New Singapore Personal Data Protection Regulator’s Decisions and Undertakings on 16 August 2023

The Singapore Personal Data Protection Commission (“PDPC”) published its latest enforcement decisions and voluntary undertakings on 16 August 2023.

In total, 2 enforcement decisions (the E-commerce Enablers case and the Wee Jing Kai Leon case) and 1 voluntary undertaking (the OG case) were published.

In this client update, we summarise the decisions and undertakings and present our key takeaways. 

Key takeaways:  

  1. In the E-commerce Enablers case, the PDPC issued a fine of SGD74,400 to E-commerce Enablers Pte Ltd (also known by its business name, “ShopBack”) for breach of the Protection Obligation due to an incident involving unauthorised access by a hacker to its customer data servers. This is currently the largest fine in 2023, and one of the largest fines issued by the PDPC to an organisation in recent years.

    1. ShopBack was determined to have breached the Protection Obligation in 2 respects: (i) a lack of sufficiently robust processes for AWS key management; and (ii) failure to conduct periodic security reviews. For (i), the PDPC emphasised that organisations should not rely solely on their employees performing their duties properly as a security arrangement to protect personal data (which was held to be the case here). There must be some process to ensure that the step required of the employee is actually taken, such as independent verification by another checker.

    2. An aggravating factor that the PDPC took into account when issuing the fine was the fact that ShopBack took 15 days to respond to the compromise of the AWS key (which was exploited by the hacker in this incident). The PDPC appeared to consider the roughly 2-week period as evidence of a lack of sufficiently robust processes within ShopBack to monitor its incident management response and ensure reasonable remediation speed.

  2. Additionally, the PDPC expressly mentioned that representations made by ShopBack were (where accepted by the PDPC) incorporated into the decision. As part of the enforcement decision issuance process, the PDPC would issue a written ‘preliminary’ decision to the organisation stating its reasons for the decision and the fines/directions (if any) to be imposed on the organisation. The organisation would then have at least 14 days to make written representations in response to the preliminary decision. Written representations could include a request by the organisation to amend portions of the decision that it considers are not factually accurate. The PDPC has full discretion to accept (or reject) any such proposed amendments, and the final decision published would include any accepted amendments.

  3. In the Wee Jing Kai Leon case, the individual represented to the PDPC that he was under the impression that, since he had obtained the telephone numbers prior to the enactment of the PDPA, he could use them for marketing purposes. The PDPC held that it recognises that a subscriber of a Singapore telephone number is deemed to have given his consent to a person to send a specified message to that telephone number if the subscriber consents to the sending of the specified message before 2 January 2014 (i.e. before the Do-Not-Call (“DNC”) Provisions came into effect), and that consent has not been withdrawn. Even if the subscriber subsequently adds his telephone number to the DNC registry, this would not amount to withdrawal of consent. However, this does not relieve the individual of his obligations under the DNC Provisions to obtain clear and unambiguous consent from the subscribers on his marketing list in written or other forms before or after 2 January 2014.

  4. In the OG case, the PDPC accepted OG’s undertaking after considering the security arrangements OG had in place to protect the personal data of individuals in its possession or control and its prompt response, which mitigated the effect of the ransomware attack. In particular, the PDPC noted that the impact of the ransomware attack was limited as OG’s data intermediary took a very short time (8 minutes) to shut down the affected servers and block access to OG’s databases.

Name of Decision / Undertaking: E-Commerce Enablers Pte. Ltd.

Summary of Incident: Personal Data Breach

As a result of an inadvertent committal of a full administrative privilege AWS access key (“AWS Key”) to GitHub, a malicious threat actor was able to access ShopBack’s AWS environment using the AWS Key and exfiltrate personal data of ShopBack’s customers.

Type of Potential Breach of the PDPA: Protection Obligation

The PDPC held that ShopBack failed to:

  • ensure that processes to manage the AWS keys that granted access to its customer storage servers were sufficiently robust;

  • conduct periodic security reviews, including implementing a more secure process to ensure that the responsible staff members were performing their AWS key rotation duties properly.

Complaint / Self-reported: Self-reported and Complaint

Number of affected individuals; Types of personal data affected: At least 1.4 million individuals

Personal data affected included:

  • Email address
  • Name
  • Mobile number
  • Address
  • Gender
  • NRIC numbers
  • Date of birth
  • Bank account number
  • Partial credit card information

Outcome: Fine of SGD74,400


Name of Decision / Undertaking: Wee Jing Kai Leon

Summary of Incident: Breach of the DNC Provisions

The PDPC received complaints that the individual had sent unsolicited telemarketing messages to telephone numbers registered on the No Text Message Register of the DNC Registry.

Type of Potential Breach of the PDPA: Duty to check the DNC Registry

The PDPC held that the individual failed to:

  • obtain clear and unambiguous consent; or

  • check the DNC Registry before sending specified messages to individuals registered on the registry.

Complaint / Self-reported: Complaint

Number of affected individuals; Types of personal data affected: Telemarketing messages sent to about 1,000 telephone numbers registered on the DNC Registry

Outcome: Warning


Name of Decision / Undertaking: OG Private Limited

Summary of Incident: Personal Data Breach

OG received an email from a hacker group demanding a ransom in return for not publishing data the group had stolen from OG.

Investigation revealed that a threat actor had conducted a brute-force SQL injection attack and was able to download 3 databases (2 of which contained ‘dummy’ data, with the remaining database containing individuals’ personal data).

Type of Potential Breach of the PDPA: Protection Obligation

The PDPC noted that the impact of the ransomware attack on OG was limited as its data intermediary Poket Pte Ltd (“Poket”) responded quickly. Within 8 minutes of receiving the security notifications that abnormal traffic had been detected, Poket shut down the affected servers and blocked access to OG’s databases.

Overall, the PDPC accepted OG’s undertaking after considering the security arrangements OG had in place to protect the personal data of individuals in its possession or control and the prompt response taken by OG, which mitigated the effect of the ransomware attack.

Complaint / Self-reported: Self-reported

Number of affected individuals; Types of personal data affected: 276,677 individuals

Personal data potentially affected:

  • Names
  • Gender
  • Address
  • Date of birth
  • Email address
  • Telephone numbers
  • NRIC numbers (encrypted)
  • Passwords (encrypted)

Outcome: Voluntary Undertaking; no admission of breach of the PDPA