New Undertaking on 21 May 2025

21 May 2025

This month, the Commission has issued one Undertaking.

The undertaking this month reveals a breach stemming from a ransomware attack, where a threat actor gained unauthorised access to the organisation’s system via a sister company’s server in Australia, resulting in the exfiltration of personal data belonging to 10,281 customers.

 

In response, the affected organisation is to implement a remediation plan to rectify the immediate breach and address any systemic shortcomings to ensure compliance with the PDPA on a continual basis, such as:

  • Reviewing overseas data hosting and associated risks
  • Implementing enhanced security measures including encryption and access controls across systems
  • Scheduling regular security audits in line with ISO 27001 standards
  • Providing employee training on data protection and cybersecurity

The PDPC has accepted the undertaking having considered the number of affected individuals, the types of personal data involved and the impact of the Incident.

Access the Undertaking here.