pdpc_decisions_version_detail (view)
3 rows where "date" is on date 2021-01-14
This data as json, CSV (advanced)
Suggested facets: nature, decision, _commit_at (date), date (date), timestamp (date), tags (array), _changed_columns (array)
| _commit_at | _commit_hash | _id | _item | _version | _commit | description | tags | date | pdf-url | nature | title | url | timestamp | pdf-content | decision | _item_full_hash | _changed_columns |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 70 | 70 | 1 | 952 | A financial penalty of $5,000 was imposed on BLS International Services Singapore for failing to put in place reasonable security arrangements to prevent the unauthorised disclosure of the personal data of individuals who had submitted a booking for an appointment on its website. | [
"Protection",
"Financial Penalty",
"Information and Communications",
"Inadequate scoping of testing",
"URL manipulation"
] |
2021-01-14 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---BLS-International-Services-Singapore-Pte,-d-,-Ltd,-d-,-30112020-(003).pdf | Protection | Breach of the Protection Obligation by BLS International Services Singapore | https://www.pdpc.gov.sg/all-commissions-decisions/2021/01/breach-of-the-protection-obligation-by-bls-international-services-singapore | 2021-01-14 | PERSONAL DATA PROTECTION COMMISSION Case No. DP-2007-B6563 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And BLS International Services Singapore Pte. Ltd. SUMMARY OF THE DECISION 1. BLS International Services Singapore Pte. Ltd. (the “Organisation”) provides government-to-citizen services for the High Commission of India in Singapore, such as visa and consular services. 2. On 7 July 2020, the Personal Data Protection Commission (the “Commission”) received information that the URLs of the printable version of appointment booking confirmation webpages could be manipulated to access other individuals’ personal data (the “Incident”). The personal data comprised the individual’s name, passport number, contact number, email address, type of service request, booking date/time, appointment date/time, and number of booking applications. 3. The Organisation subsequently requested for this matter to be handled under the Commission’s expedited breach decision procedure. In this regard, the Organisation voluntarily provided and unequivocally admitted to the facts set out in this decision. It also admitted that it was in breach of section 24 of the Personal Dara Protection Act (the “PDPA”). 4. Investigations revealed that on 8 June 2020, which was about a month prior to the Incident, the Organisation had implemented a new booking system for the High Commission of India. Under this new booking system, users who submitted a booking for an appointment at the High Commission of India would be provided with an URL, which led to a printable version of the booking confirmation. In designing the booking system, the Organisation had intended for the URLs to be encrypted. This would have made it more difficult for people to manipulate the URL. However, the encryption was not done properly due to a coding error. Although the Organisation had conducted some testing on the new booking system, the testing was not extensive enough to detect the error. 5. Upon realising the occurrence o… | Financial Penalty | 258d44ffd944015c9b8f9f9ffd545a6b10bb6fee | [
"pdf-content",
"timestamp",
"decision",
"pdf-url",
"tags",
"nature",
"url",
"title",
"date",
"description"
] |
| 2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 71 | 71 | 1 | 952 | A financial penalty of $9,000 was imposed on The Future of Cooking for failing to put in place reasonable security arrangements to prevent the unauthorised disclosure of its customers’ personal data on its website. | [
"Protection",
"Financial Penalty",
"Wholesale and Retail Trade",
"Data Intermediary",
"Protection",
"Security"
] |
2021-01-14 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---The-Future-of-Cooking-Pte-Ltd-20112020-(003).pdf | Protection | Breach of the Protection Obligation by The Future of Cooking | https://www.pdpc.gov.sg/all-commissions-decisions/2021/01/breach-of-the-protection-obligation-by-the-future-of-cooking | 2021-01-14 | PERSONAL DATA PROTECTION COMMISSION Case No. DP-2001-B5620 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And The Future of Cooking Pte. Ltd. SUMMARY OF THE DECISION 1. The Future of Cooking Pte. Ltd. (the “TFC”) operates an e-commerce website at https://www.thermomix.com.sg (the “Website”), retailing kitchen appliances and accessories. 2. On 3 January 2020, the Personal Data Protection Commission (the “Commission”) received a complaint that a text file (the “File”) containing personal data was accessible via the URL: https://thermomix.com.sg/wp-content/uploads/2019/10/woocommerce-orderexport-1.csv-1.txt. (the “Incident”). 3. The File contained the personal data of 178 unique individuals who had purchased items from the Website. The File was accessible via the URL from 1 October 2019 until 6 January 2020. It contained the following types of personal data (the “Personal Data”): a. Name; b. Email Address; c. Billing Address; d. Shipping Address; e. Customer Notes (e.g. delivery instructions); f. Order information (such as payment status, mode of payment, and transaction ID); g. Product ID of items; h. Quantity of items ordered; and i. Telephone number. The Commission’s Findings No breach by Hachi as a Data Intermediary 4. TFC had engaged Hachi Web Solutions Pte. Ltd. (“Hachi”) to re-design the Website and also perform data backup and migration. Insofar as the data backup and migration activities are concerned, Hachi was TFC’s data intermediary. The cause of the breach, however, did not relate to the data processing activities but to the Website re-design. Therefore, Hachi was not in breach of the Protection Obligation under section 24 of the Personal Data Protection Act 2012 (the “PDPA”) by virtue of its role as a data intermediary. TFC in breach of the Protection Obligation 5. The cause of the data breach may be traced to a WordPress plugin (the “Plugin”) which was installed on the Website. The Plugin contained a bug which caused the File to be generated and u… | Financial Penalty | 7255b9fe4b2433c5774bed593dd6215b52226a70 | [
"pdf-content",
"timestamp",
"decision",
"pdf-url",
"tags",
"nature",
"url",
"title",
"date",
"description"
] |
| 2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 72 | 72 | 1 | 952 | Singapore Technologies Engineering was found not in breach of the PDPA in relation to the transfer of the personal data of its Singapore-based employees to its subsidiaries based in United States. | [
"Transfer Limitation",
"Not in Breach",
"Manufacturing",
"Ransomware"
] |
2021-01-14 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision----ST-Engineering-Ltd---16112020.pdf | Transfer Limitation | No Breach of the Transfer Limitation Obligation by Singapore Technologies Engineering | https://www.pdpc.gov.sg/all-commissions-decisions/2021/01/no-breach-of-the-transfer-limitation-obligation-by-singapore-technologies-engineering | 2021-01-14 | PERSONAL DATA PROTECTION COMMISSION [2020] SGPDPC 21 Case No. DP-2006-B6426 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Singapore Technologies Engineering Limited … Organisation DECISION Singapore Technologies Engineering Limited [2020] SGPDPC 21 Singapore Technologies Engineering Limited [2020] SGPDPC 21 Yeong Zee Kin, Deputy Commissioner — Case No. DP-2006-B6426 16 November 2020 Introduction 1 On 10 June 2020, Singapore Technologies Engineering Limited (the “Organisation”) notified the Personal Data Protection Commission (the “Commission”) that its subsidiary based in the United States of America (“USA”), VT San Antonio Aerospace Inc. (“VT SAA”), had discovered a cybersecurity incident where threat actors gained unauthorised access to VT SAA’s US-based IT network and deployed a ransomware attack (the “Incident”). Facts of the Case 2 The Organisation is a Singapore incorporated company with a network of subsidiaries in Asia, Europe, USA and the Middle East. The ransomware attack was isolated to a limited part of VT SAA’s network, but also affected a few of the Organisation’s subsidiaries based in the USA that were using IT shared services provided by VT SAA. The Organisation’s IT network in Singapore was not compromised during the Incident. However, the following types of personal data belonging to 287 individuals in Singapore (“Affected 1 Singapore Technologies Engineering Limited [2020] SGPDPC 21 Individuals”) were potentially exposed to the risk of unauthorised access (collectively, the “Personal Data Sets”)1: (a) Name; (b) Address; (c) Email address; (d) Telephone number; (e) NRIC number and date of issue; (f) Passport details; (g) Photograph; (h) Date of birth; (i) Citizenship; (j) Country of residence; (k) Place of birth; (l) USA Social Security number; (m) USA visa information; (n) Details regarding government or military service, where applicable; (o) CV information; (p) Foreign identification numbers; … | Not in Breach | e80b77152c3052ff0a5870f8773669cd59a36872 | [
"pdf-content",
"timestamp",
"decision",
"pdf-url",
"tags",
"nature",
"url",
"title",
"date",
"description"
] |
Advanced export
JSON shape: default, array, newline-delimited
CREATE VIEW pdpc_decisions_version_detail AS select
commits.commit_at as _commit_at,
commits.hash as _commit_hash,
pdpc_decisions_version.*,
(
select json_group_array(name) from columns
where id in (
select column from pdpc_decisions_changed
where item_version = pdpc_decisions_version._id
)
) as _changed_columns
from pdpc_decisions_version
join commits on commits.id = pdpc_decisions_version._commit;