pdpc_decisions_version_detail (view)

4 rows where "date" is on date 2021-06-10

View and edit SQL

This data as json, CSV (advanced)

Suggested facets: nature, _commit_at (date), date (date), timestamp (date), tags (array), _changed_columns (array)

_commit_at _commit_hash _id _item _version _commit description tags date pdf-url nature title url timestamp pdf-content decision _item_full_hash _changed_columns
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 58 58 1 952 A financial penalty of $7,000 was imposed on Larsen & Toubro Infotech for failing to put in place reasonable security arrangements to prevent the unauthorised disclosure of personal data of job applicants, and for disclosing the personal data of job applicants without their consent. 
[
    "Protection",
    "Consent",
    "Financial Penalty",
    "Information and Communications",
    "Protection",
    "Consent",
    "Sample forms",
    "Email",
    "Recruitment"
]
 2021-06-10 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision--Larsen--Toubro-Infotech-Limited-Singapore-Branch-06052021.pdf Protection, Consent Breach of the Protection and Consent Obligation by Larsen & Toubro Infotech https://www.pdpc.gov.sg/all-commissions-decisions/2021/06/breach-of-the-protection-and-consent-obligation-by-larsen-toubro-infotech 2021-06-10 PERSONAL DATA PROTECTION COMMISSION Case No. DP-2011-B7464 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Larsen & Toubro Infotech Limited, Singapore Branch SUMMARY OF THE DECISION 1. On 29 November 2020, the Personal Data Protection Commission (the “Commission”) received a complaint against Larsen & Toubro Infotech Limited, Singapore Branch (“LTI”) from an LTI job applicant. 2. On 25 November 2020, an LTI employee had emailed the complainant a set of sample forms which contained the personal data of a past job applicant. The LTI employee had sent the complainant those sample forms to assist him in filling up his own forms correctly. 3. Subsequently, on 3 December 2020, another LTI employee sent an email reminder to the complainant and 53 other job applicants to complete their application process. The email contained all of the job applicants’ respective names, with their email addresses placed in the “To” field and thus visible to all recipients. 4. Once notified of the complaint by the Commission, LTI undertook a review of its employees’ emails for the period from 2016 to 2020, and uncovered 73 other instances where past job applicants’ personal data had been disclosed to other job applicants. 5. In total, 13 past job applicants’ forms were disclosed by 10 of LTI’s employees to 74 other job applicants. The personal data disclosed in the forms comprised: a. Name; b. Signature; c. Email address; d. National Identification/ passport numbers; e. Date of Birth; f. Address; g. Contact number; h. Medical health status; i. Employment history; j. Salary information; and k. Criminal records disclosure. 6. The Deputy Commissioner for Personal Data Protection finds that LTI negligently contravened the Protection Obligation under section 24 of the Personal Data Protection Act 2012 by failing to provide adequate instructions to its employees dealing with recruitment matters on how to handle personal data. LTI also negligently contravened the Consent Obligation und… Financial Penalty bd9f440070a5521214d61291f17b40de724a111a 
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 59 59 1 952 A financial penalty of $25,000 was imposed on Webcada for breaches of the PDPA. First, the organisation failed to put in place reasonable measures to protect personal data on its database servers. Second, it did not have written policies and practices necessary to ensure its compliance with the PDPA. 
[
    "Protection",
    "Accountability",
    "Financial Penalty",
    "Information and Communications",
    "Ransomware",
    "IPMI",
    "Database servers",
    "No Written Policy"
]
 2021-06-10 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Webcada-Pte-Ltd-06052021.pdf Protection, Accountability Breach of the Protection and Accountability Obligation by Webcada https://www.pdpc.gov.sg/all-commissions-decisions/2021/06/breach-of-the-protection-and-accountability-obligation-by-webcada 2021-06-10 PERSONAL DATA PROTECTION COMMISSION Case No. DP-2009-B6931 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Webcada Pte Ltd SUMMARY OF THE DECISION 1. On 4 September 2020, Webcada Pte Ltd (the “Organisation”) notified the Personal Data Protection Commission (the “Commission”) that three of its database servers had been subjected to a ransomware attack on 29 August 2020 (the “Incident”). 2. The personal data of 522,722 individuals were affected in the Incident. The datasets affected comprised of the individuals’ names, phone numbers, dates of birth, addresses and order histories. 3. Following the Incident, the Organisation engaged an independent third-party consultant to investigate, review and assist in the implementation of additional data protection measures. 4. Investigations revealed that the ransomware had been uploaded onto the affected servers via the Intelligent Platform Management Interface ("IPMI"). The IPMI is a set of computer interface specifications used for remote monitoring and management of servers. There was no evidence of data exfiltration, and all affected data was restored from available back-ups. 5. The Organisation took the following remedial measures after the Incident: (a) IPMI was permanently disabled for all servers; (b) The public IP address of all servers was removed and all remote management access to the servers was configured to allow only trusted IP addresses; (c) End-point protection software with threat hunting capabilities was installed on all servers and computers within the Organisation; and (d) A written data protection policy was developed and implemented to comply with the provisions of the Personal Data Protection Act 2012 (the "PDPA"). 6. In its representations to the PDPC, the Organisation admitted to having breached the Accountability Obligation under section 12 and the Protection Obligation under section 24 of the PDPA, and requested for the matter to be dealt with in accordance with the PDPC’s Expedited Decisi… Financial Penalty a8330d4666d7631b3e448330fd698843754474f4 
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 60 60 1 952 A financial penalty of $35,000 was imposed on HMI Institute for failing to put in place reasonable security arrangements to protect personal data stored in its server. This resulted in the data being subjected to a ransomware attack. 
[
    "Protection",
    "Financial Penalty",
    "Education",
    "Ransomware",
    "Third Party Vendor",
    "Scope of Duties",
    "Open RDP Port",
    "Remote Desktop Protocol"
]
 2021-06-10 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---HMI-Institute-of-Health-Sciences---20052021.pdf Protection Breach of the Protection Obligation by HMI Institute of Health Sciences https://www.pdpc.gov.sg/all-commissions-decisions/2021/06/breach-of-the-protection-obligation-by-hmi-institute-of-health-sciences 2021-06-10 PERSONAL DATA PROTECTION COMMISSION [2021] SGPDPC 4 Cases No DP-1912-B5434 / DP-1912-B5564 / DP-1912-B5558 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And HMI Institute of Health Sciences Pte. Ltd. … Organisation DECISION HMI Institute of Health Sciences Pte. Ltd. [2021] SGPDPC 4 Lew Chuen Hong, Commissioner — Cases No. DP-1912-B5434 / DP-1912-B5564 / DP-1912-B5558 20 May 2021 Introduction 1 On 4 December 2019, a file server (the “Server”) belonging to HMI Institute of Health Sciences Pte. Ltd. (the “Organisation”) was affected by a ransomware attack. The ransomware encrypted and denied access to various files on the Server, including files containing personal data of the Organisation’s staff and trainees (the “Incident”). 2 On 7 December 2019, the Organisation informed the Personal Data Protection Commission (“Commission”) of the Incident. The Commission subsequently received two separate complaints about the Incident. Background 3 The Organisation is a dedicated private provider of healthcare training to individuals (“Participants”) in Singapore. In the course of carrying out its business activities, the Organisation collects personal data from, among others, (i) its employees, including temporary and contract staff such as associate trainers, (“Employees”) for the purposes of managing or terminating such employment relationships, and (ii) the Participants, for the purposes of registration and the administration of their enrolment in the Organisation’s training courses. 4 The Server affected by ransomware was set up in 2014 and was located in Singapore. It was owned by the Organisation but maintained by the Organisation’s appointed IT solution service provider (the “Vendor”). The Server stored personal data in Microsoft Word or Excel files, most but not all of which were password-protected. 5 The Server was protected by a firewall that blocked all connections to the Server, except for those through port 3389, a standard port which was used for… Financial Penalty 65d2d1e1ed47bb4f1dba6c7af5b321b1ae19c7c3 
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 61 61 1 952 A financial penalty of $8,000 was imposed on ST Logistics for failing to put in place reasonable security arrangements to prevent the unauthorised access of 2,400 MINDEF and SAF personnel's personal data. 
[
    "Protection",
    "Financial Penalty",
    "Transport and Storage",
    "Phishing",
    "Malware"
]
 2021-06-10 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---ST-Logistics-Pte-Ltd---26102020.pdf Protection Breach of the Protection Obligation by ST Logistics https://www.pdpc.gov.sg/all-commissions-decisions/2021/06/breach-of-the-protection-obligation-by-st-logistics 2021-06-10 PERSONAL DATA PROTECTION COMMISSION [2020] SGPDPC 19 Case Nos. DP-1912-B5514 and DP-1912-B5559 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And ST Logistics Pte Ltd … Organisation DECISION ST Logistics Pte Ltd [2020] SGPDPC 19 Lew Chuen Hong, Commissioner — Case Nos. DP-1912-B5514 and DP1912-B5559 26 October 2020 Introduction 1 Phishing attacks are increasingly prevalent and are one of the top cybersecurity threats faced by organisations1. In its latest report, the Cyber Security Agency of Singapore reported 47,500 cases of phishing in Singapore last year, almost triple the number of cases in 20182. This case is yet another example of an organisation falling victim to phishing. 2 On 16 December 2019, ST Logistics Pte Ltd (the “Organisation”) notified the Personal Data Protection Commission (the “Commission”) that the Organisation had detected an Emoted malware (“Emotet”) in their network which had infected 6 of its users’ laptops (including 4 laptops containing personal data), potentially affecting up to 4,000 individuals in the Ministry of 1 Phishing is a method employed by cyber criminals, often disguising themselves as legitimate individuals or reputable organisations, to fraudulently obtain personal data and other sensitive or confidential information. Once cyber criminals obtain an individual’s personal data, they may gain access to the individual’s online accounts and may impersonate the individual to scam persons known to the individual. See Cyber Security Agency of Singapore, Cyber Tip – Spot Signs of Phishing (25 February 2020) https://www.csa.gov.sg/gosafeonline/go-safe-forme/homeinternetusers/spot-signs-of-phishing. 2 See “Phishing attacks last year tripled from 2018”, The Straits Times, 27 June 2020. ST Logistics Pte Ltd [2020] SGPDPC 19 Defence (“MINDEF”) and Singapore Armed Forces (“SAF”) (the “Incident”). Subsequently, on 23 December 2019, the Commission received a complaint from an individual affected by the Incident. Facts of the … Financial Penalty 50724d913acafbfd43b21653cd18c545ba471871 
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]

Advanced export

JSON shape: default, array, newline-delimited

CSV options: 

CREATE VIEW pdpc_decisions_version_detail AS select
  commits.commit_at as _commit_at,
  commits.hash as _commit_hash,
  pdpc_decisions_version.*,
  (
    select json_group_array(name) from columns
    where id in (
      select column from pdpc_decisions_changed
      where item_version = pdpc_decisions_version._id
    )
) as _changed_columns
from pdpc_decisions_version
  join commits on commits.id = pdpc_decisions_version._commit;