Privacy Ninja
November 2021 PDPC Incidents and Undertaking: Lessons from the Cases

The November 2021 decisions of the Personal Data Protection Commission (PDPC) have been published on the PDPC’s official website. Three (3) cases were highlighted this month, with outcomes ranging from a finding of no breach at all to a hefty financial penalty for failing to put in place reasonable security arrangements to protect personal data in an organization’s possession, a failure that resulted in the personal data being exposed.

It should be noted that the Personal Data Protection Act (PDPA) aims to balance organizations’ need to use data for legitimate purposes against the protection of individuals’ personal information, and that the PDPC is tasked with the Act’s administration and enforcement.

In doing so, the PDPC publishes its decisions on its website, where anyone can read the latest data security standards it has set. To better comply with these standards, organizations have a duty to keep themselves updated on the latest PDPC incidents and undertakings.

Let’s have a look at the November 2021 cases with the latest cybersecurity updates.


November 14: Giordano Originals (S) Pte Ltd, unauthorized network entry and ransomware infection

Our first case of PDPC incidents and undertaking involves Giordano Originals (S) Pte Ltd. It was reported to the PDPC that on or about July 12, 2020, an unauthorized network entry and ransomware infection occurred at the OS and server level.

The Organization’s own independent investigation found that the unauthorized entry had most likely occurred through the use of compromised credentials obtained through phishing.

As a result, the personal data of 790,000 of the Organization’s members and 184 employees, held in encrypted form, was affected. However, the PDPC did not impose any fine, as it found that:

  1. The Organization had in place reasonable security measures that are consistent with the recommendations;
  2. The Organization had installed and deployed various endpoint security solutions;
  3. The Organization also conducted regular periodic system maintenance, reviews, and updates;
  4. The Organization ensured that its data was regularly and automatically backed-up;
  5. The Organization had also taken further steps to better protect the personal data affected.

From this case, we can infer that a breach does not automatically mean the PDPC will impose a fine. It is a landmark case that every Organization should look to, as it shows how an Organization can avoid a hefty fine simply by following the cybersecurity recommendations the PDPC has laid down under the PDPA.

In the case at bar, Giordano Originals (S) Pte Ltd had put safeguards in place to prevent breaches and had a process for responding to attacks, which involved restoring from backups and further strengthening its cybersecurity posture. The PDPC therefore ruled that Giordano Originals (S) Pte Ltd had met its Protection Obligation under Section 24 of the PDPA.

November 14: Commeasure Pte Ltd, data breach affecting 5,892,843 customer records

Our second case of PDPC incidents and undertaking involves Commeasure Pte Ltd, which the PDPC ordered to pay a hefty fine of 74,000 SGD for its personal data breach.

On September 19, 2020, the Commission received information that the Organization’s database had been accessed and exfiltrated. Investigation found that the cause of the breach was an Amazon Web Services (“AWS”) access key that was publicly available, embedded within an Android application package (APK) that anyone could download.

The APK had been created sometime in 2015, when the Organization was still new. It was regarded as “defunct,” which is why it was left out of scope when the Organization conducted penetration testing to look for vulnerabilities.

Because of the incident, the Organization was made to pay a hefty fine of 74,000 SGD for the database breach, which affected 5,892,843 customers. The Commission highlighted that although IT security reviews had been conducted, they were not enough. The Commission also stated that this case was the largest data breach in history.

From this case, we can infer that an Organization must keep a close eye on the services it offers, especially while it is still new. Furthermore, a service must be put through penetration testing before it is made public, not after it is already available to users. This way, early vulnerabilities cannot be exploited once the service goes live.
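The root cause in the Commeasure case, a long-lived AWS access key shipped inside a downloadable APK, is exactly what a pre-release secret scan catches, and it is cheap to run on every build, including forgotten ones. The script below is an added example, not code from Privacy Ninja, Commeasure or the PDPC; it assumes the APK has already been unpacked (it is a zip archive) into a directory, and the files and key IDs it scans are constructed placeholders.

```python
import os
import re
import tempfile
from typing import Dict, List

# AWS access key IDs are exactly 20 characters: a 4-letter prefix (AKIA for
# long-term IAM keys, ASIA for temporary STS keys) followed by 16 of [A-Z0-9].
ACCESS_KEY_RE = re.compile(rb"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")

def scan_bytes(data: bytes) -> List[str]:
    """Return every AWS access key ID found in a byte string."""
    return [m.decode() for m in ACCESS_KEY_RE.findall(data)]

def scan_directory(root: str) -> Dict[str, List[str]]:
    """Walk an unpacked APK and map each file (relative path) to the key IDs in it.

    Everything is read as raw bytes: string constants survive compilation into
    classes.dex and native libraries verbatim, so text-only scanning misses them.
    """
    hits: Dict[str, List[str]] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                found = scan_bytes(fh.read())
            if found:
                hits[os.path.relpath(path, root).replace(os.sep, "/")] = found
    return hits

def demo() -> Dict[str, List[str]]:
    """Build a constructed fake unpacked-APK tree and scan it (no real keys)."""
    root = tempfile.mkdtemp(prefix="apk_")
    os.makedirs(os.path.join(root, "res", "raw"))
    # Constructed sample 1: a properties file with a placeholder key ID.
    with open(os.path.join(root, "res", "raw", "config.properties"), "wb") as fh:
        fh.write(b"aws.accessKeyId=AKIAEXAMPLEKEYID0001\naws.region=ap-southeast-1\n")
    # Constructed sample 2: a dex-like blob where the constant sits between
    # non-text bytes, as it would inside a compiled class.
    with open(os.path.join(root, "classes.dex"), "wb") as fh:
        fh.write(b"dex\n035\x00" + b"ASIAEXAMPLETEMPKEY01" + b"\x00\xff")
    # Constructed sample 3: a file with no key, which must produce no hit.
    with open(os.path.join(root, "AndroidManifest.xml"), "wb") as fh:
        fh.write(b"<manifest package='com.example.app'/>")
    return scan_directory(root)

if __name__ == "__main__":
    for path, keys in demo().items():
        print(f"{path}: {', '.join(keys)}")  # any hit should fail the release gate
```

Wiring this into the build so that a non-empty result blocks the release covers "defunct" packages as well, since they are still built artifacts even when nobody scopes them into a penetration test.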

November 2021 PDPC Incidents and Undertaking: Fujioh International Trading Pte Ltd


Completing this month’s published decisions is the case of Fujioh International Trading Pte Ltd, where the PDPC accepted the Organization’s undertaking regarding personal data that was exposed through the Online Warranty System on its website.

The incident affected the personal data of 2,771 individuals, comprising their names, addresses, email addresses, and telephone numbers.

We can infer from this case that a potential threat to the data managed by an Organization does not necessarily mean that the Organization will be heavily fined outright.

Where no data was breached thanks to the Organization’s prompt remedial actions, even though there was an infiltration caused by a failure to put in place reasonable security arrangements, a fine is not necessary, especially where extensive measures have been actively put in place to prevent such incidents from happening in the future.
