Undertaking by SpeeDoc Pte Ltd

Background 

The Personal Data Protection Commission (the “Commission”) was informed on 27 October 2020 that SpeeDoc Pte. Ltd's (“Organisation”) AWS S3 bucket was incorrectly configured, which enabled public access to the personal data stored within.

The personal data of 12,652 individuals, including their names, phone numbers and email addresses, was potentially publicly accessible. Of the 12,652 individuals affected, the NRIC numbers of 22 individuals, laboratory test results of 34 individuals, profile pictures of 492 individuals, and photos of medication and symptoms (rashes and wounds) submitted by 157 individuals to the Organisation were also potentially publicly accessible.

Remedial Actions

To prevent recurrence of a similar incident, the Organisation took immediate remedial actions to address the cause of the personal data breach. These include:

(a) Conducting an IT security audit to identify and rectify security vulnerabilities in its network and systems;

(b) Attaining the ISO27001 Certification to ensure that its information systems are aligned with the industry's best practices and protected against malware and loss of data;

(c) Sending its key team members to undergo relevant security and data protection training on Amazon Web Services; and

(d) Sending its employees to attend cyber and data protection awareness training to ensure that they are equipped with the relevant knowledge to identify and mitigate security threats. 

Undertaking 

Having considered the circumstances of the case, including the remedial steps taken by the Organisation, the Commission accepted an undertaking from the Organisation to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 28 April 2022 (the “Undertaking”).

The Organisation has since informed the Commission that it has fully implemented its remediation plan. The Commission has reviewed the matter and determined that the Organisation has complied with the terms of the Undertaking.
