New Singapore Personal Data Protection Regulator’s Decisions and Undertakings on 11 May 2023

The Singapore Personal Data Protection Commission (“PDPC”) published its latest enforcement decisions and voluntary undertakings on 11 May 2023.

In total, there were 3 enforcement decisions (Kingsforce Management Services case, Fortytwo case and The Law Society of Singapore case) and 1 voluntary undertaking (SpeeDoc case) published. 

In this client update, we summarise the decisions and undertakings and present our key takeaways.¹

Key takeaways: 

There are several key takeaways from these recent decisions and undertaking:

1. In the Kingsforce Management Services case, the organisation was found in breach of section 24 (“Protection Obligation”) of the Personal Data Protection Act (“PDPA”) as more than 50,000 jobseeker datasets were leaked due to outdated website coding technology that contained critical vulnerabilities. Two protection obligations were breached by the organisation. First, it failed to provide clarity and specifications to its vendors on how to protect its database and personal data. Second, it failed to conduct reasonable periodic security reviews, including vulnerability scans since the launch of its website. The Kingsforce Management Services case is significant as no financial penalty was awarded by the PDPC despite a substantial leak of jobseeker datasets. Instead, a number of directives focused on rectification and prevention of future breaches were issued to the organisation. The case highlights the importance of key mitigating factors considered by the PDPC, such as the organisation’s efforts towards website security, cooperation during investigation, voluntary admission of breach of the Protection Obligation and prompt remediation by the organisation. 
2. In the Fortytwo case, malicious code injections on its website led to the capture of credit card details belonging to close to 100 individuals, and the email addresses and passwords belonging to more than 6,000 individuals. The organisation was found in breach of the Protection Obligation and was fined S$8,000 along with other rectification directives from the PDPC. The Fortytwo case highlights the importance of applying software patches promptly to fix security vulnerabilities. The organisation had considered and evaluated four patches but decided to hold back on installing them, thereby increasing the risks of malicious code injections. The PDPC also provided much needed clarity on whether fictitious names or pseudonymous personal particulars form part of the personal data under the possession or control of an organisation.  The PDPA defines “personal data” to be data, whether true or not. Therefore, an organisation’s obligations under the PDPA to protect and ensure that such data are used in accordance with the purpose of collection applies to the entire customer database regardless of the accuracy (or inaccuracy) of the personal data in its possession or control.
3. In the Law Society of Singapore (“LawSoc”) case, a threat actor gained access to the IT administrator’s account and executed a ransomware attack on the servers. This led to more than 16,000 members’ personal data being affected in the incident. LawSoc was found to have negligently breached the Protection Obligation by (i) using an easily guessable password for the compromised admin account, (ii) failing to change the password for the compromised admin account at reasonable intervals, and (iii) failing to conduct any periodic security reviews in the three years leading up to the Incident. In arriving at its decision, the PDPC referred to its published Guide to Data Protection Practices for ICT systems and emphasised that the adoption of 2FA or MFA should become the norm for accounts with administrative privileges, for systems managing sensitive data or large volumes of personal data.
4. In the SpeeDoc case, the organisation’s AWS3 bucket was incorrectly configured which enabled public access to the personal data of more than 12,000 individuals. To prevent a recurrence of a similar incident, SpeeDoc took immediate remedial action to address the cause of the personal data breach. The SpeeDoc case is significant as the remedial actions were extensive and took almost 3 years to complete. The PDPC was first notified of the incident about 3 years ago (27 October 2020) and the target completion date of various remedial actions were of a broad range. These remedial actions consisted of various security trainings for internal staff, formation of a security team, development of various internal policies and procedures, third-party audit and ISO 27001 Certification. It highlights that the PDPC is prepared to implement long term remedial actions for an undertaking, given a sufficiently complex case with substantial leak of personal data.

To discuss what this latest development in data protection enforcement decisions and undertakings may mean to you, please reach out to the author below.

¹ The author would like to thank legal intern Shawn Yep for his assistance with this article.