fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

February 2022 PDPC Incidents and Undertaking

February 2022 PDPC Incidents and Undertaking
The February 2022 PDPC Incidents and Undertaking are already published for Organizations to follow

February 2022 PDPC Incidents and Undertaking

The February 2022 PDPC Incidents and Undertaking decision of the Personal Data Protection Commission (PDPC) have been published on PDPC’s official Website. For this month, only two (2) cases have been issued covering financial penalties for both Tanah Merah Country Club and North London Collegiate School (Singapore) Pte. Ltd.

It should be noted that the Personal Data Protection Act (PDPA) aims to balance the organizations’ needs to use data for legitimate purposes with the protection of individuals’ personal information as it is tasked with the administration and enforcement.

Here are the February 2022 PDPC Incidents and Undertaking that Organizations must take note of

In doing so, the decisions conducted by PDPC are published on their Website that is open to all who want to read the latest data security standards set by the PDPC. With this, for the better observance of organizations with such standards, it is their duty to be kept updated with the latest PDPC incident and undertakings.

Let’s have a look at the February 2022 cases with the latest cybersecurity updates to date.

Also Read: Guarding against common types of data breaches in Singapore

February 18: North London Collegiate School (Singapore) ‘s a breach of the Protection and Accountability Obligations

Our first case of PDPC incidents and undertaking involves North London Collegiate School (Singapore). The PDPC was notified by the Organization on July 02, 2021, that a parent of a student was able to view and access a student report by performing searches using internet search engines.

Investigations found that prospective students’ parents could submit documentation for admission applications via the Organization’s Website from December 2019 to July 2021. All documents uploaded were saved in the Website’s directory. However, the website folder was not effectively protected from web crawler automatic indexing. As a result, search engines indexed the provided documents, and they may appear in online search results.

The PDPC Incidents and Undertaking for February 2022 serve as guide to avoid financial penalties in the future

The Organization admitted that it had simply used a Robots.txt file on its Website to instruct search engines not to index the content in the website directory folder. However, it is well understood that the robot exclusion protocol is not obligatory.

The Organization had also stated that it relied on a related group company to set up and manage its Website, but there were no clear business requirements specifying that the Organization was relying on the sister company to recommend and/or implement security arrangements to protect personal data that resides in the website directory/ folder.

With this Incident, the personal data of minors were at risk of unauthorized access, and the Organization was made to pay a financial penalty of S$10,000 for failure to set up reasonable security arrangements to protect the personal data on its website database.

We can get from this case the importance of specifying the scope of work of the Organization responsible for the recommendation and/or implementation of the security arrangements to protect personal data. Furthermore, Organizations storing personal data in website directory/folders should implement proper folder or directory permissions and access controls to prevent web crawlers’ unintended access instead of relying on the robots exclusion protocol.

February 2022 PDPC Incidents and Undertaking: Tanah Merah Country Club’s breach of the Protection and Accountability Obligations

Completing this month’s published decisions is the case of Tanah Merah Country, where the PDPC ordered to pay the Organization to pay a financial penalty of $4,000 upon breach of personal data and failure to set up reasonable security arrangements to prevent it from happening.

On February 24, 2021, Tanah Merah Country Club notified the Personal Data Protection Commission that an employee’s email account had been compromised, and 600 phishing emails had been sent to various individuals on February 22, 2021.

The February 2022 PDPC Incidents and Undertaking are already published for Organizations to follow

The Organization’s investigations found that the Organization’s email accounts had most certainly been vulnerable to password spraying attempts. The Employee was using the password “TMCC@1234” at the time of the Incident, which the Employee had not updated in over five years, from 2016 to the time of the Incident on February 22, 2021.

The threat actor accessed the personal data of 467 people after getting access to the Employee’s email account, including: a. The email addresses of 155 club members and 284 members of the general public, to whom the threat actor had sent phishing emails. b. The emails contained the names, NRIC numbers, and/or email addresses of an additional 28 people.

We can infer from this case the importance of Organizations having a written personal data protection policy to guide their employees and staff to properly protect personal data. This is because if it was only passed on by word of mouth, Organization might run the risk of the policies and practices being passed on incorrectly.

Furthermore, to maintain good governance over its personal data and mitigate data breach risks throughout the data lifecycle, organizations should develop and implement ICT security policies for data protection, including a password policy.

Also Read: January 2022 PDPC Incidents and Undertaking

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us