New Singapore Personal Data Protection Regulator’s Decisions and Undertakings on 10 November 2023
14 November 2023 14 November 2023
Data Protection & Privacy
The Singapore Personal Data Protection Commission (“PDPC”) published its latest enforcement decisions and voluntary undertakings on 10 November 2023.
In total, there were 2 enforcement decisions (Tokyo Century Leasing case and Ascentis case) and 1 voluntary undertaking (Starbucks Coffee Singapore case) published.
In this client update, we summarise the decisions and undertakings and present our key takeaways.
- Multi-factor authentication (“MFA”) should be implemented as a baseline requirement for administrative accounts with access to confidential or sensitive personal data or large volumes of personal data. In the Tokyo Century Leasing case, the failure by the organisation to implement MFA for its administrator accounts despite these accounts having access to confidential and sensitive personal data was held by the PDPC as one of the reasons for the organisation being in breach of the Protection Obligation. In the Ascentis case, the PDPC made a similar observation in respect of MFA, and that the PDPC will not hesitate to find organisations in future enforcement cases in breach of the Protection Obligation for failing to implement the same, particularly in cases involving unauthorised use of administrative accounts with access to sensitive or large volumes of personal data.
- Having broad data protection obligations imposed in one’s contracts with vendors may sometimes not always be sufficient; it may be necessary to spell out specific requirements that your vendors should comply with. In the Ascentis case, the PDPC held that:
- While the master services agreement between Ascentis and its overseas vendor (“Kyanon”) did impose broad data protection obligations on Kyanon, it did not mandate any specific measures in relation to account management, beyond stating that “secure authentication and authorisation processes” were to be implemented; and
- In addition, Kyanon had provided Ascentis with a signed Letter of Undertaking in which Kyanon undertook to comply with “the standards in relation to personal data protection, including those required under the Personal Data Protection Act (No. 26 of 2012) of Singapore (the “PDPA Policy”)”, Ascentis’ Security and Services Guide, and Ascentis’ Personal Data Handling and Measures. However, these documents did not specify any specific requirements for the disabling of ex-employee accounts.
As a result (amongst other reasons), the PDPC found Ascentis to be in breach of the Protection Obligation for failing to disable the admin account in question.
- The PDPC has regularly emphasised that organisations should, as a basic practice, develop an ICT policy that covers the critical aspects in IT security such as account and access control, password, email, IT risk management, asset and configuration, backup and recovery, hardening and patching. While the PDPC does not prescribe the specific terms of such ICT policies and/or processes, there should be processes by which organisations and their IT vendors are automatically notified of available software patches or reminded on a periodic basis to conduct checks for software patches. In the Tokyo Century Leasing case, the PDPC took note of the organisation’s failure to implement such processes. Further, the PDPC held that the contract between Tokyo Century Leasing and its IT vendor could have specifically included an obligation for the IT vendor to conduct regular monitoring for patches, without the need for Tokyo Century Leasing to request patching on an ad-hoc basis. However, Tokyo Century Leasing failed to implement any such processes to manage software patches and upgrades. In addition, the internal data protection policy and compliance handbook provided by Tokyo Century Leasing to the PDPC did not set out any processes to manage software patches and upgrades.
|Name of Decision / Undertaking||Summary of Incident||Type of Potential Breach of the PDPA||Complaint / Self-reported||Number of affected individuals; Types of personal data affected||Outcome|
|Tokyo Century Leasing (Singapore) Pte. Ltd.||
Personal Data breach
Tokyo Century Leasing was the subject of a ransomware attack resulting in the encryption of 141,412 individuals’ personal data. The most likely cause of the incident was that malicious actor(s) exploited a known vulnerability, thereby giving the malicious actor(s) access to Tokyo Century Leasing’s VPN and allowing them to execute malicious encryption programme on Tokyo Century Leasing’s servers through remote desktop connection.
The PDPC held that Tokyo Century Leasing failed to:
• Conduct regular monitoring for software patches;
• Implement processes to manage software patches and upgrades; and
• Implement MFA for its administrator accounts.
Personal data affected comprised:
• 111,156 customers whose personal data consisted of name, NRIC number, date of birth, address, contact number, income statement, email address, employer information, bank account, and additionally for foreign customers, their passport numbers and employment pass numbers.
• 30,220 guarantors whose personal data consisted of name, NRIC number, date of birth, address, contact number, income statement, email address, employer information, and bank account.
• 36 employees whose personal data consisted of name, NRIC number, date of birth, address, contact number, email address, bank account, resume information, and medical check-up information.
|Fine of SGD82,000|
|Ascentis Pte. Ltd.||
Personal Data breach
The PDPC was notified by the Singapore Computer Emergency Response Team that personal of 332,774 individuals had been exfiltrated from an eCommerce platform (the “Platform”) owned by Starbucks Coffee Singapore Pte Ltd and offered for sale online. The developer of the Platform was Ascentis.
The PDPC held that Ascentis failed to comply with its Protection Obligation under the PDPA due to its internal lapses. Ascentis had engaged an overseas vendor, Kyanon Digital Co. Ltd (“Kyanon”) which was based in Vietnam, to complement and be part of the development team to assist in its project implementation for Starbucks Coffee Singapore. However, Ascentis failed to implement reasonable administrative and technical measures to ensure that Kyanon was in compliance with its IT policies and standards.
Personal data affected:
|Fine of SGD10,000|
|Starbucks Coffee Singapore Pte Ltd.||
Personal Data Breach
See above; this undertaking relates to the same incident involving Ascentis.
The PDPC held that Ascentis failed to comply with the protection obligation due to its internal lapses. Ascentis had engaged an overseas vendor Kyanon to complement and be part of the development team to assist in its project implementation for Starbucks Coffee Singapore. However, Ascentis failed to implement reasonable administrative and technical measures to ensure that Kyanon was in compliance with its IT policies and standards.
The PDPC accepted the undertaking by Starbucks Coffee Singapore as it was satisfied that notwithstanding that the cause of the data breach occurred due to the internal lapses by Ascentis, Starbucks Coffee Singapore could further improve on the contractual stipulation and handling of its data intermediaries.
|Complaint||See above; this undertaking relates to the same incident involving Ascentis.||Voluntary Undertaking; no admission of breach of the PDPA|
To discuss what this latest development in data protection enforcement decisions and undertakings may mean to you, please reach out to the author below: