pdpc_undertakings_version_detail (view)
2 rows where "timestamp" is on date 2022-07-14
_commit_at | _commit_hash | _id | _item | _version | _commit | id | organisation | url | timestamp | description | pdf-url | pdf-content | _item_full_hash | _changed_columns |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2023-09-30T05:17:27+00:00 | be5389b881a3b6b218fc727fb3f2bea2c23e9082 | 18 | 18 | 1 | 948 | 18 | HSL Constructor Pte Ltd | https://www.pdpc.gov.sg/Undertakings/Undertaking%20by%20HSL%20Constructor%20Pte%20Ltd | 2022-07-14 | Background The Personal Data Protection Commission (the “Commission”) was notified by HSL Constructor Pte Ltd (“HSL”) on 7 October 2021 that it was subject to ransomware attack on 30 September 2021. As a result of the attack, 3 of its servers and a Network Attached Storage (“NAS”) were encrypted by ransomware. Personal data of 758 current and former HSL employees were encrypted. The personal data included their name, NRIC number, residential address, email address, family information, salary information and medical information. The Commission noted that there was no evidence of exfiltration of the data. It was established that the threat actor(s) had likely gained access to HSL’s network by exploiting the vulnerabilities present in the outdated software used on 2 of its servers, or using compromised credentials. Remedial Actions After the incident, as part of a remediation plan, HSL: (a) Implemented multifactor authentication for all administrator access, for users with administrative privileges, and for accounts with access to sensitive data/ systems; (b) Supplemented existing email reminders on cybersecurity best practices with regimented user awareness training; (c) Decommissioned all servers running Windows Server 2008 R2 and below; (d) Installed endpoint protection on all servers; (e) Patched all servers and firewall; (f) Reset all admin account passwords; and (g) Closed unused ports on its firewall. Undertaking Having considered the circumstances of the case, including the remedial steps taken by HSL to improve its data protection practices, the Commission accepted an undertaking from HSL to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 31 March 2022 (the “Undertaking”). HSL has since updated the Commission that it has completed the implementation of its remediation plan. The Commission has reviewed the matter and determined that HSL has complied with the terms of the Undertaking. Please click here to view the Undertaking. | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Undertakings/Undertaking---HSL-Constructor-Pte-Ltd.pdf | WRITTEN VOLUNTARY UNDERTAKING TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Personal Data Protection Commission or its delegates pursuant to section 48L(1) of the PDPA, by: HSL Constructor Pte Ltd UEN: 199405996K Registered Address: 42D Penjuru Road, HSL Waterfront @ Penjuru, Singapore 609162 Organisation By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. DEFINITIONS 1.1 In this Undertaking: (a) PDPA and ; (b) Relevant Provisions and IX, and section 48B(1) of the PDPA. 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) The Commission has carried out investigations into certain acts and practices of the Organisation, and has reason to believe that the Organisation has not complied, is not complying, or is likely not to comply with one or more of the Relevant Provisions. The relevant facts and circumstances are summarised at Schedule A. (b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to issue directions under sections 48I or 48J of the PDPA. (c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation appears ready to implement or is in the midst of implementing the steps set out in Schedule B. (d) Having carefully considered all the relevant facts and circumstances, the Commission takes the view that this is an appropriate case in which an Undertaking may be accepted. 2.2 The Organisation also acknowledges and agrees that the Commission may publish and make publicly available this Undertaking, and without limitation to … | e25e24fa4ddf72cadda7e560f55c76fcda0bf9f7 | [ "organisation", "description", "id", "pdf-content", "url", "pdf-url", "timestamp" ] |
2023-09-30T05:17:27+00:00 | be5389b881a3b6b218fc727fb3f2bea2c23e9082 | 19 | 19 | 1 | 948 | 19 | Asia Petworld Pte Ltd | https://www.pdpc.gov.sg/Undertakings/Undertaking%20by%20Asia%20Petworld%20Pte%20Ltd | 2022-07-14 | Background The Personal Data Protection Commission (the “Commission”) was notified by Asia Petworld Pte. Ltd. (“APPL”) on 8 September 2021 that its systems had been subjected to unauthorized access. The threat actor(s) had deleted APPL’s servers, including its backup servers and backup data, made mass PayPal payments and Airwallex bank transfers from the personal accounts belonging to APPL’s senior management, and potentially accessed employee payroll sheets in an email account belonging to APPL’s senior management. Personal data of about 21,000 customers was potentially disclosed. The personal data affected included their names, addresses, telephone numbers and email addresses. In addition, the personal data of 60 employees was also affected. The personal data included their names, dates of birth, NRIC number/FIN, bank account numbers and salaries credited. The Commission noted that APPL has since recovered the data via backup, as of 12 July 2021. It was established that APPL did not have adequate processes in place to protect the personal data in its possession. Remedial Actions After the incident, as part of a remediation plan, APPL: (a) reformatted each PC and desktop in its warehouse and office and installed a clean Windows 10 environment; (b) reset all Windows passwords and implemented a password length of at least 20 character long with complex requirements. Users were also reminded not to store passwords in plain text. Further, APPL also applied a password on documents containing personal data when transmitted over the internet; (c) enabled 2FA on all available applications and services; (d) implemented staff training to enhance knowledge in personal data, safety and cyber security knowledge; and (e) hardened system access including enhancing access controls, performing regular patching etc. Undertaking Having considered the circumstances of the case, including the remedial steps taken by APPL to improve its data protection practices, the Commission accepted an undertaking from APPL to imp… | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Undertakings/Undertaking-for-Asia-Petworld-Pte-Ltd.pdf | WRITTEN VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Personal Data Protection Commission or its delegates pursuant to section 48L(1) of the PDPA, by: Asia Petworld Pte. Ltd. UEN: 201409741H Registered Address: 2 Woodlands Sector 1, #03-18, Woodlands Spectrum, Singapore 738068 (hereinafter referred to as the “Organisation”). By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. DEFINITIONS 1.1 In this Undertaking: (a) “PDPA” means the Personal Data Protection Act 2012 (No. 26 of 2012); and (b) “Relevant Provisions” means the provisions in Parts III, IV, V, VI, VIA and IX, and section 48B(1) of the PDPA. 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) The Commission has carried out investigations into certain acts and practices of the Organisation, and has reason to believe that the Organisation has not complied, is not complying, or is likely not to comply with one or more of the Relevant Provisions. The relevant facts and circumstances are summarised at Schedule A. (b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to issue directions under sections 48I or 48J of the PDPA. (c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation appears ready to implement or is in the midst of implementing the steps set out in Schedule B. (d) Having carefully considered all the relevant facts and circumstances, the Commission takes the view that this is an appropriate case in which an Undertaking may … | 5db9ed6a1f5437710c12be609dcf9f02102f6427 | [ "organisation", "description", "id", "pdf-content", "url", "pdf-url", "timestamp" ] |
```sql
CREATE VIEW pdpc_undertakings_version_detail AS
select
  commits.commit_at as _commit_at,
  commits.hash as _commit_hash,
  pdpc_undertakings_version.*,
  (
    select json_group_array(name)
    from columns
    where id in (
      select column
      from pdpc_undertakings_changed
      where item_version = pdpc_undertakings_version._id
    )
  ) as _changed_columns
from pdpc_undertakings_version
join commits on commits.id = pdpc_undertakings_version._commit;
```