pdpc_decisions_version_detail (view)
2 rows where title = "Breach of the Protection Obligation by Tanah Merah Country Club"
_commit_at | _commit_hash | _id | _item | _version | _commit | description | tags | date | pdf-url | nature | title | url | timestamp | pdf-content | decision | _item_full_hash | _changed_columns |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 41 | 41 | 1 | 952 | A financial penalty of $4,000 was imposed on Tanah Merah Country Club for failing to put in place reasonable security to protect personal data in its possession. The incident resulted in personal data being accessed. | [ "Protection", "Financial Penalty", "Arts, Entertainment and Recreation", "Email", "Password policy" ] | 2022-02-18 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Tanah-Merah-Country-Club---20122021.pdf | Protection | Breach of the Protection Obligation by Tanah Merah Country Club | https://www.pdpc.gov.sg/all-commissions-decisions/2022/02/breach-of-the-protection-by-tanah-merah-country-club | 2022-02-18 | PERSONAL DATA PROTECTION COMMISSION Case No. DP-2102-B7951 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Tanah Merah Country Club SUMMARY OF THE DECISION 1. On 24 February 2021, Tanah Merah Country Club (the “Organisation”) notified the Personal Data Protection Commission (the “Commission”) that an employee’s (the “Employee”) email account had been compromised and 600 phishing emails had been sent to various individuals on 22 February 2021 (the “Incident”). 2. The Organisation subsequently requested for this matter to be handled under the Commission’s expedited breach decision procedure. This meant that the Organisation voluntarily and unequivocally admitted to the facts set out within this decision. It also admitted that it was in breach of section 24 of the Personal Data Protection Act (the “PDPA”). 3. The Organisation’s investigations revealed that it was likely that the Organisation’s email accounts had been subjected to password spraying attacks. Password spraying is a type of password attack where a threat actor uses a few commonly used or default passwords against many different accounts. In contrast to traditional brute-force attacks, where the targeted account may quickly get locked out due to account-lockout policies that only allow for a limited number of failed attempts, password spraying attacks allow a threat actor to mount an attack against many accounts with a single commonly used password, while remaining undetected, before attempting the second password. At the time of the Incident, the Employee was using the password “TMCC@1234”, which the Employee had not changed for a period of nearly 5 years, since 2016 to the time of the Incident on 22 February 2021. 4. After gaining access to the Employee’s email account, the threat actor accessed the personal data of 467 individuals, including: a. The email addresses of 155 club members and 284 members of public, which the threat actor had used to send phishing emails to. b. The name, and/or NRIC … | Financial Penalty | db3f5f6adf8ce0a020293ba554d69dc62a612298 | [ "pdf-content", "timestamp", "decision", "pdf-url", "tags", "nature", "url", "title", "date", "description" ] |
2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 85 | 85 | 1 | 952 | A financial penalty of $4,000 was imposed on Tanah Merah Country Club for failing to put in place reasonable security arrangements to protect the personal data of individuals stored on its electronic direct mail (“EDM”) system. The common password for login to the EDM system was weak and had not been changed since 2010. There were also no arrangements in place to ensure and enforce password strength, expiry and protection. An application for reconsideration was filed against the decision Re Tanah Merah Country Club. Upon review and careful consideration of the application, directions in the decision were varied. | [ "Protection", "Financial Penalty", "Arts, Entertainment and Recreation", "EDM", "Password", "Weak password" ] | 2020-10-16 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Tanah-Merah-Country-Club---21072020.pdf | Protection | Breach of the Protection Obligation by Tanah Merah Country Club | https://www.pdpc.gov.sg/all-commissions-decisions/2020/10/breach-of-the-protection-obligation-by-tanah-merah-country-club | 2020-10-16 | PERSONAL DATA PROTECTION COMMISSION Case No. DP-1906-B4115 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Tanah Merah Country Club Editorial note: An application for reconsideration was filed against the decision in Re Tanah Merah Country Club. Pursuant to this application, the Commissioner has decided to reduce the financial penalty imposed on the Organisation from $8,000 to $4,000. As the application did not give rise to significant legal or factual issues, a separate decision on the application will not be published. SUMMARY OF THE DECISION 1. On 19 June 2019, Tanah Merah Country Club (the “Organisation”) informed the Personal Data Protection Commission (the “Commission”) of unauthorised access to its electronic direct mail (“EDM”) system (the “Incident”). During the Incident, which occurred on 9 June 2019, the EDM system was used to send unauthorised spam emails. 2. The Organisation was unable to determine how unauthorised access was gained to the EDM system. During investigations, it was discovered that the common password for login to the EDM system was weak, as it comprised the initials of the Organisation and the year 2010 (which was the year that the EDM system was set up). The password was shared by at least 3 persons: 2 of the Organisation’s marketing staff and its technical support vendor. Further, it had not been changed since 2010. Investigations disclosed that there were no arrangements in place to ensure and enforce password strength, expiry and protection. 3. In the circumstances, although the means of unauthorised access to the EDM system was not determined, the evidence pointed to weak password control as the cause. The Deputy Commissioner for Personal Data Protection therefore found the Organisation in breach of section 24 of the Personal Data Protection Act 2012. 4. The Organisation is directed to pay a financial penalty of $8,000 within 30 days from the date of this direction, failing which interest at the rate specified in the … | Financial Penalty | e641872fa69f2e946b7cb68cb7e884c4c88db9c2 | [ "pdf-content", "timestamp", "decision", "pdf-url", "tags", "nature", "url", "title", "date", "description" ] |
CREATE VIEW pdpc_decisions_version_detail AS
select
  commits.commit_at as _commit_at,
  commits.hash as _commit_hash,
  pdpc_decisions_version.*,
  (
    select json_group_array(name)
    from columns
    where id in (
      select column
      from pdpc_decisions_changed
      where item_version = pdpc_decisions_version._id
    )
  ) as _changed_columns
from pdpc_decisions_version
  join commits on commits.id = pdpc_decisions_version._commit;