In late June 2022, the Cyber Security Agency of Singapore alerted the Personal Data Protection Commission (the “Commission”) and Metropolis Security Systems Pte Ltd (the “Organisation”) that the Organisation’s files containing the personal data of 250 individuals were accessible online via an open port.
The affected folder containing the personal data had been inadvertently set to public and configured to an open port following a routine maintenance service in March 2018. As a result, the personal data of 250 individuals, including their names, NRIC numbers, addresses, mobile numbers and bank account numbers, was disclosed.
After the incident, as part of a remediation plan, the Organisation implemented the following:
(a) Password-protect both sensitive and confidential documents stored centrally in its HQ Network Attached Storage folder;
(b) Review the classification of information in its asset register at least once a year;
(c) Ensure that its vendors/suppliers are contractually obliged to comply with the Personal Data Protection Act 2012;
(d) Conduct adequate internal tests and penetration tests; and
(e) Embark on ISO27001 implementation with an external consultant.
Having considered the circumstances of the case, including the remedial steps taken by the Organisation, the Commission accepted an undertaking from the Organisation to improve its compliance with the PDPA. The undertaking was executed on 27 September 2022 (the “Undertaking”).
The Organisation has since updated the Commission that it has fully implemented its remediation plan. The Commission has reviewed the matter and determined that the Organisation has complied with the terms of the Undertaking.