Personal Data Protection Commission (“PDPC”) accepts undertaking by Pu Tien Restaurant Pte Ltd
Background
The PDPC was notified by Pu Tien Restaurant Pte Ltd (the “Organisation”) on 6 December 2021 that it had been subject to a ransomware attack on 24 November 2021. A threat actor used stolen administrator account credentials to gain entry to the Organisation’s network, after which the Organisation’s servers containing personal data were accessed and encrypted by ransomware. As a result, the personal data of the Organisation’s 350 employees was encrypted. The personal data included full names, contact numbers, images of birth certificates and education certificates, and bank account numbers. There was no evidence of unauthorised transfer (exfiltration) of the said personal data.
The Organisation’s remedial actions
To prevent a recurrence of a similar incident, the Organisation took immediate remedial actions to address the cause of the personal data breach. The relevant remedial actions taken include:
- development of policies and procedures in relation to IT security, cyber hygiene, protection, prevention of leakage, and secure disposal of data and incident response;
- implementation of security measures such as anti-virus software, firewalls, multi-factor authentication, data encryption, access control, software updates and patching, and data back-ups;
- conduct of IT audit reviews on: (i) computer devices, hardware, and software assets to ensure software and operating systems were updated and patched; and (ii) user accounts to ensure all rights assigned were necessary; and
- conduct of cyber and data protection awareness training for key employees who handle personal data.
Undertaking
Where an organisation has breached the Personal Data Protection Act 2012 (the “PDPA”), the PDPC has a number of enforcement options under the PDPA, including, but not limited to, imposing directions and/or financial penalties on the relevant organisation.
In this case, the PDPC recognised that the Organisation had made efforts to address the concerns raised and to improve its personal data protection practices. Furthermore, the Organisation was cooperative in the course of the investigation and was responsive to PDPC’s requests for information. The PDPC also recognised that the Organisation was ready to implement or was in the midst of implementing remedial actions to prevent the recurrence of a similar event.
Having considered the factors set out above, the PDPC accepted the Organisation’s undertaking to improve its compliance with the PDPA. The undertaking was executed on 28 July 2022.
On 10 March 2023, the PDPC reviewed the matter and determined that the Organisation had complied with the terms of its undertaking.
IMPORTANT NOTICE: This memorandum is only intended as a guide and does not purport to be an exhaustive or conclusive discussion of the matters set out herein and should not be relied on as a substitute for definitive legal advice. Reference should always be made to the applicable statutes, the relevant subsidiary legislations and other applicable guidelines. This memorandum is not to be transmitted to any other person nor is it to be relied upon by any other person or for any other purpose or quoted or referred to in any public document or filed with any governmental or other authorities without our consent in writing. This memorandum is limited to the laws of Singapore. In issuing this memorandum, we do not assume any obligation to notify or inform you of any developments subsequent to its date that might render its contents untrue or inaccurate in whole or in part at such later time. If you would like to discuss the implications of these legal developments on your business or obtain advice, please do not hesitate to approach your usual contact at Insights Law LLC or you may direct the inquiry to our key contacts stated above.
IMPORTANT NOTICE: This memorandum is intended for reference only and is not to be regarded as an exhaustive or conclusive discussion of the matters set out herein, nor should it be relied upon as a substitute for definitive legal advice. Reference should be made to the applicable statutes, the relevant subsidiary legislation and other applicable guidelines. Without the written consent of this firm, this memorandum may not be transmitted to any other person, nor may any person rely on it for any purpose, quote or refer to it in any public document, or file it with any government or other authority. This memorandum is limited to the laws of Singapore. In issuing this memorandum, this firm assumes no obligation in respect of any subsequent developments that may render its contents, in whole or in part, untrue or inaccurate at a later date. If you would like to understand the implications of these legal developments for your business or to obtain advice, please feel free to contact your usual contact at Insights Law LLC (智诚法律(新加坡)) or direct your inquiry to the key contacts stated above.