fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

A Review of PDPC Undertakings July 2021 Cases

PDPC Undertakings July 2021, two cases to emphasize the importance of employee training in PDPA

A Review on PDPC Undertakings July 2021 Cases

In 2014, the Singapore government has enacted the Personal Data Protection Act of 2012 (PDPA). This law governs the collection, use, and disclosure of personal data by all private organizations. The new 2020 amendment of the PDPA has introduced some new guidelines to further improve the enforcement of said law. Thus, businesses must always be kept abreast of developments, regulations, and novel rulings of the PDPC (Committee).

In this article, we will review two of the most recent decisions of the PDPC, particularly the remediation plan proposed by the subject organizations, and how you can take them into consideration for your own business, especially with your employees.

Let’s take a look at these two cases from PDPC Undertakings July 2021:

July 12: Assisi Hospice, erroneous disclosure via email

A simple mistake, an in-house employee error

Let’s begin with the facts of this case. In September 22, 2020, the PDPC received a data breach notification from Assisi, Hospice concerning an erroneous disclosure of its patients’ data via 43 separate emails. These emails were sent to a single unintended external party from the month of January to September. The private data were contained in an Excel spreadsheet list which is updated periodically, to serve as reference for after hours on-call employees.

The erroneous sending of emails was attributed to an Assisi employee’s negligence. Notably, the recipient’s email address was not even an official work email account. It is therefore established that said employee did not follow Assisi’s personal data protection policy to password-protect the Patient List.

Remedial Actions and Undertaking

The PDPC has accepted the undertaking executed by Assisi to improve its compliance with the PDPA by implementing, among others, the following remedial steps;

  • reminded all employees to password-protect email attachments containing personal data and to send the password in a separate channel or email thereafter.
  • reminded all employees to not send any email containing sensitive and/or confidential data to non-work email accounts; and 
  • reviewed every department’s work processes in relation to the management of personal data. Its data protection officer would also commence sending emails on a quarterly basis to remind its employees of the existing personal data protection policies.  

The undertaking likewise provided that Assisi is to set alerts in its email system to alert the sender whenever there is sensitive information in the email body or an attachment thereto that is not password protected.

This is where hiring an outsourced DPO can help. Aside from the fact that it is mandatory under the PDPA, an outsourced Data Protection Officer (DPO) oversees data protection responsibilities and ensures that organizations comply with the Personal Data Protection Act (PDPA). Furthermore, every Organization’s DPO should be able to curb any instances of PDPA noncompliance as it is the officer responsible for maintaining the positive posture of an organization’s cybersecurity.

Also Read: The Top 4W’s of Ethical Hacking

The second case on PDPC Undertakings July 2021, features a compromised website due to employee’s lack of sufficient technical knowledge,

A superior cybersecurity and robust data protection policy is only as good as how your employees implement them.

July 12: Thye Hua Kwan Moral Charities Limited, hacked website

Poor cybersecurity hygiene leads to malicious website access

In April 11, 2020, Thye Hua Moral Charities Limited (THKMC) notified PDPC of a data breach following their website hacking incident. Investigations showed that cybercriminals had gained access to the web content management system of THKMC by altering a web configuration file left in an unprotected public directory.

The cause was primarily attributed to the employee tasked with the administration of the website. He lacked the sufficient technical knowledge and awareness of basic website security features and cyber security hygiene. As a result, the personal data of about 550 THKMC volunteers was placed at risk, although no evidence of data loss has been particularly reported.

Remedial actions and undertaking

In their proposed remediation plan, THKMC has avowed to incorporate the following steps, among others:

  • implemented mandatory annual cyber security training and online quiz for all THKMC staff. Staff from the IT department are also required to attend relevant training courses to upgrade their knowledge and competency in cyber security;
  • implemented periodic unannounced phishing exercises to test the alertness of staff to cyber threats

The PDPC has accepted THKMC’s remedial plans and undertaking to improve its personal data protection practices and compliance with the PDPA.

Conclusion

A thing to note on the above-cited PDPC cases is how these incidents are directly traced to human error. A superior cybersecurity and robust data protection policy is only as good as how your employees implement them. The most sophisticated software or programs can be rendered ineffective once an employee in charged of them lacks the sufficient technical knowledge and training.

Thus, it is extremely important to keep abreast on recent decisions of the PDPC, such as these PDPC Undertakings: July 2021. By allowing open-source remedial plans from organization who has contravened the PDPA of Singapore, the Committee is also providing valuable information for the perusal of other businesses. This gives them an idea on which points to improve in order to ensure strict adherence to a better cybersecurity protocol.

Also Read: Protecting Data Online in the New Normal

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us