Background 

The Personal Data Protection Commission (the “Commission”) received two data breach notifications on 13 November 2020 and 26 January 2021 from Inmagine Lab Pte Ltd (“Organisation”) regarding unauthorised access to two of its websites that took place on or about 22 March 2020 and 7 October 2020 respectively. The personal data from the websites had been exfiltrated. The datasets affected included the names, addresses, email addresses and phone numbers.

It was established that the Organisation (a) lacked sufficiently robust security assessment policy, log retention policy and asset management processes, (b) had no intrusion detection or prevention systems in place and (c) operated on an outdated operating system.

Remedial Actions

After the incident, as part of a remediation plan, the Organisation implemented the following:

(a) Developed a vulnerability assessment policy;
(b) Developed an incident response plan;
(c) Reviewed its log retention policy;
(d) Created an asset list for the tracking of an inventory of its systems;
(e) Implemented intrusion, detection and prevention systems;
(f) Reviewed, compiled and updated all its systems to the latest operating system; and
(g) Adopted additional security such as two-factor authentication (“2FA”).

Undertaking 

Having considered the circumstances of the case, including the remedial steps taken by the Organisation, the Commission accepted an undertaking on 23 March 2022 (the “Undertaking”) from the Organisation to improve its compliance with the Personal Data Protection Act 2012.

The Undertaking provided that the Organisation was to complete the implementation of its remediation plan. This included the development of various policies and implementation of the intrusion, detection and prevention systems.

The Organisation has since updated the Commission that it has fully implemented its remediation plan. The Commission has reviewed the matter and determined that the Organisation has complied with the terms of the Undertaking.