Personal Data Protection Updates (February 2025)
The Personal Data Protection Commission (“PDPC”) may accept an undertaking from an Organisation that has potentially breached the Personal Data Protection Act (“PDPA”). This allows the Organisation to implement a remediation plan to address the breach and rectify systemic issues to ensure ongoing compliance with the PDPA. The PDPC assesses the effectiveness of the proposed remediation plan and the Organisation’s commitment to implementing it before accepting the undertaking.
On 27 February 2025, the PDPC released 3 undertakings relating to the PDPA. At TRS, we have summarised the cases for your convenience.
Jet Aviation (Asia Pacific) Pte Ltd (Undertaking)
Jet Aviation (Asia Pacific) Pte Ltd (“Jet Aviation”) notified the PDPC on 26 July 2024 of a data breach incident involving unauthorised access to 5 email accounts. The breach occurred due to a spear phishing attack, in which the threat actor (“TA”) used Adobe Acrobat Sign to send the targeted employees documents containing a phishing link. Because the phishing link was embedded in an e-signature document, it bypassed Jet Aviation’s email security scans. Furthermore, the targeted employees believed the emails to be legitimate, as they bore a genuine Adobe sender email address. The phishing site, operating as a reverse proxy between the victims and the real login page, intercepted login credentials, passwords, and multi-factor authentication (“MFA”) tokens. With the stolen credentials and primary refresh tokens, the attacker gained persistent access to the email accounts without needing to repeat the MFA challenge.
The 5 compromised email accounts contained the personal data of approximately 37,623 individuals, mostly Jet Aviation’s customers. The types of personal data included name, address, email address, telephone number, government issued identification number, passport number, photograph, date of birth, health information, gender, religion, employment, health insurance policy information, one birth certificate, country of issue of passport, and fingerprints recorded on identity cards.
Although the attacker appeared focused on identifying unpaid invoices, they accessed the compromised email accounts 18 times. One particular email account, which contained almost all of the affected personal data, was accessed 3 times.
The attacker also manually forwarded 5 emails containing unpaid invoices from the MRO personnel’s email accounts. Using this information, they sent fraudulent payment instructions to a customer, successfully diverting and receiving US$139,000.
Upon discovering the breach, Jet Aviation acted swiftly by:
· Enhancing phishing awareness training.
· Strengthening phishing email reporting and filtering.
· Updating alert mechanisms and access controls.
· Expanding endpoint detection and response measures.
The PDPC accepted a voluntary undertaking from Jet Aviation on 7 January 2025 to enhance compliance with the PDPA. Key measures include:
· Implementing sensitive data identification and labelling systems.
· Updating the data retention policy across its systems.
· Enhancing its Cyber Security Incident Response Program for better incident notification and reporting.
C. Melchers GmbH & Co. KG Singapore Branch (Undertaking)
C. Melchers GmbH & Co. KG Singapore Branch (“C. Melchers”) notified the PDPC on 31 July 2024 of a ransomware attack that resulted in data exfiltration. Investigations revealed that the threat actor (“TA”) gained access to C. Melchers’ system through a compromised domain administrator account, allowing unauthorised lateral movement within the network. As a result, the TA accessed and exfiltrated files containing personal data of 10,417 employees and customers. The affected personal data included names, addresses, telephone numbers, and email addresses, while a smaller subset of individuals also had their NRIC and/or passport numbers exposed.
After discovering the incident, C. Melchers took immediate remedial actions by blocking all internet connections on servers, enforcing password changes for all users, and strengthening password complexity requirements. Additionally, multi-factor authentication (“MFA”) was implemented across all accounts.
The PDPC accepted a voluntary undertaking from C. Melchers on 20 December 2024 to enhance compliance with the PDPA. Key measures include:
· Reviewing its incident response plan.
· Updating security policies, including data retention and password management.
· Training employees on cybersecurity best practices and PDPA obligations.
· Enforcing MFA across all accounts.
· Conducting periodic vulnerability assessments and penetration testing.
· Reviewing and updating disaster recovery plans.
· Conducting breach response drills and simulations to enhance preparedness.
Bukit Sembawang Estates Limited & Ors (Undertaking)
Singapore United Estates (Private) Limited (“Singapore United Estates”) notified the PDPC on 12 August 2024 of a ransomware attack. The attack, involving the “Fog” variant, resulted in data encryption and deletion, affecting Bukit Sembawang Estates Limited, Sembawang Estates (Private) Limited, Bukit Sembawang View Pte. Ltd., Paterson Collection Pte. Ltd., BSEL Development Pte. Ltd., and Bukit Sembawang Land Pte. Ltd. Investigations revealed that the threat actor (“TA”) gained access through a compromised user account and an administrative account, allowing lateral movement within the network and port scanning. The TA encrypted files containing the personal data of 1,327 individuals, including name, NRIC number, contact information, passport number, date of birth, and bank account number.
After discovering the incident, immediate remedial actions were taken, including isolating affected systems, enforcing password changes, implementing multi-factor authentication (“MFA”) for all users, and encrypting all sensitive data and login credentials.
The PDPC accepted a voluntary undertaking from the above-mentioned organisations, which was executed on 23 January 2025, to enhance compliance with the PDPA. Key measures include:
· Adopting stronger password controls.
· Enforcing MFA for all VPN accounts.
· Setting encryption on backup copies.
· Issuing cybersecurity circulars and conducting IT security training.
· Conducting phishing simulation exercises.
· Reviewing user account access to ensure role-based access.
· Performing periodic vulnerability assessments and penetration testing.
· Implementing a data loss prevention solution to monitor unusual data movements.
· Engaging a third party to conduct a cybersecurity audit.
· Conducting annual tabletop exercises to test cyber and data breach response plans.
In conclusion, an undertaking offers organisations the opportunity to proactively address data protection breaches and enhance compliance with the PDPA. However, if these commitments are not fulfilled, the PDPC may issue additional directives to enforce compliance. By implementing effective remediation measures and demonstrating a genuine commitment to protecting personal data, organisations can strengthen their data protection frameworks and maintain public trust.
You may also contact us at [email protected] for a non-obligatory discussion on how we can assist you to strengthen your Organisation’s data protection processes and controls.