fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

PDPC’s March 2023 decisions: Sembcorp Marine and Eatigo International

March 2023 PDPC decisions
PDPC’s March 2023 decisions cover Sembcorp Marine and Eatigo International.

PDPC’s March 2023 decisions: Sembcorp Marine and Eatigo International

The March 2023 PDPC decisions have been published on PDPC’s official website. For this month, two (2) cases have been issued covering the “not in breach” decision given to Sembcorp Marine and the financial penalty of Eatigo International

It should be noted that the Personal Data Protection Act (PDPA) aims to balance the organizations’ needs to use data for legitimate purposes with the protection of individual’s personal information as it is tasked with the administration and enforcement.

In doing so, the decisions conducted by PDPC are published on their website, which is open to all who want to read the latest data security standards set by the PDPC. With this, for the better observance of organizations with such standards, it is their duty to be kept updated with the latest PDPC decisions and undertakings.

Let’s have a look at the March 2023 cases with the latest cybersecurity updates to date.

Two (2) cases have been issued covering the “not in breach” decision given to Sembcorp Marine and the financial penalty of Eatigo International. 

March 10: “Not in breach” decision given to Sembcorp Marine 

On July 25, 2022, Sembcorp notified the PDPC of a data breach that happened through the exploitation of the Log4J zero-day vulnerability. With this incident, a total of 25,925 personal data of individuals were exfiltrated. This includes their name, address, email address, NRIC number, telephone number, passport number, photograph, and date of birth, among others. 

Investigations reveal that the bad actor exploited three Log4J vulnerabilities present in an application to gain unauthorised access to the Organisation’s server. It was also revealed that the threat actor deployed the “Cobalt Strike” beacon, conducted reconnaissance, and made lateral movements across several machines before exfiltrating data and deploying ransomware. 

After finding out about the Log4J vulnerability, Sembcorp took prompt action to identify instances of Log4J vulnerabilities across all the software applications it was using. The Organisation then implemented workarounds recommended by its vendors for systems whose patches were not available or had not been released. 

The PDPC was satisfied with Sembcorp’s prompt remedial actions and declared that there was no need for an enforcement action in relation to the incident.

What did we get from this case?

The prompt response of an organisation towards the incident can be a mitigating circumstance that could potentially remove the impending financial penalty. Moreover, conducting regular penetration testing can go a long way. 

This is because when you spot vulnerabilities in your system before bad actors do and perform the necessary remediations or fixes, bad actors will not be able to exploit such vulnerabilities and cause a data breach.

The Personal Data Protection Act (PDPA) aims to balance the organizations’ needs to use data for legitimate purposes with the protection of individual’s personal information as it is tasked with the administration and enforcement.

March 10: Breach of Protection Obligation by Eatigo International

Completing this month’s PDPC cases for the month of March is the case of Eatigo International. On October 29, 2020, the PDPC was notified about a possible data leak by Eatigo. It was found out that a cache of personal data that was suspected to be from the Organisation’s database was being offered for sale on an online forum.

This affected database contained personal data relating to approximately 2.8 million individuals, encompassing personal data such as passwords, access IDs, and Facebook tokens.

Investigations reveal that the personal data for sale on the online forum did not match any current databases in use by Eatigo at the time of the incident. However, this matched the structure of a legacy database which contained user data as of late 2018, the database they used prior to their migration to their current online platform.

After the migration, the affected database was not included in the Organisation’s Virtual Private Network infrastructure. Unfortunately, as Eatigo transitioned to a new engineering team, no one in the Organisation had knowledge of the affected database.

Investigations further revealed that no such password rotation rules were implemented for the affected database, unlike in the current online platform. There were no security reviews conducted, no system in place to monitor the exfiltration of large volumes of data, and no personal data asset inventory or access logs were maintained. 

With this, Eatigo International failed to implement reasonable security arrangements to protect the affected database from the risk of unauthorised access. For breaching the Protection Obligation under the PDPA, Eatigo International was made to pay a whopping financial penalty of S$62,400.

What did we get from this case?

For organisations with substantial personal data assets, the maintenance of an accurate and up-to-date personal data asset inventory is a prerequisite for complying with the Protection Obligation. This is to ensure that every personal data is accounted for and for tracking purposes. It is a good practice that would assist organisations in complying with the PDPA. 

Moreover, when an organisation handles a high volume of personal data, it is incumbent upon them to implement policies and practices to meet such security needs to discharge its obligation under the Protection Obligation.

How a DPO can help

Your appointed DPO can work with you on your PDPA compliance, ensuring that there will be policies in place to make sure that the handling of personal data is PDPA compliant. This includes making sure that your Organisation is maintaining a proper personal data asset inventory and that it is promptly coordinating with the PDPC in case of breach. 

A Data Protection Officer (DPO) oversees data protection responsibilities and ensures that organizations comply with the Personal Data Protection Act (PDPA). Furthermore, every Organization’s DPO should be able to curb any instances of PDPA noncompliance as it is the officer responsible for maintaining the positive posture of an organization’s cybersecurity.

DPOs complement organizations’ efforts to ensure that the organisation’s methods of collecting personal data comply with the PDPA. It also ensures that policies are set in place to make sure that there will be no instances of data breaches in the future.

Don’t wait any longer to ensure your organisation is PDPA compliant. Take our free 3-minute PDPA Compliance Self-audit checklist now, the same “secret weapon” used by our clients to keep them on track. Upon completion, we will send you the results so you can take the necessary action to protect your customers’ data. Complete the free assessment checklist today and take the first step towards protecting your customers’ personal data.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us