that contained ransomware. At the time of the Incident, the Organisation had some security measures in place, for example, it had anti-virus protection, and access rights and password control for the Server. It also had a good practice of performing regular backup of its Server, and most of the data was successfully restored from an external backup. The Organisation therefore suffered minimal data loss as a result of the Incident. 4. However, as admitted by the Organisation, it had not carried out any patching and security scanning of the Server in the 12 months preceding the Incident. Patching and regular security scanning are important security measures to prevent vulnerabilities in an organisation’s ICT systems which a hacker may exploit in compromising personal data. For this reason, the Deputy Commissioner for Personal Data Protection found that the Organisation had failed to protect the personal data in its possession or under its control, in breach of section 24 of the Personal Data Protection Act 2012. 5. Following the Incident, the Organisation installed a firewall with greater capabilities to protect the Organisation against external threats, for example, possessing deeper c… | Warning | eee08e16b63cd4fae6c7d3775b36bf12d04f634d | [ "pdf-content", "timestamp", "decision", "pdf-url", "tags", "nature", "url", "title", "date", "description" ] |
2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 74 | 74 | 1 | 952 | A warning was issued to R.I.S.E Aerospace for failing to put in place reasonable security arrangements to protect the personal data of its employees from unauthorised disclosure. The incident resulted in the personal data being subjected to a ransomware attack. | [ "Protection", "Warning", "Manufacturing", "Ransomware", "No Security Arrangements", "IT security policies" ] | 2020-12-18 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---RISE-Aerospace-Pte-Ltd---131120.pdf | Protection | Breach of the Protection Obligation by R.I.S.E Aerospace | https://www.pdpc.gov.sg/all-commissions-decisions/2020/12/breach-of-the-protection-obligation-by-rise-aerospace | 2020-12-18 | PERSONAL DATA PROTECTION COMMISSION Case No. DP-2007-B6832 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And R.I.S.E Aerospace Pte. Ltd. SUMMARY OF THE DECISION 1. On 25 August 2020, R.I.S.E Aerospace Pte Ltd (the “Organisation”) notified the Personal Data Protection Commission (the “Commission”) of a ransomware infection that had rendered its network storage server inaccessible to the Organisation (the “Incident”). 2. The Incident occurred on or about 23 August 2020. Personal data of 21 employees were encrypted by the ransomware. The personal data encrypted included the name, address, contact number, NRIC number, Work Permit details, passport details, redacted bank account numbers, and child’s date of birth. 3. Investigations revealed that the Organisation had not implemented adequate technical security arrangements to protect the personal data in its possession or control, in particular, the Organisation did not carry out any security scans or perform updates to the server firmware despite being prompted to do so by the device manufacturer. In addition, the Organisation did not put in place any documented form of IT Security policies such as its password policy, policies for patching and updating of the company server etc. These failings had resulted in a system that had vulnerabilities which a hacker could exploit by injecting ransomware into the server. 4. Following the Incident, the Organisation had since discontinued the use of its network storage server and to opt for cloud storage instead. Additionally, the Organisation also decided to encrypt all its sensitive data and only store them on offline devices. 5. In the circumstances, the Deputy Commissioner for Personal Data Protection finds the Organisation in breach of the Protection Obligation under section 24 of the Personal Data Protection Act 2012 (the “PDPA”) and took into account the following factors in deciding to issue a Warning to the Organisation. a. The low number of affected indivi… | Warning | 1400daa426845ef3c61fb74391afd631da480958 | [ "pdf-content", "timestamp", "decision", "pdf-url", "tags", "nature", "url", "title", "date", "description" ] |
2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 75 | 75 | 1 | 952 | A financial penalty of $8,000 was imposed on Hello Travel for failing to put in place reasonable security arrangements to protect the personal data of its members from unauthorised disclosure. | [ "Protection", "Financial Penalty", "Information and Communications", "Expedited", "Exploitation", "Vulnerability" ] | 2020-12-18 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Hello-Travel-Pte-Ltd---301020.pdf | Protection | Breach of Protection Obligation by Hello Travel | https://www.pdpc.gov.sg/all-commissions-decisions/2020/12/breach-of-protection-obligation-by-hello-travel | 2020-12-18 | PERSONAL DATA PROTECTION COMMISSION Case No. DP-2004-B6189 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Hello Travel Pte. Ltd. SUMMARY OF THE DECISION 1. On 8 April 2020, the Personal Data Protection Commission (the “Commission”) received information that a database belonging to Hello Travel Pte Ltd (the “Organisation”) was posted on an internet forum and was thus made publicly available (the “Incident”). 2. The Organisation subsequently requested for this matter to be handled under the Commission’s expedited breach decision procedure. In this regard, the Organisation voluntarily provided and unequivocally admitted to the facts set out in this decision. It also admitted that it was in breach of section 24 of the Personal Data Protection Act (the “PDPA”). 3. The compromised database contained the personal data of approximately 71,002 users who had created accounts at the Organisation’s website (www.havehalalwilltravel.com) from February 2015 to July 2018. The disclosed personal data included their name, email address, date of birth, nationality and phone number. The table below summarises the number of affected individuals for each corresponding type of personal data disclosed: S/N Type of Personal Data Number of Individuals Affected 4. 1 Name 71,002 2 Email Address 57,693 3 Phone Number 453 4 Date of Birth 946 5 Nationality 20,754 The Organisation’s internal investigations pointed to a possible hack as the cause of the Incident. Sometime in year 2018, the server instance which hosted the Organisation’s website and the database became corrupted and unusable after the installation of a free open source wordpress plugin. The Organisation believed that unknown parties could have exploited vulnerabilities of the installed plugin at that time and exfiltrated the database. 5. The Organisation admitted that it did not give due attention to personal data protection and had neglected to put in place basic procedural and technical security a… | Financial Penalty | 4d881a08a671b9937b7e44b95f8f13e43eadd144 | [ "pdf-content", "timestamp", "decision", "pdf-url", "tags", "nature", "url", "title", "date", "description" ] |
2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 76 | 76 | 1 | 952 | Directions were imposed on Everlast Projects, Everlast Industries (S) and ELG Specialist for breaches of the PDPA. First, the organisations failed to put in place reasonable measures to protect their employees’ personal data. Second, they did not have written policies and practices necessary to ensure its compliance with the PDPA. | [ "Accountability", "Protection", "Directions", "Construction", "No Policy", "Ransomware" ] | 2020-12-18 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Everlast-Projects-and-Others---301020.pdf | Accountability, Protection | Breach of the Accountability and Protection Obligations by Everlast Projects, Everlast Industries (S) and ELG Specialist | https://www.pdpc.gov.sg/all-commissions-decisions/2020/12/breach-of-the-accountability-and-protection-obligations-by-everlast-projects | 2020-12-18 | PERSONAL DATA PROTECTION COMMISSION [2020] SGPDPC 20 Case No. DP-1908-B4369 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And (1) Everlast Projects Pte Ltd (2) Everlast Industries (S) Pte Ltd (3) ELG Specialist Pte Ltd … Organisations DECISION Everlast Projects Pte Ltd & Others [2020] SGPDPC 20 Yeong Zee Kin, Deputy Commissioner — Case No. DP-1908-B4369 30 October 2020 Introduction 1 On 29 September 2019, Everlast Projects Pte Ltd (“EPPL”) notified the Personal Data Protection Commission (“Commission”) that its server (“Server”) had been hacked and all the files within it were encrypted by ransomware sometime in August 2019 (the “Incident”). Facts of the Case 2 EPPL, Everlast Industries (S) Pte Ltd (“EIPL”) and ELG Specialist Pte Ltd (“ESPL”) (collectively, the “Organisations”) specialise in the supply and installation of architectural metal works, glass and aluminium products. The Organisations are owned by the same shareholder, managed by the same directors, and operate from common premises. Two of the Organisations also have a common name, “Everlast”. The Organisations operated like a group of companies and centralised their payroll processing, such that the human resources (“HR”) department of EPPL was in charge of processing payrolls of not only its own employees, but also the employees of EIPL and ESPL. The Organisations’ employees’ personal data were stored in the Server, which was owned and maintained by EPPL. 3 On 10 August 2019, EPPL discovered the Incident. EPPL had both an onsite physical backup and a secondary cloud backup of the contents of the Server. The physical backup was affected by the ransomware and rendered unusable. A total of 384 individuals were affected by the Incident (the “Affected Employees”): Name of Organisation Number of employees affected EPPL 141 EIPL 239 ESPL 4 Total number of individuals 384 4 T… | Directions | 6bf33286d1c3d26557836242297e0273d9b08921 | [ "pdf-content", "timestamp", "decision", "pdf-url", "tags", "nature", "url", "title", "date", "description" ] |

```sql
CREATE VIEW pdpc_decisions_version_detail AS
select
  commits.commit_at as _commit_at,
  commits.hash as _commit_hash,
  pdpc_decisions_version.*,
  (
    select json_group_array(name)
    from columns
    where id in (
      select column
      from pdpc_decisions_changed
      where item_version = pdpc_decisions_version._id
    )
  ) as _changed_columns
from pdpc_decisions_version
join commits on commits.id = pdpc_decisions_version._commit;
```