Personal Data Protection Updates (January 2025)
The Personal Data Protection Commission (“PDPC”) may accept an undertaking from an Organisation that has potentially breached the Personal Data Protection Act (“PDPA”). This allows the Organisation to implement a remediation plan to address the breach and rectify systemic issues to ensure ongoing compliance with the PDPA. The PDPC assesses the effectiveness of the proposed remediation plan and the Organisation’s commitment to implementing it before accepting the undertaking.
On 23 January 2025, the PDPC released 3 undertakings relating to the PDPA. At TRS, we have summarised the cases for your convenience.
Malca-Amit Singapore Pte Ltd (Undertaking)
Malca-Amit Singapore Pte Ltd (“Malca-Amit”) notified the PDPC on 10 August 2024 of a personal data breach involving a cyberattack. The threat actor gained access via a domain user account and SonicWall VPN, targeting VMware hosts and encrypting files. The breach exposed the personal data of 5,834 individuals, including employees' and customers' names, addresses, emails, NRIC/passport details, photos, dates of birth, bank accounts, and salaries.
Malca-Amit responded promptly by disconnecting the network, removing threats, halting backups, and verifying system integrity.
The PDPC accepted a voluntary undertaking from Malca-Amit on 9 December 2024 to enhance compliance with the Personal Data Protection Act 2012. Key measures include:
· Strengthening the password policy
· Enforcing 2FA for security appliances and remote access
· Continuous virtualization backups
· Implementing SentinelOne XDR for threat detection and response
· Regular penetration testing
· Replacing outdated software
· Enhancing SIEM services for proactive threat detection and response
Citizen Watches (H.K.) Ltd (Undertaking)
The Singapore branch of Citizen Watches (H.K.) Ltd (“Citizen Watches”) notified the PDPC on 26 April 2024 of a data breach exposing the personal data of 8,126 individuals on the dark web. The breach occurred because the administrator account of the Members Website had no password set, and because the website had not been adequately vulnerability-tested before its launch in 2018. Exposed data included names, telephone numbers, email addresses, member account passwords, dates of birth, country/region, job industries, and income range.
Following the incident, Citizen Watches conducted forensic investigations, shut down the Members Website, and deleted the membership database.
On 5 November 2024, the PDPC accepted a voluntary undertaking for Citizen Watches to engage an external service provider to improve cybersecurity and data protection practices and policies. This includes creating asset inventories for hardware and software, implementing cybersecurity measures, and developing an incident response plan within 2 months, followed by a 6-month review. The PDPC will monitor compliance with the undertaking.
DiMuto Pte Ltd (Undertaking)
DiMuto Pte Ltd (“DiMuto”) notified the PDPC on 7 October 2024 of a personal data breach involving unauthorised access to its cloud-based platform, leading to the exfiltration of personal data for 516 individuals, including names, telephone numbers, work email addresses, and a single passport number, photograph and date of birth. The breach occurred due to a compromised administrator account.
DiMuto responded by eliminating single-factor authentication, enforcing password changes, enabling email-based 2FA and encrypting personal data.
On 26 December 2024, the PDPC accepted a voluntary undertaking for DiMuto to enhance compliance with the PDPA. Key measures include:
· Mandatory single sign-on with 2FA
· Employee security training
· Penetration testing and endpoint protection
· Server migration with MFA
· Encryption and data masking, endpoint protection
· Automated security scanning
· Implementing a data retention and deletion policy
· Obtaining certifications for key personnel
The PDPC will monitor compliance with the undertaking.
In conclusion, an undertaking gives Organisations an opportunity to proactively address data protection breaches and improve compliance with the PDPA. By implementing effective remediation measures and demonstrating a commitment to protecting personal data, Organisations can build stronger data protection frameworks and maintain public trust.
You may also contact us at [email protected] for a non-obligatory discussion on how we can assist you to strengthen your organisation’s data protection processes and controls.