The Personal Data Protection Commission (the “Commission”) received a data breach notification on 23 February 2021 from Equity Solution Pte Ltd (“ESPL”), informing it that ESPL had been subject to a phishing attack after a staff member opened an email containing an Excel file with macro-enabled malware. The personal data of approximately 1,359 individuals was affected. The affected datasets comprised the affected individuals’ names, addresses, dates of birth, NRIC numbers, passport numbers and financial information.
It was established that (a) ESPL had insufficient training for its staff on basic cybersecurity and data protection measures, and (b) there was no IT security policy for, and no security risk management of, its information and communications technology (“ICT”) operations.
After the incident, as part of a remediation plan, ESPL promptly implemented the following measures:
(a) Secured files and documents using password protection;
(b) Hardened its operating system;
(c) Implemented a strong password protection policy;
(d) Reviewed and updated its email usage policy;
(e) Implemented training and awareness programmes for its employees; and
(f) Reviewed and updated its personal data protection policy.

Undertaking
The Undertaking provided that ESPL was to complete implementation of its remediation plan by subscribing to an email service provider with greater privacy and security features, and enhancing its data security processes.
ESPL has since updated the Commission that implementation of its remediation plan has been completed. The Commission has reviewed the matter and determined that ESPL has complied with the terms of the Undertaking.