Undertaking by Nippon Paint (Singapore) Co Pte Ltd

Background

Nippon Paint (Singapore) Co Pte Ltd (the “Organisation”) notified the Personal Data Protection Commission (the “Commission”) on 29 April 2024 of a data security incident where the personal datasets posted on the dark web corresponded to datasets in a file belonging to the Organisation (the “Incident”).

The Organisation established that the Threat Actor (“TA”) exploited vulnerabilities in the plug-ins utilised for the Organisation’s e-commerce platform, allowing the TA to exfiltrate personal data from its servers and the systems supporting the platform. Furthermore, it was found that one plug-in generated and hosted a file on the Organisation’s server that matched the compromised data on the dark web. The plug-ins had been removed by the time of the notification to the Commission.

A total of 13,695 individuals were affected. The affected personal data comprised names, contact numbers, addresses, and email addresses.

Upon discovery of the Incident, the Organisation took prompt remedial actions including resetting its administrative password, limiting the storage of personal data to only customers’ email addresses used to receive one-time passwords for log-in purposes, and strengthening user access control for customers’ and administrative accounts by implementing two-factor authentication (“2FA”).

Voluntary Undertaking

Having considered the circumstances of the case, the Commission accepted a voluntary undertaking (the “Undertaking”) from the Organisation to improve its compliance with the Personal Data Protection Act 2012 (the “PDPA”). The Undertaking was executed on 28 August 2024.

As part of the Undertaking, the Organisation will be implementing the following:

(a) Ensuring that data stored on the e-commerce platform is kept to a minimum.

(b) Implementing 2FA for customers’ and administrative accounts.

(c) Performing penetration tests every 3 months.

(d) Reviewing existing contracts with vendors to include relevant data protection clauses that clearly set out the obligations and responsibilities of all parties.

(e) Applying for the Data Protection Trustmark certification.

The Commission will verify the Organisation’s compliance with the Undertaking. If the Organisation fails to comply with any terms of the Undertaking, the Commission may issue a direction so as to ensure the Organisation’s compliance with the Undertaking.