pdpc_decisions_version_detail (view)
6 rows where "date" is on date 2022-05-19
This data as json, CSV (advanced)
Suggested facets: nature, decision, _commit_at (date), date (date), timestamp (date), tags (array), _changed_columns (array)
| _commit_at | _commit_hash | _id | _item | _version | _commit | description | tags | date | pdf-url | nature | title | url | timestamp | pdf-content | decision | _item_full_hash | _changed_columns |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 31 | 31 | 1 | 952 | Warnings were issued to Toll Logistics (Asia), Toll Global Forwarding, Toll Offshore Petroleum Services, and Toll (TZ) for breaches of the PDPA in relation to the transfer of employees’ personal data to a human resources software vendor in Ireland. | [
"Transfer Limitation",
"Warning",
"Transport and Storage"
] |
2022-05-19 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision--Toll-Logistics-Asia-Limited-and-others--180322.pdf | Transfer Limitation | Breach of the Transfer Limitation Obligation by Toll Logistics (Asia) and others | https://www.pdpc.gov.sg/all-commissions-decisions/2022/05/breach-of-the-transfer-limitation-obligation-by-toll-logistics-and-others | 2022-05-19 | PERSONAL DATA PROTECTION COMMISSION [2022] SGPDPC 4 Case No. DP-2008-B6707 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And (1) Toll Logistics (Asia) Limited (2) Toll Global Forwarding (Singapore) Pte. Limited (3) Toll Offshore Petroleum Services Pte. Ltd. (4) Toll (TZ) Pte. Ltd. … Organisations DECISION Toll Logistics (Asia) Limited and others [2022] SGPDPC 4 Yeong Zee Kin, Deputy Commissioner — Case No. DP-2008-B6707 14 March 2022 Introduction 1 Toll Holdings Limited (“Toll Holdings”) is an integrated logistics services provider headquartered in Australia. Toll Logistics (Asia) Limited (“Toll Logistics”), Toll Global Forwarding Singapore Pte. Ltd. (“Toll Forwarding”), Toll Offshore Petroleum Services Pte. Ltd. (“Toll Offshore"), and Toll (TZ) Pte. Ltd. (“Toll TZ”) are Singapore-registered entities (collectively, “the Organisations”) that are part of a multinational group of companies headed by Toll Holdings (“the Group”). 2 On 11 June 2020, Toll Holdings notified the Personal Data Protection Commission (“the Commission”) of a ransomware attack which had affected the Group’s IT systems, including servers in Australia and Singapore containing the personal data of current and former employees of the Organisations (“the Incident”). The Commission subsequently received complaints from 3 former employees of Toll Logistics in relation to the Incident. Investigations were commenced to determine whether the circumstances relating to the Incident disclosed any breaches by the Organisations of the Personal Data Protection Act 2012 (“PDPA”). Facts of the Case 3 In July 2013, Toll Holdings contracted with a vendor in Ireland (“the HR Vendor”) for the Group’s use of the HR Vendor’s human resources software platform (“the HR Platform”). To facilitate use of the common HR Platform, the respective Group entities (including the Organisations) uploaded the personal data of their employees to the HR Platform. The data uploaded to the HR Platform was hosted by the HR… | Warning | 3366d27f6930503cebbbff6dd8de747f0da55d18 | [
"pdf-content",
"timestamp",
"decision",
"pdf-url",
"tags",
"nature",
"url",
"title",
"date",
"description"
] |
| 2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 32 | 32 | 1 | 952 | A financial penalty of $2,000 was imposed on Southaven Boutique for failing to put in place reasonable security arrangement to prevent the unauthorised access of its customers' personal data in its Point-Of-Sale system server. An application for reconsideration was filed against the Decision Re Southaven Boutique Pte Ltd. Upon review and careful consideration of the application, direction in the Decision was varied and the financial penalty imposed was reduced. | [
"Protection",
"Financial Penalty",
"Wholesale and Retail Trade",
"Ransomware"
] |
2022-05-19 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Southaven-Boutique-Pte-Ltd---280222.pdf | Protection | Breach of Protection Obligation by Southaven Boutique | https://www.pdpc.gov.sg/all-commissions-decisions/2022/05/breach-of-protection-obligation-by-southaven-boutique | 2022-05-19 | PERSONAL DATA PROTECTION COMMISSION Case No. DP-2102-B7854 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Southaven Boutique Pte Ltd 1 Editorial note: An application for reconsideration was filed against the decision in Re Southaven Boutique Ptd Ltd. Pursuant to this application, the Deputy Commissioner has decided to reduce the financial penalty imposed on the Organisation from $5,000 to $2,000. As the application did not give rise to significant legal or factual issues, a separate decision on the application will not be published. SUMMARY OF THE DECISION 1. On 5 February 2021, Southaven Boutique Pte Ltd (the “Organisation”), a brickand-mortar retailer of clothes and accessories, informed the Personal Data Protection Commission (the “Commission”) of a ransomware attack that occurred on or about 4 February 2021 (the “Incident”). A threat actor had gained access to the Organisation’s Point-Of-Sale (the “POS”) system server and encrypted the personal data of 4,709 customers. The personal data affected include names, addresses, email addresses, contact numbers and date of birth. 2. Investigations revealed that the Organisation did not implement adequate administrative and technical security arrangements. First, the Organisation failed to conduct or schedule any software updates, maintenance and/or security review before the Incident. Past decisions by the Commission had stressed the need for such security arrangements. The Organisation’s operating system and anti-virus software, for example, were outdated and updated only after the Incident. 3. Second, the Organisation had failed to set out any data protection requirements or responsibilities with the POS vendor whom the Organisation had engaged to supply and install the POS, and relied on for system service issue. This meant that the Organisation did not in fact engage the POS vendor to provide the necessary maintenance support. As the Organisation continued to seek the POS vendor’s assistance for any system… | Financial Penalty | ba5645fa0a7e61666bb1148c1c65700478353304 | [
"pdf-content",
"timestamp",
"decision",
"pdf-url",
"tags",
"nature",
"url",
"title",
"date",
"description"
] |
| 2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 33 | 33 | 1 | 952 | A financial penalty of $12,500 was imposed on PINC for failing to put in place reasonable security arrangements to protect the personal data in its possession. Directions were also issued to PINC to develop and implement internal data protection policies and practices to comply with the PDPA and to ensure no copies of database were stored on employees' personal computers. | [
"Accountability",
"Protection",
"Financial Penalty",
"Directions",
"Wholesale and Retail Trade",
"No Policy"
] |
2022-05-19 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---PINC-Interactive-Pte-Ltd---04022022.pdf | Accountability, Protection | Breach of the Accountability and Protection Obligations by PINC Interactive | https://www.pdpc.gov.sg/all-commissions-decisions/2022/05/breach-of-the-accountability-and-protection-obligations-by-pinc-interactive | 2022-05-19 | PERSONAL DATA PROTECTION COMMISSION [2022] SGPDPC 1 Case No. DP-2002-B5827 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And PINC Interactive Pte. Ltd. … Organisation DECISION Page 1 of 9 PINC Interactive Pte. Ltd. [2022] SGPDPC 1 Lew Chuen Hong, Commissioner — Case No. DP-2002-B5827 4 February 2022 Introduction 1 On 2 February 2020, the Personal Data Protection Commission (“the Commission”) received feedback about a Twitter post dated 31 January 2020 which revealed that the personal data of users of www.pincstyle.com had been exposed. The tweet included a snapshot of the data (“the Incident”). The Commission commenced investigations into the Incident thereafter. Facts of the Case 2 The website www.pincstyle.com was created and managed by PINC Interactive Pte. Ltd. (“the Organisation”) at the material time. Investigations revealed that sometime in October 2019, a database comprising 252,813 records was accessed and exfiltrated from the Organisation’s staging servers (the “Staging Database”). The Staging Database is a synthetic database containing personal data of 3,916 actual users, while the remaining 248,897 records were fake or “dummy” data modelled after the real data. The synthetic database was used to facilitate development and testing on the staging servers. The personal data from the 3,916 actual users that were exposed in the Incident included the name, username, email address, contact number (for some users) and a password hash. For completeness, the 3,916 user records in the Staging Database is equivalent to 1.6% of the Organisation’s total database of 252,813 user records. Page 2 of 9 3 Investigations revealed two likely causes of the Incident. First, the developers, who are the Organisation’s employees, had retained a copy of the Staging Database on their own personal devices, and the database was exfiltrated when the developers’ computers were compromised. The Organisation stated that while they had instructed the developers to use … | Financial Penalty, Directions | d2cda7ac80cc4638223955ef382304ee06a36b98 | [
"pdf-content",
"timestamp",
"decision",
"pdf-url",
"tags",
"nature",
"url",
"title",
"date",
"description"
] |
| 2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 34 | 34 | 1 | 952 | A financial penalty of $24,000 was imposed on Lovebonito for failing to put in place reasonable security to protect personal data in its possession. The incident resulted in the personal data being accessed and exfiltrated. | [
"Protection",
"Financial Penalty",
"Wholesale and Retail Trade",
"Password policy"
] |
2022-05-19 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision--Lovebonito-Singapore-Pte-Ltd--21022022.pdf | Protection | Breach of the Protection Obligation by Lovebonito | https://www.pdpc.gov.sg/all-commissions-decisions/2022/05/breach-of-the-protection-obligation-by-lovebonito | 2022-05-19 | PERSONAL DATA PROTECTION COMMISSION [2022] SGPDPC 3 Case No. DP-1912-B5484 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Lovebonito Singapore Pte. Ltd. … Organisation DECISION Lovebonito Singapore Pte. Ltd. [2022] SGPDPC 3 Lew Chuen Hong, Commissioner — Case No. DP-1912-B5484 21 February 2022 Introduction 1 On 12 December 2019, Lovebonito Singapore Pte. Ltd (the “Organisation”) informed the Personal Data Protection Commission (“Commission”) that one of its IT systems had been hacked, and that the personal data of 5,561 of its customers had been accessed and exfiltrated by a malicious actor (the “Incident”). The Commission subsequently received two separate complaints from individuals affected in the Incident. Facts of the Case 2 The Organisation operates an e-commerce platform (the “Website”) retailing clothing and accessories. At the material time, the Organisation employed, amongst others, two third-party solutions to manage the Website. First, the Organisation employed Magento Cloud, a cloud-based service, to host and run the Website. Magento Cloud includes the Magento Content Management System (“Magento CMS”), an open-source e-commerce management software, which the Organisation used to change and update the Website. Second, the Organisation used a payment platform offered by Adyen N.V. (“Adyen”) to facilitate credit card payments on the Website. When a customer indicated that they intended to pay for their purchases via credit card, Adyen’s platform would load directly from their servers as a frame within the “checkout” page of the Website (the “Checkout Page”). 3 Customers would then input the below details into Adyen’s frame, and Adyen would directly collect these details and process the credit card payment: (a) Full credit card number; (b) Expiry date of the credit card; 2 (c) The CVV number of the credit card; and (d) Customer’s billing address (collectively, the “Credit Card Data”) 4 Once Adyen has processed the credit card p… | Financial Penalty | 89b55bd8d0fb6740006b25908bf6eba6b220b5c5 | [
"pdf-content",
"timestamp",
"decision",
"pdf-url",
"tags",
"nature",
"url",
"title",
"date",
"description"
] |
| 2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 35 | 35 | 1 | 952 | Royal Caribbean Cruises (Asia) was found not in breach of the PDPA in relation to a coding error in a business software which resulted in emails containing personal data being sent to unintended recipients. | [
"Protection",
"Not in Breach",
"Arts, Entertainment and Recreation",
"Software",
"Unintended recipient"
] |
2022-05-19 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision--Royal-Caribbean-Cruises-Asia-Pte-Ltd--130819.pdf | Protection | No Breach of the Protection Obligation by Royal Caribbean Cruises (Asia) | https://www.pdpc.gov.sg/all-commissions-decisions/2022/05/no-breach-of-the-protection-obligation-by-royal-caribbean-cruises | 2022-05-19 | PERSONAL DATA PROTECTION COMMISSION Case No. DP-1804-B1931 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Royal Caribbean Cruises (Asia) Pte. Ltd. SUMMARY OF THE DECISION 1. On 5 April 2018, the Personal Data Protection Commission (“Commission”) commenced investigation against Royal Caribbean Cruises (Asia) Pte Ltd (the “Organisation”) after receiving a complaint from a member of the public (the “Complaint”). The complainant stated that she had received the personal data of unrelated individuals in an email payment reminder sent by the Organisation. 2. Investigations revealed that, from 8 February 2018 to 4 April 2018, the personal data of 526 individuals were inadvertently disclosed to other unrelated members of the public via unintended email payment reminders (the “Data Breach Incident”). The personal data disclosed included booking IDs, ship codes, sailing dates, names, net amounts due, amounts paid, balance due and the balance due date (the “Affected Personal Data”). 3. The Organisation is part of the Royal Caribbean Group, and is the wholly owned subsidiary and data intermediary of the USA-based Royal Caribbean Cruises Ltd 1 (Liberia) (“RCL”). It is responsible for the following business functions on behalf of RCL: (a) Conducting sales and marketing activities on behalf of the cruise ship operators of the Royal Caribbean Group, including RCL; (b) Taking cruise bookings from Singapore-based customers of RCL; (c) Administering a loyalty membership programme on behalf of RCL; and (d) Collecting payments from Singapore-based customers of RCL who made their bookings via walk-in, roadshows and online bookings at the Royal Caribbean Group’s Singapore website. 4. RCL’s branch office in the Philippines (“RCL Philippines”) provides IT support to entities within the Royal Caribbean Group, and does not have a separate legal identity from RCL. On 1 January 2017, the Organisation entered into an operative intercompany agreement with RCL Philippines for the provis… | Not in Breach | 0d00bbb6002dda7ff71a02aa63df23ee41375297 | [
"pdf-content",
"timestamp",
"decision",
"pdf-url",
"tags",
"nature",
"url",
"title",
"date",
"description"
] |
| 2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 36 | 36 | 1 | 952 | Singtel was found not in breach of the PDPA in relation to an incident which occurred on or about 20 January 2021 whereby threat actor(s) exfiltrated personal data by exploiting zero-day vulnerabilities of a third party file transfer appliance. | [
"Protection",
"Not in Breach",
"Information and Communications"
] |
2022-05-19 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Singapore-Telecommunication-Limited---101221.pdf | Protection | No Breach of the Protection Obligation by Singapore Telecommunications (Singtel) | https://www.pdpc.gov.sg/all-commissions-decisions/2022/05/no-breach-of-the-protection-obligation-by-singapore-telecommunications | 2022-05-19 | PERSONAL DATA PROTECTION COMMISSION Case No. DP-2102-B7878 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Singapore Telecommunication Limited SUMMARY OF THE DECISION 1. On 10 February 2021, Singapore Telecommunication Limited (the “Organisation”) notified the Personal Data Protection Commission (the “Commission”) of a personal data breach that had occurred through the exploitation of zero-day vulnerabilities in a File Transfer Appliance (“FTA”) provided by a third party system (the “Incident”). 2. As a result of the Incident, 9,921 files containing personal data were exfiltrated. The personal data of 163,370 individuals which included their name, NRIC number, FIN, UIN, nationality, date of birth, address, email address, mobile number, photograph, staff, company pass or ID, bank account number, credit Page 1 of 3 card information (with expiry date), billing information, and vehicle number were affected. 3. The Organisation engaged an external cybersecurity company, FireEye Mandiant, to investigate the Incident. Its investigations found that the threat actors had exploited two (2) zero-day vulnerabilities of the FTA to gain unauthorised access to the FTA’s MySQL database and subsequent file downloading. 4. Investigations revealed that the Organisation had a license to use the FTA with the FTA developer, Accellion Pte Ltd (“Accellion”). Accellion was the only party that had access to the proprietary source code to the FTA system. Accordingly, the discovery and rectification of the zero-day vulnerabilities within the FTA system fell within the sole responsibility and control of the developer. We are of the view that the Organisation could not have detected or prevented the incident as it had no control or visibility of the zero-day vulnerability of the FTA. 5. The Organisation had provided and made reasonable security arrangements to protect personal data in its possession and/or control in relation to the Incident. The Organisation maintained th… | Not in Breach | 572fbbe0157ad79a81e4ed46fce23091a479c4f6 | [
"pdf-content",
"timestamp",
"decision",
"pdf-url",
"tags",
"nature",
"url",
"title",
"date",
"description"
] |
Advanced export
JSON shape: default, array, newline-delimited
CREATE VIEW pdpc_decisions_version_detail AS select
commits.commit_at as _commit_at,
commits.hash as _commit_hash,
pdpc_decisions_version.*,
(
select json_group_array(name) from columns
where id in (
select column from pdpc_decisions_changed
where item_version = pdpc_decisions_version._id
)
) as _changed_columns
from pdpc_decisions_version
join commits on commits.id = pdpc_decisions_version._commit;