The Personal Data Protection Commission (the “Commission”) received a data breach notification on 8 October 2021 from The National University of Singapore Society (“NUSS”). NUSS stated that its website had been subjected to a SQL injection attack sometime between 6 and 7 October 2021. The personal data of 3,725 individuals was affected. The affected datasets comprised the affected individuals’ name, address, email, NRIC number, contact number, gender, date of birth, membership number, marital status, education details and motor vehicle registration number.
It was established that NUSS had (a) inadequate knowledge of the web server hosting its website, (b) inadequate security reviews to identify vulnerabilities within its website, (c) no clauses in its contracts with its vendors to ensure compliance with the PDPA, and (d) an overreliance on its IT vendor to maintain the security of the web server hosting its website.
After the incident, as part of a remediation plan, NUSS had:
(a) Ensured that no personal data was stored at its web server;
(b) Fixed all vulnerabilities identified in its forensics report;
(c) Conducted a penetration test;
(d) Established checklists, procedures and templates for third-party vendors;
(e) Migrated its website to a virtual private server; and
(f) Revamped its website.
Having considered the circumstances of the case, including the remedial steps taken by NUSS to improve its personal data protection practices, the Commission accepted an undertaking from NUSS to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 14 December 2021 (the “Undertaking”).
NUSS has since updated the Commission that it has implemented its remediation plan fully. The Commission has reviewed the matter and determined that NUSS has complied with the terms of the Undertaking.