The Singapore Personal Data Protection Commission (“PDPC”) published its latest enforcement decisions and voluntary undertakings on 16 August 2023.
In total, there were 2 enforcement decisions (E-commerce Enablers case and Wee Jing Kai Leon case) and 1 voluntary undertaking (OG case) published.
In this client update, we summarise the decisions and undertakings and present our key takeaways.
Key takeaways:
-
In the E-commerce Enablers case, a fine of SGD74,400 was issued by the PDPC to E-commerce Enablers Pte Ltd (also known by its business name as “ShopBack”) for breach of the Protection Obligation due to an incident involving unauthorised access by a hacker to its customer data servers. This is currently the largest fine in 2023, and one of the largest fines issued by the PDPC to an organisation in recent years.
-
ShopBack was determined to have breached the Protection Obligation in 2 respects: (i) a lack of sufficiently robust processes for AWS key management; and (ii) failure to conduct periodic security review. For (i), the PDPC emphasised that organisations should not place sole reliance on their employees to perform their duties properly as a security arrangement to protect personal data (which was held to be the case here). There must be some processes to ensure that the step required from the employee is taken, such as independent verification by another checker.
-
An aggravating factor that the PDPC took into account when issuing the fine was the fact that ShopBack took 15 days to respond to the compromise of the AWS key (which was exploited by the hacker in this incident). The PDPC appeared to consider the roughly 2 weeks period as evidence of a lack of sufficiently robust processes within ShopBack to monitor its incident management response to ensure reasonable remediation speed.
-
-
Additionally, it’s noted that the PDPC expressly mentioned that representations made by ShopBack were (where accepted by the PDPC) incorporated into the decision. As part of the enforcement decision issuance process, the PDPC would issue a written ‘preliminary’ decision to the organisation stating its reasons to the decision and the fines/directions (if any) to be imposed on the organisation. The organisation would then have at least 14 days to make written representations in response to the preliminary decision. Written representations could include the organisation wishing to amend portions of the decision that are not reflected as factually accurate. The PDPC has full discretion to accept (or reject) any such proposed amendments and the final decision published would include any accepted amendments.
-
In the Wee Jing Kai Leon case, the individual represented to the PDPC that he was under the impression that since he had obtained the telephone numbers prior to the enactment of the PDPA, he could use them for marketing purposes. The PDPC held that it recognises that a subscriber of a Singapore telephone number is deemed to have given his consent to a person to send a specified message to that telephone number if the subscriber consents to the sending of the specified message before 2 January 2014 (i.e. before the Do-Not-Call (“DNC”) Provisions came into effect), and that consent has not been withdrawn. Even if the subscriber subsequently adds his telephone number to the DNC registry, this would not amount to withdrawal of consent. However, this doesn’t relieve the individual of his obligations under the DNC Provisions to obtain clear and unambiguous consent from the subscribers on his marketing list in written or other forms before or after 2 January 2014.
-
In the OG case, the PDPC accepted OG’s undertaking after considering the security arrangements OG had in place to protect the personal data of individuals in its possession or control and its prompt response which mitigated the effect of the ransomware attack. In particular, the PDPC noted that the impact of the ransomware attack was limited as OG’s data intermediary took a very short time (8 minutes) to shut down the affected servers and blocked access to OG’s databases.
Name of Decision / Undertaking | Summary of Incident | Type of Potential Breach of the PDPA | Complaint / Self-reported | Number of affected individuals; Types of personal data affected | Outcome |
---|---|---|---|---|---|
E-Commerce Enablers Pte. Ltd. |
Personal Data breach As a result of an inadvertent committal of a full administrative privilege AWS access key (“AWS Key”) to GitHub, a malicious threat actor was able to access ShopBack’s AWS environment using the AWS Key and exfiltrated personal data of ShopBack’s customers. |
Protection Obligation The PDPC held that ShopBack failed to:
|
Self-reported and Complaint |
At least 1.4 million individuals Personal data affected included:
|
Fine of SGD74,400 |
Wee Jing Kai Leon |
Breach of the DNC Provisions The PDPC received complaints that the individual had sent unsolicited telemarketing messages to telephone numbers registered on the No Text Message Register of the DNC Registry. |
Duty to check the DNC Registry The PDPC held that the individual failed to:
|
Complaint | Telemarking messages sent to about 1,000 telephone numbers registered on the DNC Registry | Warning |
OG Private Limited |
Personal Data Breach OG received an email from a hacker group demanding a ransom in return for not publishing data the group had stolen from OG. Investigation revealed that a threat actor had conducted a Bruteforce SQL injection attack and was able to download 3 databases (2 of which contained ‘dummy’ data, with the remaining database containing individuals’ personal data). |
Protection Obligation The PDPC noted that the impact of the ransomware attack on OG was limited as its data intermediary Poket Pte Ltd (“Poket”) responded quickly. Within 8 minutes of receiving the security notifications that abnormal traffic had been detected, Poket shut down the affected servers and blocked access to OG’s databases. Overall, the PDPC accepted OG’s undertaking after considering the security arrangements OG had in place to protect the personal data of individuals in its possession or control and the prompt response taken by OG which mitigated the effect of the ransomware attack. |
Self-reported |
276,677 individuals Personal data potentially affected:
|
Voluntary Undertaking; no admission of breach of the PDPA |