New Singapore Personal Data Protection Regulator’s Decisions and Undertakings on 17 April 2023

The Singapore Personal Data Protection Commission (“PDPC”) published its latest enforcement decisions and voluntary undertakings yesterday (17 April 2023).

In total, there were 2 enforcement decisions (Tai Shin Fatt case and OrangeTee case) and 1 voluntary undertaking (Tat Hong Heavyequipment case) published.

In this client update, we summarise the decisions and undertakings and present our key takeaways.

Key takeaways:

There are several key takeaways from these recent decisions and undertaking:

  1. The Tai Shin Fatt case is the first published enforcement decision on the PDPA’s Section 48B Prohibition involving a ‘dictionary attack’ (see the table below for the definition of a ‘dictionary attack’). This prohibition was introduced as part of the 2020 amendments to the PDPA and came into effect on 1 February 2021.
  2. In the Tai Shin Fatt case, the Singapore Civil Defence Force (“SCDF”) emergency line had received an influx of marketing calls because of the actions of the individual in question. In issuing its decision, the PDPC noted the importance of keeping the SCDF emergency line open and unobstructed. Nevertheless, it’s interesting to note the PDPC’s statement that the making of automated marketing calls to the SCDF was not itself relevant to the individual’s breach of the Section 48B Prohibition – the issue was with the method used to generate the telephone numbers in question, and the individual’s role in authorising the marketing calls (see the table below for the application of the Section 48B Prohibition to the facts). Hence, in sending unsolicited commercial messages (which if done correctly, would constitute legitimate direct marketing), one must take extra precaution to avoid the indiscriminate manner by which recipient telephone numbers may be generated and targeted by automated means.
  3. In the OrangeTee case, the PDPC held that it did not consider the names and property transaction amounts as highly sensitive in nature as this information is, to a certain extent, already in the public domain. For instance, a member of the public can look up such information through a land titles search on the Singapore Land Authority website (for names), or a search on the Urban Redevelopment Authority website for caveats lodged (for property transaction amounts). Hence this information is ‘publicly available’, as defined in section 2(1) of the PDPA.
  4. Parts of the remediation plan in the Tat hong Heavyequipment case were redacted for confidentiality. Where a decision contains personal data or information that is treated as confidential under the PDPA, the PDPC may redact such data and information from the published decision. A person, when providing any information to the PDPC, may identify information that the person claims to be confidential information; such a claim must be supported by a written statement giving reasons why the information is confidential.
Name of Decision / UndertakingSummary of IncidentType of Potential Breach of the PDPA Complaint / Self-reportedNumber of affected individuals; Types of personal data affectedOutcome
Tai Shin Fatt (the “Individual”) Breach of the PDPA’s prohibition on use of dictionary attacks (“Section 48B Prohibition”)A warning was issued to the Individual for using dictionary attack methods to generate telephone numbers which were then used for telemarketing purposes, resulting in the breach of section 48B of the PDPA.  Breach of obligation under Section 48B Prohibition    Section 48B Prohibition For the Individual to have breached Section 48B of the PDPA, he must have:Applying Section 48B Prohibition to Incident The Individual was held to have breached Section 48B Prohibition as:(a) sent or authorised the sending of;(a) He authorised the Subject Calls to the Subject Numbers.(b) a message;(b) The Subject Calls were regarded as “messages” in sound form; they were automated calls based on a customised script provided by an engaged call automation vendor.   (c) with a Singapore link;(c) The Subject Calls had a Singapore link as they were made in Singapore.(d) to telephone numbers generated or obtained through use of: (i) a dictionary attack; or (ii) address harvesting software. A “dictionary attack” means the method by which a recipient’s telephone number is obtained using an automated means that generates possible telephone numbers by combining numbers into numerous permutations.  (d) The Subject Numbers (which were unique telephone numbers) were created using automated means via Microsoft Excel by partially using common telephone numbers and partially using randomised digits. This therefore constituted a “dictionary attack”. Complaint by a third party   The number of affected individuals is unknown. 18,809 telephone numbers (“Subject Calls”) were generated because of the dictionary attack.  22,268 automated marketing calls (“Subject Numbers”) were made in Singapore.    Warning issued to the Individual  
OrangeTee & Tie Pte LtdPersonal Data breachOrangeTee was the subject of an unauthorised access to its IT network. An organisation identified as “ALTDOS” claimed to have carried out the unauthorised access.     Protection Obligation The PDPC held that OrangeTee had not put in place reasonable security arrangements to protect users’ personal data in its possession or under its control. This was because (i) there was a lack of sufficiently robust processes in the form of a security assessment of the risk from using and storing ‘live’ personal data in a testing environment; and (ii) OrangeTee had not conducted reasonable periodic security reviews for its servers. Self-reported256,583 individuals Personal data affected included:employees’ names, NRIC numbers and bank account numbersCustomers’ names, NRIC numbers and property transaction amountsFine of SGD37,000     
Tat Hong Heavyequipment (Pte.) Ltd.Personal Data Breach  Tat Hong Heavyequipment suffered a ransomware attack that affected 43 virtual machines, 4 physical servers, 3 employees’ PC and the network attached storage. The threat actor had likely gained access to the organisation’s network by exploiting an open Microsoft Remote Open Desktop protocol to a User Acceptance Test (UAT) Server.  Protection Obligation The PDPC noted that there was no evidence of personal data exfiltration and all personal data had been fully restored.Tat Hong Heavyequipment took immediate remedial actions to address vulnerabilities and to prevent a recurrence of a similar incident, including:Hardening of perimeter firewalls and finetuning firewall configurations;Implementing multi-factor authentication for privileges and high-risk connections; andConducting phishing simulation exercises to train employees.A voluntary undertaking was submitted by Tat Hong Heavyequipment to the PDPC. Self-reported3,377 individuals Personal data affected:NamesDates of birthsNRIC numbersAddressesBank account numbers (for crediting of salaries)Fingerprints (for door access)Voluntary Undertaking; no admission of breach of the PDPA