Background

The Personal Data Protection Commission (the “Commission”) was notified by Employment and Employability Institute Pte. Ltd. on 25 March 2021 of a personal data breach involving its contact centre and data intermediary, i-vic International Pte. Ltd. (“i-vic).

Investigations revealed that an employee of i-vic had most likely fallen prey to a phishing attack. As a result, a malicious actor successfully downloaded the personal data belonging to 31,002 individuals, from 2 email accounts belonging to the i-vic employee (the “Incident”).The personal data affected included the individuals’ partial or full NRIC, date of birth, telephone number, email address, residential address, highest qualification, and employment details.

Further investigations found that i-vic had reasonable security measures in place to protect the personal data that it processes on behalf of e2i. i-vic had anti-virus protection, anti-phishing protection, regular anti-virus scans, security audits and conducted regular patches for its IT system. In fact, i-vic had existing anti-malware software which should have been able to detect the particular malware used in the Incident, but somehow failed to do so. After the Incident, i-vic purchased and deployed additional anti-malware software. Finally, the Commission found that i-vic had comprehensive policies and guidelines in place to protect personal data.

While i-vic had reasonable security arrangements in place to protect the personal data it processes, the Commission established that this was entirely on i-vic’s account and not because of e2i’s bidding. e2i had failed to stipulate any specific data protection requirements on i-vic in their contract. e2i also lacked sufficiently robust processes to protect the personal data in its possession or control. i-vic produced evidence of several occasions where e2i’s employees had sent personal data to i-vic without any encryption or protection, which was against e2i’s standard operating procedures.

Case No. DP-2106-B8424

A complainant alerted the Commission of a personal data breach involving e2i’s website on 21 June 2021. e2i's website had been designed in such a way that it would automatically populate and display all the data fields e2i had of an individual in its possession without the need for further authentication once an individual's NRIC number is keyed in to access e2i's website and register for a course, talk, or event. As a result, the personal data of 102,151 individuals was at risk of being disclosed.

The personal data affected included the individuals’ name, citizenship, union membership status, gender, race, education, employment information, work experience, background, health records, and other partially masked personal data including NRIC number, date of birth, email address, postal code and contact number.

As this personal data breach involving e2i's website occurred when the Commission was investing Case No. DP-2103-B8132, the Commission considered both cases involving e2i together.

Remedial Actions

After the incidents, as part of a remediation plan, e2i put in place the following measures which included:

(a) Strengthening its data protection governance with the assistance of an independent vendor;

(b) Engaging a professional company to conduct IT risk assessment audits on third-party vendors;

(c) Implementing a one-time password ("OTP") authentication for individuals using its website;

(d) Ensuring that i-vic has the necessary systems and processes in place to protect personal data;

(e) Tightening its vendor selection process'

(f) Enhancing its password protection policy;

(g) Enhancing its outlook system security;

 

(h) Made continuous effort to conduct regular staff training; and

 

(i) Masking personal data on its website

 

The Commission was also satisfied with the additional remedial actions undertaken by i-vic.

Undertaking

Having considered the circumstances of both cases, the Commission accepted an undertaking from e2i to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 10 March 2022 (the Undertaking).

The Commission accepted the Undertaking as it was satisfied that notwithstanding e2i’s failure to stipulate personal data protection requirements in its contract with i-vic, e2i had engaged i-vic on account of i-vic’s good personal data protection policies and processes.

For the personal data breach that affected e2i’s website, while the personal data of 102,151 individuals was at risk of being disclosed, the impact of the personal data breach was limited as e2i promptly took remediation action after being alerted by the Commission of the complaint received. e2i worked with its vendor to ensure that save for the last 4 digits of an individual’s contact number, the website no longer displayed any of the personal data fields of an individual. As part of the Undertaking, e2i eventually implemented an OTP authentication for individuals using its website.

 

The Commission accepted the Undertaking as this is consistent with the Commission’s practice with respect to other personal data breaches similar to the one that affected e2i’s website, where there is no evidence to suggest that there has been unauthorised access or data exfiltration.

e2i has since updated the Commission that it has completed the implementation of its remediation plan. The Commission has reviewed the matter and is satisfied that e2i has complied with the terms of the Undertaking.

Please click here to view the Undertaking.