Popular search terms
Click each term for related articles
Asia Pacific
Data Protection & Privacy
The Singapore Personal Data Protection Commission (“PDPC”) published its latest enforcement decisions and voluntary undertakings yesterday (17 April 2023).
In total, there were 2 enforcement decisions (Tai Shin Fatt case and OrangeTee case) and 1 voluntary undertaking (Tat Hong Heavyequipment case) published.
In this client update, we summarise the decisions and undertakings and present our key takeaways.
Key takeaways:
There are several key takeaways from these recent decisions and undertaking:
Name of Decision / Undertaking |
Summary of Incident |
Type of Potential Breach of the PDPA
|
Complaint / Self-reported |
Number of affected individuals; Types of personal data affected |
Outcome |
||||||||||
Tai Shin Fatt (the “Individual”)
|
Breach of the PDPA’s prohibition on use of dictionary attacks (“Section 48B Prohibition”) A warning was issued to the Individual for using dictionary attack methods to generate telephone numbers which were then used for telemarketing purposes, resulting in the breach of section 48B of the PDPA.
|
Breach of obligation under Section 48B Prohibition
|
Complaint by a third party |
|
|
||||||||||
OrangeTee & Tie Pte Ltd |
Personal Data breach OrangeTee was the subject of an unauthorised access to its IT network. An organisation identified as “ALTDOS” claimed to have carried out the unauthorised access.
|
Protection Obligation
The PDPC held that OrangeTee had not put in place reasonable security arrangements to protect users’ personal data in its possession or under its control. This was because (i) there was a lack of sufficiently robust processes in the form of a security assessment of the risk from using and storing ‘live’ personal data in a testing environment; and (ii) OrangeTee had not conducted reasonable periodic security reviews for its servers.
|
Self-reported |
256,583 individuals
Personal data affected included:
|
|
||||||||||
Tat Hong Heavyequipment (Pte.) Ltd. |
Personal Data Breach
Tat Hong Heavyequipment suffered a ransomware attack that affected 43 virtual machines, 4 physical servers, 3 employees’ PC and the network attached storage.
The threat actor had likely gained access to the organisation’s network by exploiting an open Microsoft Remote Open Desktop protocol to a User Acceptance Test (UAT) Server.
|
Protection Obligation
|
Self-reported |
3,377 individuals
Personal data affected:
|
|
To discuss what this latest development in data protection enforcement decisions and undertakings may mean to you, please reach out to the author below:
End