The Singapore Personal Data Protection Commission (“PDPC”) published its latest enforcement decisions and voluntary undertakings on 11 May 2023.
In total, there were 3 enforcement decisions (Kingsforce Management Services case, Fortytwo case and The Law Society of Singapore case) and 1 voluntary undertaking (SpeeDoc case) published.
In this client update, we summarise the decisions and undertaking and present our key takeaways.
Key takeaways:
There are several key takeaways from these recent decisions and undertaking:
- In the Kingsforce Management Services case, the organisation was found in breach of section 24 (“Protection Obligation”) of the Personal Data Protection Act (“PDPA”) as more than 50,000 jobseeker datasets were leaked due to outdated website coding technology that contained critical vulnerabilities. Two protection obligations were breached by the organisation. First, it failed to provide clarity and specifications to its vendors on how to protect its database and personal data. Second, it failed to conduct reasonable periodic security reviews, including vulnerability scans since the launch of its website. The Kingsforce Management Services case is significant as no financial penalty was awarded by the PDPC despite a substantial leak of jobseeker datasets. Instead, a number of directives focused on rectification and prevention of future breaches were issued to the organisation. The case highlights the importance of key mitigating factors considered by the PDPC, such as the organisation’s efforts towards website security, cooperation during investigation, voluntary admission of breach of the Protection Obligation and prompt remediation by the organisation.
- In the Fortytwo case, malicious code injections on its website led to the capture of credit card details belonging to close to 100 individuals, and the email addresses and passwords belonging to more than 6,000 individuals. The organisation was found in breach of the Protection Obligation and was fined S$8,000 along with other rectification directives from the PDPC. The Fortytwo case highlights the importance of applying software patches promptly to fix security vulnerabilities. The organisation had considered and evaluated four patches but decided to hold back on installing them, thereby increasing the risks of malicious code injections. The PDPC also provided much needed clarity on whether fictitious names or pseudonymous personal particulars form part of the personal data under the possession or control of an organisation. The PDPA defines “personal data” to be data, whether true or not. Therefore, an organisation’s obligations under the PDPA to protect and ensure that such data are used in accordance with the purpose of collection applies to the entire customer database regardless of the accuracy (or inaccuracy) of the personal data in its possession or control.
- In the Law Society of Singapore (“LawSoc”) case, a threat actor gained access to the IT administrator’s account and executed a ransomware attack on the servers. This led to more than 16,000 members’ personal data being affected in the incident. LawSoc was found to have negligently breached the Protection Obligation by (i) using an easily guessable password for the compromised admin account, (ii) failing to change the password for the compromised admin account at reasonable intervals, and (iii) failing to conduct any periodic security reviews in the three years leading up to the Incident. In arriving at its decision, the PDPC referred to its published Guide to Data Protection Practices for ICT systems and emphasised that the adoption of 2FA or MFA should become the norm for accounts with administrative privileges, for systems managing sensitive data or large volumes of personal data.
- In the SpeeDoc case, the organisation’s AWS S3 bucket was incorrectly configured, which enabled public access to the personal data of more than 12,000 individuals. To prevent a recurrence of a similar incident, SpeeDoc took immediate remedial action to address the cause of the personal data breach. The SpeeDoc case is significant as the remedial actions were extensive and took almost 3 years to complete. The PDPC was first notified of the incident about 3 years ago (27 October 2020), and the target completion dates of the various remedial actions spanned a broad range. These remedial actions consisted of various security trainings for internal staff, formation of a security team, development of various internal policies and procedures, a third-party audit and ISO 27001 Certification. It highlights that the PDPC is prepared to accept long-term remedial actions under an undertaking, given a sufficiently complex case with a substantial leak of personal data.
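The SpeeDoc incident turned on a storage bucket whose configuration allowed anonymous read access. The following is an added example (not code from the PDPC, SpeeDoc or AWS) of an offline audit check a data-protection team could run over exported bucket settings: it inspects a bucket policy document and the four Public Access Block flags, and reports any Allow statement that grants access to an anonymous principal. The bucket name, account ID, role name and both policy documents are constructed sample values, not taken from the decision.

```python
"""
Added example: flag S3 bucket settings that expose object data to anonymous
readers. Inputs are constructed documents in the shape AWS uses for bucket
policies and for the Public Access Block configuration; nothing here calls
AWS, so it runs offline against exported configuration.
"""
import json

# Constructed sample: a policy that lets anyone read every object (the weak setting).
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-patient-records/*",
    }],
})

# Constructed sample: the corrected policy, read limited to one application role.
FIXED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-backend"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-patient-records/*",
    }],
})

# Public Access Block flags as S3 reports them; all four should be True.
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")
PAB_OFF = {k: False for k in PAB_KEYS}   # constructed: everything disabled
PAB_ON = {k: True for k in PAB_KEYS}     # constructed: everything enabled


def _is_anonymous(principal):
    """True when a statement's Principal matches everyone, i.e. anonymous access."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_statements(policy_json):
    """Return the Sids of Allow statements that grant an anonymous principal
    access with no Condition block. Conditioned anonymous grants are not
    reported here and deserve manual review."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):      # a single statement may be unwrapped
        statements = [statements]
    found = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_anonymous(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue
        found.append(stmt.get("Sid", "<no Sid>"))
    return found


def audit_bucket(policy_json, pab):
    """Combine the policy scan with the Public Access Block state.
    Returns a list of findings; an empty list means no public exposure found.
    A public statement is still reported when the block flags are on, because
    the policy itself should not grant anonymous access."""
    findings = []
    missing = [k for k in PAB_KEYS if not pab.get(k, False)]
    if missing:
        findings.append("PublicAccessBlock not fully enabled: " + ", ".join(missing))
    for sid in public_statements(policy_json):
        findings.append(f"policy statement '{sid}' allows anonymous access")
    return findings


if __name__ == "__main__":
    for label, policy, pab in (("weak", WEAK_POLICY, PAB_OFF),
                               ("fixed", FIXED_POLICY, PAB_ON)):
        print(label, audit_bucket(policy, pab) or ["no findings"])
```

Run as a script it prints two findings for the weak configuration and none for the corrected one. The check is deliberately conservative: it reports the policy statement even when `BlockPublicPolicy` would neutralise it, so that a later change to the block flags cannot silently re-expose the data.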
| Name of Decision / Undertaking | Summary of Incident | Type of Potential Breach of the PDPA | Complaint / Self-reported | Number of affected individuals; Types of personal data affected | Outcome |
| --- | --- | --- | --- | --- | --- |
| Kingsforce Management Services | Personal data breach. Jobseeker datasets were leaked due to outdated website coding technology that contained critical vulnerabilities. As the website was not completed at launch owing to contractual disputes, Kingsforce Management Services subsequently engaged IT maintenance vendors. However, such maintenance was ad hoc and limited. | Protection Obligation. The PDPC held that Kingsforce Management Services failed to: (i) provide sufficient clarity and specifications to its vendors on how to protect its database and personal data; (ii) conduct reasonable periodic security reviews, including vulnerability scans, since the launch of its website. | Self-reported | 54,900 individuals. Personal data affected: names; addresses; email address; telephone numbers; date of birth; job qualifications; last and expected salary; highest qualification and other data related to job searches. | No financial penalty. Various directives issued by the PDPC with deadlines for rectification and prevention of future occurrences, including regular patching, updates and upgrades. |
| Fortytwo Pte. Ltd. | Personal data breach. Fortytwo was the subject of unauthorised access to its IT network. Malicious code injections led to the capture of credit card details, email addresses and passwords of individuals when they logged in to its website. | Protection Obligation. The PDPC held that: (i) Fortytwo’s failure to patch had increased the risk of a malicious code injection capable of capturing users’ personal data. Four patches were released by Adobe to address several high-severity risk issues and critical bugs; however, upon evaluation Fortytwo decided to hold back on installing them; (ii) notwithstanding the disruptions caused by the pandemic, Fortytwo had been given ample notice of the impending end of support but took no action to perform the necessary upgrade from November 2015 to early 2020. | Self-reported | For 6,241 individuals, personal data affected: email addresses; passwords. For 98 individuals, personal data affected: names; credit card numbers; expiry dates; CVV/CVN numbers. | Fine of SGD 8,000. Further rectification directives issued by the PDPC, such as upgrading of Fortytwo’s website, vulnerability assessment and penetration testing. |
| The Law Society of Singapore | Personal data breach. LawSoc was the subject of a ransomware attack. The threat actor gained access to the account of the Organisation’s IT administrator and created a new account with full administrative privileges to execute a ransomware attack on the servers, encrypting their contents. | Protection Obligation. The PDPC found that LawSoc had negligently breached the Protection Obligation by: (i) using an easily guessable password for the compromised admin account; (ii) failing to change the password for the compromised admin account at reasonable intervals; (iii) failing to conduct any periodic security reviews in the three years leading up to the Incident. | Self-reported | 16,009 individuals. Personal data affected: names; residential addresses; date of birth; NRIC numbers. | No financial penalty. Various directives issued by the PDPC for a security audit and rectification of the security gaps identified in the security audit report. |
| SpeeDoc Pte. Ltd. | Personal data breach. SpeeDoc’s AWS S3 bucket was incorrectly configured, which enabled public access to the personal data stored within. Consequently, the personal data of 12,652 individuals was exposed to public access. | Protection Obligation. The PDPC carried out investigations into certain acts and practices of SpeeDoc and had reason to believe that the Organisation had not complied, was not complying, or was likely not to comply with one or more of the provisions of the PDPA. SpeeDoc was cooperative with the investigation process and took immediate remedial actions to prevent a recurrence of a similar incident, including: formation of a security team; security training for the Engineering team; ISO 27001 Certification; IT Operating Procedure Policy; Systems Acquisition and Development Security Policy; Incident Management Procedures; third-party security audit; security awareness training for staff; training for InfoSec staff. A voluntary undertaking was submitted by SpeeDoc to the PDPC. | Self-reported | 12,652 individuals. Personal data affected: names; phone numbers; email addresses; NRIC numbers; lab test results; profile pictures; photos of symptoms and medicines. | Voluntary Undertaking; no admission of breach of the PDPA. |