fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

September 2021 PDPC Incidents and Undertaking: Lessons from the Cases

september 2021 pdpc incidents and undertaking
We take a look at the cases published by the PDPC in September 2021, where we glean vital cybersecurity and data protection lessons from the various cases

September 2021 PDPC Incidents and Undertaking

For the month of September, the latest decisions and undertaking of the Personal Data Protection Commission (PDPC) have been published on PDPC’s official website. There are several cases highlighted this month, with decisions ranging from directions to hefty financial penalties.

It should be noted that the Personal Data Protection Act (PDPA) aims to balance the organizations’ needs to use data for legitimate purposes with the protection of individuals’ personal information as it is tasked with the administration and enforcement.

In doing so, the decisions conducted by PDPC are published on their website that is open to all who want to read the latest data security standards set by the PDPC. With this, for better observance of organizations with such standards, it is their bounden duty to be kept updated with the latest PDPC incident and undertaking. 

Let’s have a look at the September 2021 cases with the latest cybersecurity updates.

Also Read: The 5 Important Things to Know in Security Pen Testing

September 21: Financial penalty for companies failing to put in place reasonable security arrangements to protect personal data

Under the published decisions, our first case involves Seriously Keto Pte. Ltd. On June 16, 2020, the subject organisation notified the Personal Data Protection Commission of a ransomware infection that occurred on or about June 15, 2020. Approximately 3,073 individuals’ names, addresses, email addresses and telephone numbers were affected with this incident. With this, the Deputy Commissioner for Personal Data Protection fined Seriously Keto Pte. Ltd $8,000 for its negligence.

It’s clear from the incident above that vulnerability in a company’s digital infrastructure may lead to potential ransomware infection and other serious damage. Thus, organisations must make it a priority to conduct regular network assessment and penetration testing.

Sendtech Pte. Ltd. suffered the same decision as it was fined $9,000 due to failure to place reasonable security arrangements that resulted to breach of information of 64,196 customers and 3,401 contractors and the contactors’ employees because of an unauthorized access to the Organization’s Amazon Web Services (AWS) account via an access key.

Similar to Seriously Keto’s case, this incident could have been prevented if regular network assessment and audit trail (among others) were conducted.

Our third incident is a case of personnel carelessness due to inadequate PDPA training. SAP Asia Pte. Ltd. was also fined heavily due to disclosing payroll information of former employees to the wrong email recipients. With this, the company was made to pay a whopping $13,500 fine. 

The last organisation penalized financially this month is Larsen & Toubro Infotech Limited (Singapore Branch), whereby they were fined $7,000. This was due to an LTI employee’s negligence in sending an email reminder to 54 job applicants with their name and other confidential information, and placed in the “To” field and thus visible to all recipients.

Directions and a warning

Completing this month’s published decisions are the following: Specialized Asia Pacific, who received a warning from the Commission after their quick remediation steps prevented a potential data breach, and both NUInternational Singapore and Newcastle Research and Innovation Institute, who received directions after they were found guilty of violating the Transfer Limitation Obligation.

With these cases, we can infer from that the Personal Data Protection Commission does not take lightly breaches of personal and sensitive information, whether it be accidental e-mail sent to a wrong recipient or a ransomware attack.

It should be noted by companies and organizations that the personal and sensitive information of employees should be their first priority because if not, the Personal Data Protection Commission (PDPC) will always be there to impose sanctions to them.

September 2021 PDPC Incident and Undertaking

September 21: MindChamps PreSchool Limited; data breach remedial actions 

On February 27, 2020, the Personal Data Protection Commission received information that the users of MindChamps Preschool Limited’s personal information in its mobile application was publicly accessible via an internet link. Approximately 6,521 individuals’ personal data were affected namely, email addresses, login passwords and mobile numbers. Furthermore, 607 minors’ birth certificate were at risk of being disclosed by anyone.

Such undertaking provides that MindChamps was to:

(a) engage an external IT consultant to determine the cause of the incident; 
(b) perform a password reset for all the user accounts of its mobile application; and 
(c) migrate all users to a newly designed mobile application. 

Having considered the circumstances of MindChamps Preschool Limited’s case, including the remedies it is willing to undertake to improve its data protection practices, the Personal Data Protection Commission accepted an undertaking to improve MindChamps’ compliance with the Personal Data Protection Act 2012.

The undertaking that was executed on the 7th of January 2021 provided that MindChamps was to complete the implementation of its remediation plan by carrying out data protection and security reviews on all of its current frontend and backend IT systems. Furthermore, trainings for its employees will be conducted by MindChamps alongside ensuring their compliance with its policies on vendor security management and to perform data protection impact assessments for any new IT projects.

Also Read: A Review of PDPC Undertakings July 2021 Cases

Cyber hygiene awareness at the forefront

Many of the published incidents this month can be traced back to two lapses: lack of PDPA training among personnel and failure to conduct regular vulnerability assessment and penetration testing. With cyber incidents at an unprecedented high due to digital acceleration and the modern business landscape, organisations must prioritise cyber hygiene awareness.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us