Undertaking by Ready Digital Pte Ltd

Background

Ready Digital Pte. Ltd. ("RDPL") notified the Personal Data Protection Commission (the "Commission") on 17 October 2024 of a cyberattack where personal data had been deleted from their backup database in the development server (“Affected Database”) located on-premise (the “Incident”).

RDPL established that the threat actor (“TA”) had exploited an open port on a development server intended for remote access. The port had been misconfigured by PT Ekasa Teknologi Nusantata, RDPL's outsourced developer in Indonesia, so that it granted remote access permissions from any IP address. Although login credentials were in place for the development server, the TA was able to access the Affected Database directly via the open port because the Affected Database itself had no login credentials in place.

The Incident affected 155 individuals’ personal data, including:

(a) 58 Customers (Seniors): Name, Last 4 characters of NRIC, Contact number, Address, Next-of-Kin (“NOK”) Contact, Relationship with NOK;

(b) 89 NOK and Known CareGivers: Name, Contact Number; and

(c) 8 Current and Former Employees: Name, Contact Number.

Upon discovery of the Incident, RDPL took immediate remedial actions including isolating the compromised system, blocking external access, closing the open port, changing server access credentials, conducting malware scans, enhancing database security with additional access controls, and restoring the Affected Database from the unaffected Production database. 

Voluntary Undertaking

Having considered the circumstances of the case, the Commission accepted a voluntary undertaking (the “Undertaking”) from RDPL to improve its compliance with the Personal Data Protection Act 2012 (the “PDPA”). The Undertaking was executed on 21 May 2025.

As part of the Undertaking, the Organisation will:

(a) Implement a comprehensive Vendor Management Policy.

(b) Provide staff with training on network security.

(c) Update security policies with periodic reviews.

(d) Obtain the Cyber Security Agency of Singapore’s Cyber Essential Mark Certification by October 2025.

The Commission will verify the Organisation’s compliance with the Undertaking. If the Organisation fails to comply with any terms of the Undertaking, the Commission may issue a direction so as to ensure the Organisation’s compliance with the Undertaking.