pdpc_decisions_version_detail (view)
4 rows where "date" is on date 2021-10-14
_commit_at | _commit_hash | _id | _item | _version | _commit | description | tags | date | pdf-url | nature | title | url | timestamp | pdf-content | decision | _item_full_hash | _changed_columns |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 47 | 47 | 1 | 952 | A financial penalty of $10,000 was imposed on ChampionTutor for failing to put in place reasonable security arrangements to protect personal data in its possession. The incident resulted in the personal data being exposed. | [ "Protection", "Financial Penalty", "Education" ] | 2021-10-14 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision--ChampionTutor-Inc-Private-Limited--10082021.pdf | Protection | Breach of the Protection Obligation by ChampionTutor | https://www.pdpc.gov.sg/all-commissions-decisions/2021/10/breach-of-the-protection-obligation-by-championtutor | 2021-10-14 | PERSONAL DATA PROTECTION COMMISSION Case No. DP-2103-B7984 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And ChampionTutor Inc. (Private Limited) SUMMARY OF THE DECISION 1. On 24 February 2021, the Personal Data Protection Commission (the “Commission”) received information that ChampionTutor Inc. (Private Limited)’s (the “Organisation”) database, containing personal data of individuals, was being sold on dark web (the “Incident”). 2. The Organisation was not aware of the Incident until it was notified by the Commission. The cause of the Incident was suspected to be SQL injection of the Organisation’s website. The Organisation knew about this SQL injection vulnerability when it conducted a penetration test in December 2020. The Organisation had instructed its developer, based in India, to fix the vulnerability. However, the developer did not act on the request and this vulnerability was left unfixed until the Incident happened. 3. As a result, the personal data of 4,625 students were affected. The personal data included name, email address, contact number and address. 4. The Organisation took the following remedial measures after the Incident: a. Engaged a new team of developers to fix all the SQL injection vulnerabilities; b. Parameterised SQL statements by disallowing data-directed context changes to prevent SQL injection attacks from resurfacing; and c. Is in the process of revamping the entire website source codes to reduce possible vulnerabilities. 5. The Organisation admitted to having breached the Protection Obligation under section 24 of the Personal Data Protection Act (the “PDPA”), and requested for the matter to be dealt with in accordance with the Commission’s Expedited Decision Procedure. 6. The Organisation admitted it was aware of the SQL injection vulnerability in December 2020. Yet, the Organisation failed to take active steps to fix the vulnerability even when its developer was not responsive, purportedly due to the COVID-19 pandemic, a… | Financial Penalty | 001064522a1c6277a0c24b9cf1a09495440cf2e8 | [ "pdf-content", "timestamp", "decision", "pdf-url", "tags", "nature", "url", "title", "date", "description" ] |
The Organisation admitted to having breached the Protection Obligation under section 24 of the Personal Data Protection Act (the “PDPA”), and requested for the matter to be dealt with in accordance with the Commission’s Expedited Decision Procedure. 6. The Organisation admitted it was aware of the SQL injection vulnerability in December 2020. Yet, the Organisation failed to take active steps to fix the vulnerability even when its developer was not responsive, purportedly due to the COVID-19 pandemic, a… | Financial Penalty | 001064522a1c6277a0c24b9cf1a09495440cf2e8 | [ "pdf-content", "timestamp", "decision", "pdf-url", "tags", "nature", "url", "title", "date", "description" ] |
2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 48 | 48 | 1 | 952 | A warning was issued to The National Kidney Foundation for failing to put in place reasonable security to protect the personal data in its possession. The incident resulted in personal data being downloaded. | [ "Protection", "Warning", "Healthcare", "Phishing", "Email" ] | 2021-10-14 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---The-National-Kidney-Foundation---15092021.pdf | Protection | Breach of the Protection Obligation by The National Kidney Foundation | https://www.pdpc.gov.sg/all-commissions-decisions/2021/10/breach-of-the-protection-obligation-by-the-national-kidney-foundation | 2021-10-14 | PERSONAL DATA PROTECTION COMMISSION [2021] SGPDPC 10 Case No DP-2005-B6353 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And The National Kidney Foundation … Organisation DECISION The National Kidney Foundation [2021] SGPDPC 10 Yeong Zee Kin, Deputy Commissioner — Case No. DP-2005-B6353 15 September 2021 Introduction 1 On 22 May 2020, the Personal Data Protection Commission (the “Commission”) received a data breach notification from the National Kidney Foundation (the “Organisation”). The Organisation had discovered that on 17 May 2020, a hacker had gained access to the work email account of one of its employees (“Employee A”) and had likely exfiltrated the personal data contained in the email account (the “Incident”). Background 2 The Organisation is a prominent non-profit health organisation in Singapore that provides health services, including subsidised kidney dialysis. Employee A is an executive in the Organisation’s Clinical Operations department, which deals with implementation of operations policies, budget planning and working with medical and nursing management team to uphold healthcare standards. The Incident 3 Investigations revealed that, on 14 May 2020, Employee A received a phishing email containing a hyperlink to a website with a further link to another website seeking his account credentials. The hacker is believed to have obtained Employee A’s account credentials in this way. Thereafter, the hacker accessed Employee A’s email account (the “Email Account”) and synchronised the mailbox on 17 May 2020. In doing so, the hacker is believed to have downloaded all the data stored in the Email Account in its entirety. The hacker also used Employee A’s email account to send phishing emails to 1,039 external business contacts of the Organisation, and 9 email accounts belonging to persons within the Organisation. Whilst these phishing emails contained a link to a phishing webpage, they did not disclose any personal data collected from the E… | Warning | 4095cd546dacd60ce1e477d8e6d816e126775088 | [ "pdf-content", "timestamp", "decision", "pdf-url", "tags", "nature", "url", "title", "date", "description" ] |
2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 49 | 49 | 1 | 952 | Directions were issued to J & R Bossini Fashion for breaches of the PDPA in relation to the transfer of Singapore-based individuals’ personal data to its parent company in Hong Kong and the protection of its employees’ personal data stored in its servers in Singapore. | [ "Protection", "Transfer Limitation", "Directions", "Wholesale and Retail Trade" ] | 2021-10-14 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---J--R-Bossini-Fashion-Pte-Ltd---18082021.pdf | Protection, Transfer Limitation | Breach of the Protection and Transfer Limitation Obligations by J & R Bossini Fashion | https://www.pdpc.gov.sg/all-commissions-decisions/2021/10/breach-of-the-protection-and-transfer-limitation-obligations-by-j-r-bossini-fashion | 2021-10-14 | PERSONAL DATA PROTECTION COMMISSION [2021] SGPDPC 9 Case No. DP-2006-B6440 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And J & R Bossini Fashion Pte Ltd … Organisation DECISION J & R Bossini Fashion Pte Ltd [2021] SGPDPC 9 Yeong Zee Kin, Deputy Commissioner — Case No. DP-2006-B6440 18 August 2021 Introduction 1 On 13 June 2020, J & R Bossini Fashion Pte Ltd (“the Organisation”) notified the Personal Data Protection Commission (“the Commission”) of a ransomware attack which had affected the IT systems of the Organisation’s group of companies on or around 27 May 2020 (“the Incident”). The Commission commenced investigations to determine whether the circumstances relating to the Incident disclosed any breaches by the Organisation of the Personal Data Protection Act 2012 (“PDPA”). Facts of the Case 2 The Organisation is a company incorporated in Singapore, and a subsidiary of Bossini International Holdings Limited, a company listed on the Stock Exchange of Hong Kong (“Bossini Holdings”). Bossini Holdings and its subsidiaries (“the Group”) are in the business of garment retail and brand franchising. 3 The Group’s IT systems and infrastructure across different regions (including Singapore) are centrally managed by Bossini Holdings from Hong Kong. While most of the Group’s production servers are located in Hong Kong, at the material time, the Organisation maintained two servers and various workstations for its staff in Singapore which were connected to the Group’s network in Hong Kong by way of a virtual private network (“VPN”). Personal data collected by the Organisation 4 Sometime prior to 2017, the Organisation collected personal data from customers and prospective customers in Singapore for the purposes of administering a customer loyalty programme. The personal data collected comprised of each individual’s: (a) Name; (b) NRIC number; (c) Phone number; (d) Email address; (e) Residential address; (f) Date of birth; and (g) Gende… | Directions | 0705137f0dd7129af2528c049cc49cf5edda8502 | [ "pdf-content", "timestamp", "decision", "pdf-url", "tags", "nature", "url", "title", "date", "description" ] |
2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 50 | 50 | 1 | 952 | A financial penalty of $37,500 was imposed on Stylez for failing to put in place reasonable security arrangements to protect personal data of its customers and cease retaining data when the purpose of collection no longer exists. As a result, the personal data of its customers was publicly exposed. A direction was also issued to Stylez to develop and implement internal data protection policies and practices to comply with the PDPA. | [ "Protection", "Accountability", "Retention Limitation", "Financial Penalty", "Directions", "Accommodation and F&B", "Database" ] | 2021-10-14 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Stylez-Pte-Ltd---04082021.pdf | Protection, Accountability, Retention Limitation | Breach of the Protection, Accountability and Retention Limitation Obligations by Stylez | https://www.pdpc.gov.sg/all-commissions-decisions/2021/10/breach-of-the-protection-accountability-and-retention-limitation-obligations-by-stylez | 2021-10-14 | PERSONAL DATA PROTECTION COMMISSION [2021] SGPDPC 8 Case No. DP-2001-B5645 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Stylez Pte Ltd … Organisation DECISION Stylez Pte. Ltd. [2021] SGPDPC 8 Lew Chuen Hong, Commissioner — Case No. DP-2001-B5645 4 August 2021 Introduction 1 On 25 December 2019, a local newspaper reported that data from a quotation and service comparison portal, iCompare.sg (“the Portal”), had been uploaded onto the Dark Web (the “Incident”)1. The Personal Data Protection Commission (“the Commission”) commenced investigations into the Incident thereafter. Facts of the Case 2 The Portal was created and operated by Stylez Pte Ltd (“Organisation”) at the material time. In July 2016, the Organisation created a new database containing data from the Portal for the purposes of testing a new function for the Portal in a separate test environment (the “Testing Database”). The Testing Database was a text file comprising records of the Portal’s renovation and interior design clients from 2009 to 2016 and was hosted on a cloud server leased from a cloud storage service provider (“the Server”). 3 Investigations revealed that the data exposed in the Incident was accessed and exfiltrated from the Testing Database some time before December 2019. A total of 9,983 individuals’ personal data, comprising their name, email address, and phone number were exposed in the Incident. 4 The Portal’s production and backup databases were hosted on servers leased from a different cloud service provider and were unaffected in the Incident. 1 https://www.straitstimes.com/singapore/local-renovation-database-exposed-on-dark-web Remedial actions 5 Following the Incident, the Organisation took the following remedial actions: a. The Testing Database and the account from which it was hosted were deleted; b. A malware scan was run on the Server, and all unnecessary files were removed; c. The operating system of the Server was updated and the root passwor… | Financial Penalty, Directions | 573fcfa5db4c96ff1bb6711b02e1ab2d1d9cd20a | [ "pdf-content", "timestamp", "decision", "pdf-url", "tags", "nature", "url", "title", "date", "description" ] |
```sql
CREATE VIEW pdpc_decisions_version_detail AS
select
  commits.commit_at as _commit_at,
  commits.hash as _commit_hash,
  pdpc_decisions_version.*,
  (
    select json_group_array(name)
    from columns
    where id in (
      select column
      from pdpc_decisions_changed
      where item_version = pdpc_decisions_version._id
    )
  ) as _changed_columns
from pdpc_decisions_version
join commits on commits.id = pdpc_decisions_version._commit;
```