pdpc_undertakings_version_detail (view)

2 rows where "timestamp" is on date 2023-06-22


_commit_at _commit_hash _id _item _version _commit id organisation url timestamp description pdf-url pdf-content _item_full_hash _changed_columns
_commit_at: 2023-09-30T05:17:27+00:00
_commit_hash: be5389b881a3b6b218fc727fb3f2bea2c23e9082
_id: 28
_item: 28
_version: 1
_commit: 948
id: 28
organisation: Simmons (Southeast Asia) Private Limited
url: https://www.pdpc.gov.sg/Undertakings/Undertaking-by-Simmons-Southeast-Asia-Private-Limited
timestamp: 2023-06-22

description:

Background
The Personal Data Protection Commission (the “Commission”) was notified by Simmons (Southeast Asia) Private Limited ("SPL") on 17 August 2022 that it was subject to a ransomware attack on 10 August 2022. As a result of the attack, a test server containing the personal data of 87,824 customers was encrypted by ransomware. The personal data affected included the customers' name, address, email address, telephone number and customer information such as the sales order and date, product bought, amount paid, delivery date, time of delivery, date of payment, amount paid, mode of payment, and payment reference. The data of 128 employees, including their business email address, user ID, and password was also encrypted. The Commission noted that there was no evidence of exfiltration of the data. It was established that the threat actor(s) had likely gained access to the test server by exploiting an open Remote Desktop Protocol (“RDP”) port. The RDP port had been left open just 4 days earlier, on 6 August 2022, to facilitate access to the test server by a vendor for testing and development work.

Remedial Actions
After the incident, as part of a remediation plan, SPL put in place measures including:
(a) Reformatted and restored the test server;
(b) Closed the RDP port;
(c) Ensured that any connection to any of SPL’s servers within its IT environment can only be made through a SSL/VPN or IPSec connection, and that all RDP ports on all its servers are closed to public internet access;
(d) Issued a SSL/VPN account to its vendor for the vendor to connect to SPL’s network before accessing the test server;
(e) Removed all production data containing personal data from test servers and will ensure that any future test servers will not contain personal data in any form;
(f) Set up all future test servers on a separate domain so that the possibility of lateral movement is minimised;
(g) Ensured that the passwords used on test servers (including the current test server) comply with SPL’s existing password policy;
(…

pdf-url: https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Undertakings/Undertaking---Simmons-Southeast-Asia-Limited.pdf

pdf-content:

WRITTEN VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION

This Undertaking is given to the Personal Data Protection Commission or its delegates pursuant to section 48L(1) of the PDPA, by:
Simmons (Southeast Asia) Private Limited
UEN: 199303272D
Registered Address: 300 Beach Road, #25-03, The Concourse, Singapore 199555
(hereinafter referred to as the “Organisation”).

By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein.

1. DEFINITIONS
In this Undertaking:
(a) “PDPA” means the Personal Data Protection Act 2012; and
(b) “Relevant Provisions” means the provisions in Parts III, IV, V, VI, VIA and IX, and section 48B(1) of the PDPA.

2. ACKNOWLEDGEMENTS
2.1 The Organisation hereby acknowledges the following matters:
(a) The Commission has carried out investigations into certain acts and practices of the Organisation, and has reason to believe that the Organisation has not complied, is not complying, or is likely not to comply with one or more of the Relevant Provisions. The relevant facts and circumstances are summarised at Schedule A.
(b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to issue directions under sections 48I or 48J of the PDPA.
(c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation appears ready to implement or is in the midst of implementing the steps set out in Schedule B.
(d) Having carefully considered all the relevant facts and circumstances, the Commission takes the view that this is an appropriate case in which an Undertaking may be a…

_item_full_hash: 9864e1f1b4c4b0f2d826df52f80381dbe77d37a1
_changed_columns:
[
    "organisation",
    "description",
    "id",
    "pdf-content",
    "url",
    "pdf-url",
    "timestamp"
]

_commit_at: 2023-09-30T05:17:27+00:00
_commit_hash: be5389b881a3b6b218fc727fb3f2bea2c23e9082
_id: 29
_item: 29
_version: 1
_commit: 948
id: 29
organisation: Metropolis Security Systems Pte Ltd
url: https://www.pdpc.gov.sg/Undertakings/Undertaking-by-Metropolis-Security-Systems-Pte-Ltd
timestamp: 2023-06-22

description:

Background
In late June 2022, the Cyber Security Agency of Singapore alerted the Personal Data Protection Commission (the “Commission”) and Metropolis Security Systems Pte Ltd (the “Organisation”) that the Organisation’s files containing the personal data of 250 individuals was accessible online via an open port. The affected folder containing the personal data had been inadvertently set to public, and configured to an open port following a routine maintenance service in March 2018. As a result, the personal data of 250 individuals including their name, NRIC number, address, mobile number and bank account number was disclosed.

Remedial Actions
After the incident, as part of a remediation plan, the Organisation implemented the following:
(a) Password-protect both sensitive and confidential documents stored centrally in its HQ Network Attached Storage folder;
(b) Review the classification of information in its asset register at least once a year;
(c) Ensure that its vendors/suppliers are contractually obliged to comply with the Personal Data Protection Act 2012;
(d) Conduct adequate internal tests and penetration tests; and
(e) Embark on ISO27001 implementation with an external consultant.

Undertaking
Having considered the circumstances of the case, including the remedial steps taken by the Organisation, the Commission accepted an undertaking from the Organisation to improve its compliance with the PDPA. The undertaking was executed on 27 September 2022 (the “Undertaking”). The Organisation has since updated the Commission that it has fully implemented its remediation plan. The Commission has reviewed the matter and determined that the Organisation has complied with the terms of the Undertaking. Please click here to view the Undertaking.

pdf-url: https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Undertakings/Undertaking---Metropolis-Security-Systems-Pte-Ltd.pdf

pdf-content:

WRITTEN VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION

This Undertaking is given to the Personal Data Protection Commission or its delegates pursuant to section 48L(1) of the PDPA, by:
Metropolis Security Systems Pte Ltd
UEN: 201008279K
Registered Address: 20 Sin Ming Lane #08-63 Midview City, Singapore (573968)
(hereinafter referred to as the “Organisation”).

By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein.

1. DEFINITIONS
1.1 In this Undertaking:
(a) “PDPA” means the Personal Data Protection Act 2012; and
(b) “Relevant Provisions” means the provisions in Parts III, IV, V, VI, VIA and IX, and section 48B(1) of the PDPA.

2. ACKNOWLEDGEMENTS
2.1 The Organisation hereby acknowledges the following matters:
(a) The Commission has carried out investigations into certain acts and practices of the Organisation, and has reason to believe that the Organisation has not complied, is not complying, or is likely not to comply with one or more of the Relevant Provisions. The relevant facts and circumstances are summarised at Schedule A.
(b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to issue directions under sections 48I or 48J of the PDPA.
(c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation appears ready to implement or is in the midst of implementing the steps set out in Schedule B.
(d) Having carefully considered all the relevant facts and circumstances, the Commission takes the view that this is an appropriate case in which an Undertaking may be a…

_item_full_hash: d7c174c2117040dd0b42a602d63206df55b6e2ca
_changed_columns:
[
    "organisation",
    "description",
    "id",
    "pdf-content",
    "url",
    "pdf-url",
    "timestamp"
]

CREATE VIEW pdpc_undertakings_version_detail AS select
  commits.commit_at as _commit_at,
  commits.hash as _commit_hash,
  pdpc_undertakings_version.*,
  (
    select json_group_array(name) from columns
    where id in (
      select column from pdpc_undertakings_changed
      where item_version = pdpc_undertakings_version._id
    )
  ) as _changed_columns
from pdpc_undertakings_version
  join commits on commits.id = pdpc_undertakings_version._commit;
Powered by Datasette · About: choco-up/sg-law-archive-data