This week, the Commission has published four Undertakings.

The incidents involved a mix of ransomware attacks and unauthorised access by exploiting legitimate login credentials, which disrupted business operations and exposed gaps in the organisations' cybersecurity defences. Common contributing factors included weak access controls, use of outdated firewall, software, and default accounts.

To address these issues and strengthen data protection practices, the organisations will be implementing a range of remediation measures, including:

• Enforcing multi-factor authentication across systems and administrative accounts
• Performing regular vulnerability assessments and penetration testing
• Hardening server configurations and segmenting network access
• Training staff on cybersecurity and data protection awareness
• Obtaining relevant data protection and cybersecurity certifications

The PDPC has accepted these Undertakings after considering the types of personal data affected, the circumstances surrounding each incident, and the organisations' readiness to implement their remediation plans to meet their obligations under the PDPA.

Access the Undertakings here.