pdpc_decisions_version_detail (view)

2 rows where "timestamp" is on date 2023-09-15

_commit_at _commit_hash _id _item _version _commit description tags date pdf-url nature title url timestamp pdf-content decision _item_full_hash _changed_columns
_commit_at: 2023-10-01T11:02:10+08:00
_commit_hash: fbd32491db44d3d0c97aa12a99cefd61ec954264
_id: 1
_item: 1
_version: 1
_commit: 952
description: A financial penalty of $9,000 was imposed on Century Evergreen for failing to put in place reasonable security arrangements to protect the personal data of jobseekers in its possession or under its control.
tags: ["Protection", "Financial Penalty", "Employment", "URL manipulation"]
date: 2023-09-15
pdf-url: https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/GD_Century_Evergreen_260723.pdf
nature: Protection
title: Breach of the Protection Obligation by Century Evergreen
url: https://www.pdpc.gov.sg/all-commissions-decisions/2023/09/breach-of-the-protection-obligation-by-century-evergreen
timestamp: 2023-09-15
pdf-content:
  PERSONAL DATA PROTECTION COMMISSION
  [2023] SGPDPCS 5
  Case No. DP-2212-C0526
  In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Century Evergreen Private Limited
  SUMMARY OF THE DECISION
  1. On 11 December 2022, the Personal Data Protection Commission (the “Commission”) received a complaint against Century Evergreen Private Limited (the “Organisation”) that images of identification documents (which includes the National Registration Identity Card) submitted by jobseekers to the Organisation were publicly accessible on the Organisation’s website (“Incident”). The Organisation is a manpower contracting services company and required jobseekers to submit their identification documents to verify the identity of and suitability of the jobseeker in question.
  2. Following the complaint received, the Commission commenced investigations to determine the Organisation’s compliance with the Personal Data Protection Act 2012 (“PDPA”). The Organisation requested that the investigation be handled under the Commission’s Expedited Decision Procedure (“EDP”). This means that the Organisation voluntarily provided and admitted to the facts set out in this decision. The Organisation also admitted that it failed to implement reasonable security arrangements to protect the personal data in its possession and control, and was in breach of section 24(a) of the PDPA.
  3. The Organisation admitted that the Insecure Direct Object References (“IDOR”) vulnerability on its website, which allowed the complainant to manipulate the URL had existed from the time the website was launched on 9 November 2015. As a result of this vulnerability, 96,889 images of identification documents belonging to 23,940 individuals were downloaded from the Organisation’s website from 10 to 12 December 2022.
  4. The Organisation admitted that it was in breach of section 24(a) of the PDPA as it failed to include any security requirements to protect personal data in its contract with the vendor who first de…
decision: Financial Penalty
_item_full_hash: 3a409dde7f16bfa6ec2d01d5c2d7e80c9ec98146
_changed_columns: ["pdf-content", "timestamp", "decision", "pdf-url", "tags", "nature", "url", "title", "date", "description"]

_commit_at: 2023-10-01T11:02:10+08:00
_commit_hash: fbd32491db44d3d0c97aa12a99cefd61ec954264
_id: 2
_item: 2
_version: 1
_commit: 952
description: A financial penalty of $3,000 was imposed on Autobahn Rent A Car for failing to put in place reasonable security arrangements to protect the personal data in its possession or under its control. Directions were also issued to strengthen access control measures to administrator accounts and to conduct reasonable security review of technical and administrative arrangements for the protection of personal data.
tags: ["Protection", "Financial Penalty", "Directions", "Others"]
date: 2023-09-15
pdf-url: https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/GD_Autobahn-Rent-A-Car-Pte-Ltd_090623.pdf
nature: Protection
title: Breach of the Protection Obligation by Autobahn Rent A Car
url: https://www.pdpc.gov.sg/all-commissions-decisions/2023/09/breach-of-the-protection-obligation-by-autobahn-rent-a-car
timestamp: 2023-09-15
pdf-content:
  PERSONAL DATA PROTECTION COMMISSION
  [2023] SGPDPCS 4
  Case No. DP-2210-C0345
  In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Autobahn Rent A Car Pte. Ltd.
  SUMMARY OF THE DECISION
  1 On 21 October 2022, Autobahn Rent A Car Pte. Ltd. (the “Organisation”) notified the Personal Data Protection Commission (the “Commission”) of a personal data breach (the “Incident”).
  2 The Organisation operates a car-sharing service, Shariot, in Singapore. On 24 September 2022, the Organisation received customer feedback that a photograph on its mobile application had been replaced with a pornographic photograph. The Organisation discovered that the pornographic photograph had been uploaded through an unrevoked administrator account belonging to an ex-employee, who had left the Organisation in May 2022. The ex-employee received an email from an unknown sender on 10 September 2022 stating that his personal laptop had been hacked and demanding Bitcoins as ransom payment. The threat actor was able to log into the Shariot’s mobile application administrator portal through the administrator account belonging to the ex-employee, and used the export CSV function to download a copy of the Shariot’s users personal data.
  3 Subsequently, on 21 October 2022, a cybersecurity solutions provider alerted the Organisation of a cybercrime forum post offering the sale of a Shariot database containing personal data. The Commission commenced investigations to determine whether the Incident disclosed any breaches of the Personal Data Protection Act 2012 (“PDPA”) by the Organisation.
  4 The Organisation requested, and the Commission agreed, for this matter to proceed under the Expedited Decision Breach Procedure. To this end, the Organisation voluntarily and unequivocally admitted to the facts set out in this decision. It admitted to a breach of the Protection Obligation under Section 24 of the PDPA.
  5 The Organisation’s internal investigations discovered that compromise of the…
decision: Financial Penalty, Directions
_item_full_hash: 458ca2b78344d38cc2dec8a4e89a493c8a7475a2
_changed_columns: ["pdf-content", "timestamp", "decision", "pdf-url", "tags", "nature", "url", "title", "date", "description"]

CREATE VIEW pdpc_decisions_version_detail AS select
  commits.commit_at as _commit_at,
  commits.hash as _commit_hash,
  pdpc_decisions_version.*,
  (
    select json_group_array(name) from columns
    where id in (
      select column from pdpc_decisions_changed
      where item_version = pdpc_decisions_version._id
    )
) as _changed_columns
from pdpc_decisions_version
  join commits on commits.id = pdpc_decisions_version._commit;

Powered by Datasette · About: choco-up/sg-law-archive-data