Advisory on Common Data Protection Lapses and Recommended Measures

Common lapses

  • Lapses during data and system migrations: Implement relevant measures and test thoroughly before making changes
  • Lack of measures to detect and prevent data breaches: Implement monitoring and data loss prevention measures such as alerts to detect unusual data access and bulk downloads

Recent data breach cases in Singapore and around the world have shown common lapses in how organisations protect personal data. This advisory highlights these lapses and recommends measures for organisations to strengthen their data protection practices, drawing on PDPC's investigation findings and lessons learned from other jurisdictions.

Section 24 of the PDPA requires an organisation to make reasonable security arrangements to protect personal data[1] in its possession or under its control. Examples of personal data include, but are not limited to, an individual’s name, mobile number, residential address and NRIC number (in full and partial form[2]). This is to prevent (a) unauthorised access, collection, use, disclosure, copying, modification or disposal, or similar risks; and (b) the loss of any storage medium or device on which personal data is stored.

Lapses during data and system migrations

Data protection risks often arise when organisations migrate data or systems, such as moving to a new customer database or upgrading system infrastructure. These migrations involve multiple steps, including mapping data fields, extracting data from legacy systems, and configuring access controls. Each step in the migration carries a risk of error, which could create system vulnerabilities that may be exploited by attackers, expose personal data or cause information to be sent to the wrong recipients.

Illustration

As part of its plan to revamp its billing system, Company A decides to migrate its customer information database to a new platform. However, a mismatch between the data fields across the old and new systems results in customers' address information being migrated incorrectly, causing billing statements which contain personal data to be sent to the wrong customers. This example illustrates how data migration can be a complex undertaking that requires thorough planning and testing.

To prevent such lapses, organisations should take relevant measures. For example:

  • Implementing process checks to verify the accuracy of data mapping
  • Keeping the test environment offline and separate from the Internet in the development phase
  • Implementing adequate end-to-end controls in data transfers between the source and target systems, reviewing and testing against documented configurations, and conducting tests to ensure robustness of the system
  • Automating critical steps where possible to minimise human error while also ensuring adequate human verification
  • Conducting vulnerability assessment and penetration testing (VAPT) prior to system go-live after any changes, and checking to ensure that no credentials or personal data are left behind in the test environment

Lack of measures to detect and prevent data breaches

Data breaches can occur even when organisations have implemented standard security arrangements such as firewalls and access management. Attackers may bypass perimeter defences or exploit compromised user accounts to access databases containing personal data. Without database-level monitoring, organisations often remain unaware that large volumes of personal data are being accessed inappropriately or extracted from their systems.

Illustration

An attacker gains access to Organisation B's network through a phishing email and uses stolen user credentials to access its customer databases. Despite having network security measures in place, Organisation B has no alerts to detect when unusually large amounts of customer data are being downloaded, allowing the breach to continue undetected for months. This example illustrates the potential consequences when organisations lack the measures to detect and prevent data breaches.

To address this gap, organisations should implement database-level monitoring and data loss prevention measures, where feasible. Organisations can deploy systems that can detect unusual data access patterns, such as large downloads or access to sensitive data outside normal business hours. Additionally, organisations should have clear policies and protocols to respond to security alerts as part of their data breach management plans.
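The detection described above, unusually large downloads and access to sensitive data outside business hours, can be expressed as a small set of rules over database audit records. The following is an added example, not part of the advisory and not a vendor product. It runs over constructed audit log lines (timestamp, database user, table, rows returned) and raises three kinds of alert: a single query returning a bulk result from a sensitive table, any access to a sensitive table outside business hours, and a per-user daily volume exceeding a ceiling, which catches exfiltration split across many smaller queries. The thresholds, business hours and sensitive-table list are assumptions to be tuned to the organisation's own baseline.

```python
from collections import defaultdict
from datetime import datetime, time
from typing import Dict, List

# Constructed audit log: ISO timestamp, database user, table, rows returned.
AUDIT_LOG = """\
2024-03-04T09:15:02 app_svc customers 25
2024-03-04T09:16:40 app_svc customers 40
2024-03-04T10:02:11 j.tan customers 120
2024-03-04T23:47:55 j.tan customers 18000
2024-03-04T23:49:03 j.tan customers 22000
2024-03-05T02:10:30 j.tan customers 35000
2024-03-05T09:30:00 app_svc invoices 15
"""

# Assumed policy parameters; calibrate against normal usage before enabling alerts.
SENSITIVE_TABLES = {"customers"}
BUSINESS_HOURS = (time(8, 0), time(19, 0))   # inclusive start, exclusive end
BULK_ROW_THRESHOLD = 10_000                   # rows in one query
DAILY_ROW_THRESHOLD = 40_000                  # rows per user per calendar day


def parse_line(line: str) -> Dict:
    ts, user, table, rows = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "table": table, "rows": int(rows)}


def in_business_hours(ts: datetime) -> bool:
    start, end = BUSINESS_HOURS
    return start <= ts.time() < end


def detect(log_text: str) -> List[Dict]:
    """Return one alert dict per rule hit; an event may trigger several rules."""
    alerts = []
    daily_rows = defaultdict(int)  # (user, date) -> cumulative rows from sensitive tables

    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev["table"] not in SENSITIVE_TABLES:
            continue

        if ev["rows"] > BULK_ROW_THRESHOLD:
            alerts.append({"kind": "bulk_download", "user": ev["user"],
                           "ts": ev["ts"], "detail": f"{ev['rows']} rows from {ev['table']}"})
        if not in_business_hours(ev["ts"]):
            alerts.append({"kind": "out_of_hours", "user": ev["user"],
                           "ts": ev["ts"], "detail": f"access to {ev['table']}"})

        key = (ev["user"], ev["ts"].date())
        before = daily_rows[key]
        daily_rows[key] += ev["rows"]
        # Fire the daily alert once, at the moment the ceiling is first crossed.
        if before <= DAILY_ROW_THRESHOLD < daily_rows[key]:
            alerts.append({"kind": "daily_volume", "user": ev["user"],
                           "ts": ev["ts"], "detail": f"{daily_rows[key]} rows on {key[1]}"})
    return alerts


def users_flagged(alerts: List[Dict]) -> set:
    return {a["user"] for a in alerts}


if __name__ == "__main__":
    for alert in detect(AUDIT_LOG):
        print(alert["ts"].isoformat(), alert["kind"], alert["user"], alert["detail"])
```

On the constructed log the service account's small daytime queries produce nothing, while the three night-time bulk reads by one user each raise both a bulk-download and an out-of-hours alert, and the first day's accumulated total additionally crosses the daily ceiling. In practice these alerts feed the response protocols the advisory calls for; a rule that fires but is routed nowhere leaves the organisation in the same position as Organisation B.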

Review data protection policies and practices

Organisations are strongly encouraged to routinely review their data protection policies and practices to enable them to identify data protection gaps and the appropriate remedies.

Resources and guidance

[1] Personal data is defined in the Personal Data Protection Act 2012 (PDPA) as data, whether true or not, about an individual who can be identified (a) from that data; or (b) from that data and other information to which the organisation has or is likely to have access.
[2] Partial NRIC number refers to a part of the full NRIC number, such as the last 3 numerical digits and checksum of the NRIC number (e.g. “567A” from the full NRIC number of “S1234567A”).