Undertaking by The Oddle Company Pte Ltd

Background

The Oddle Company Pte Ltd (the “Organisation”) notified the Personal Data Protection Commission (the “Commission”) on 27 March 2024 of a data security incident that had occurred on 25 March 2024 in which their customers’ personal data was disclosed without authorisation (“Incident”).

The Organisation established that the Incident was a result of unauthorised access to an internal employee account, through which the threat actor (“TA”) installed malicious code snippets on the checkout pages of certain merchants. This malicious code would load a third-party JavaScript script which, on detecting a mobile browser, would hide the legitimate payment input form and layer a separate set of input fields on top of it.

As a result of the Incident, the personal data of 7,358 individuals, from Singapore, Taiwan, Malaysia, and Hong Kong, was affected. The types of personal data affected included a combination of the full name, personal email address, contact number, and full credit card information.

Upon discovery of the Incident, the Organisation took prompt remedial actions including the notification of all affected individuals, and the review of the code base to ensure no secret key is stored in the repository. Additionally, the Organisation would verify all scripts before they are allowed to go live and would also detect and monitor new IP addresses.

Voluntary Undertaking

Having considered the circumstances of the case, the Commission accepted a voluntary undertaking (the “Undertaking”) from the Organisation to improve its compliance with the Personal Data Protection Act 2012 (the “PDPA”). The Undertaking was executed on 29 August 2024.

As part of the Undertaking, the Organisation will be implementing the following:

(a) Implement IP whitelisting for all customers’ logins to reduce the risk of unauthorised access from unknown IP addresses.

(b) Implement 2-factor authentication (“2FA”) using external devices.

(c) Verify all custom scripts before they are enabled, to prevent the addition of malicious scripts.

(d) Enforce 2FA by email for all customers’ logins to the internal admin dashboard.

(e) Detect and monitor new and anomalous IP addresses.

The Commission will verify the Organisation’s compliance with the Undertaking. If the Organisation fails to comply with any terms of the Undertaking, the Commission may issue a direction so as to ensure the Organisation’s compliance with the Undertaking.