Undertaking by Success Human Resource Centre Pte Ltd


The Personal Data Protection Commission (the “Commission”) received a complaint about a personal data breach involving Success Human Resource Centre Pte Ltd (the “Organisation”) on 30 May 2023. The complainant informed the Commission that he was able to access the Organisation’s attendance tracking system, which disclosed the names and mobile numbers of other individuals, by manipulating the numerical suffix of the Organisation’s webpage URL (the “Incident”). About 30,000 individuals were potentially affected.

Investigations revealed that the breach was caused by inadequate web disk space on the webhost and unaddressed errors in the coding script. Upon being alerted, the Organisation immediately took down the URL.


Having considered the circumstances of the case, the Commission accepted a voluntary undertaking (the “Undertaking”) from the Organisation to improve its compliance with the Personal Data Protection Act 2012. The Undertaking was executed on 11 September 2023.

As part of the Undertaking, the Organisation put in place the following measures:

(a) Fixed all coding flaws and structural issues on the system.

(b) Upgraded the web disk space and implemented 2FA.

(c) Implemented best practices for secure Identity Access Management (IAM).

(d) Implemented clear vendor management and account responsibilities processes.

(e) Developed a vulnerability disclosure policy and established a clear process for incident management.

The Commission was satisfied with and accepted the Undertaking having considered the number of affected individuals, the types of personal data involved and the impact of the Incident. Accepting the Undertaking was also consistent with the Commission’s practice with respect to other personal data breaches similar to the one that affected the Organisation.

The Organisation has since updated the Commission that it has completed the implementation of its remediation plan. The Commission has reviewed the matter and is satisfied that the Organisation has complied with the terms of the Undertaking.
