< Back to all publications

Recent Decisions of the Singapore Personal Data Protection Commission

The Personal Data Protection Commission (“PDPC”) recently meted out financial penalties to two errant entities which were found to be in breach of Section 24 of the Personal Data Protection Act 2012 (“PDPA”).

Royal Caribbean Cruises (Asia) Pte. Ltd.

Royal Caribbean Cruises (Asia) Pte. Ltd. (the “Organisation”) voluntarily informed the PDPC that the systems of one of its Information Technology (“IT”) vendors had been subject to a cyber-attack wherein the personal data of about 6,000 of the Organisation’s customers as well as 25 of its employees were deleted from the database and replaced with a ransom message demanding payment in exchange for the deleted data.

On discovering the incident, the Organisation took various remedial actions, which included, but were not limited to, engaging a cyber consultant to conduct technical forensic investigations and identifying vulnerabilities in the hacked system and taking the hacked system offline permanently.

The Commissioner of the PDPC found that, among other things, it was the Organisation and not the IT vendor that was responsible in ensuring the database system had up-to-date security maintenance and patching. Further, he found that insufficient security arrangements made by the Organisation, in the form of oversight in the conducting of regular patching, significantly exposed the Organisation to external threats.

However, taking into consideration the immediate remedial actions the Organisation undertook, the Commissioner of the PDPC directed the Organisation to pay a financial penalty of S$16,000 for this lapse.

SPH Magazines Pte. Ltd.

SPH Magazines Pte. Ltd. ( “SPH”) had voluntarily informed the PDPC that the account of a senior moderator of its HardwareZone forum site had been accessed by a hacker who used the said moderator’s credentials to retrieve personal data of members of the forum. It was found that an earlier credential leak in 2015 had published the email address and password of the said moderator.

The said moderator’s role was to review and moderate posts by its 600,000 members in the discussion threads in the forum, to ensure that postings complied with the applicable laws as well as the forum’s terms of service.

The hacker had attempted to access the user profiles of the members, however, this could only be done by way of a two-factor authentication (2FA) process. Once SPH became aware of the situation, the remedial actions undertaken included, but were not limited to, temporarily suspending the access rights of the said moderator’s account implementing 2FA therefor, and purging entries in the field for full names from the database.

The Commissioner found that SPH did not perform any security testing of the forum and hence there was no overall picture of its security needs in relation to the website. Moreover, SPH had not changed the password for the said moderator’s account in 10 years and that they were unable to detect the unauthorised access of personal data for almost 2 years. SPH’s failure to implement and enforce reasonable password security arrangements amounted to a breach of section 24 of the PDPA.

To that end, the Commissioner of the PDPC directed SPH to pay a financial penalty of S$26,000 for this lapse.

Both cases exemplify the importance of correctly administering feasible security measures for customer data storing systems as well as carrying out relevant testing and maintenance of the security system.

By: Denise Mirandah

A version of this article first appeared on the GALA Blog. For more information, please visit http://blog.galalaw.com/.