The Personal Data Protection Commission (the “Commission”) received a data breach notification on 29 October 2020 from Platinum Yoga Pte. Ltd. (“Platinum Yoga”), informing it of a suspected act of mischief by a terminated employee of Platinum Yoga, who gained unauthorised access to its Customer Relationship Management (“CRM”) system and Facebook account. The CRM system held the email addresses and photographs of Platinum Yoga’s members. Consequently, photographs of 25 individuals were disclosed in an unauthorised Facebook post, and the email addresses of 58 individuals were disclosed in an email impersonating Platinum Yoga.
It was established that Platinum Yoga had 1) not restricted access to its accounts, which included the CRM system and its Facebook account; 2) no dedicated personnel to ensure and enforce periodic password changes to the CRM system and Facebook account among its employees, or changes whenever otherwise necessary; and 3) not developed an internal data protection policy.
After the incident, as part of a remediation plan, Platinum Yoga:
(a) Implemented access restrictions to the CRM system and other accounts, including access to the CRM system on a need-to-know basis, and two-factor authentication on accounts where possible;
(b) Ensured that personal data can only be viewed or accessed from its own premises;
(c) Appointed a dedicated team to monitor and ensure periodic password changes to the CRM system and other accounts among its employees, and changes whenever otherwise necessary;
(d) Implemented periodic reminders to members on changing of passwords;
(e) Implemented quarterly review of its internal data protection policy.
Having considered the circumstances of the case, including the remediation actions taken by Platinum Yoga to improve its personal data protection practices, the Commission accepted an undertaking from Platinum Yoga to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 20 January 2021 (the “Undertaking”).
The Undertaking provided that Platinum Yoga was to complete the implementation of its remediation plan by developing an internal data protection policy.
Platinum Yoga has since updated the Commission that implementation of its remediation plan has been completed. The Commission has reviewed the matter and determined that Platinum Yoga has complied with the terms of the Undertaking.