Undertaking by TJ Assurance Partners PAC

Background

TJ Assurance Partners PAC (the “Organisation”) notified the Personal Data Protection Commission (the “Commission”) on 12 March 2025 of a data breach involving unauthorised access to one of the Organisation’s corporate email accounts. The Threat Actor (“TA”) subsequently used the compromised email account to send phishing emails to the Organisation’s clients (the “Incident”).

The Organisation established that the Incident occurred when a staff member fell victim to a phishing attack, enabling the TA to access the mailbox of the compromised email account for about one hour. During that period, the TA read a number of emails and used the mailbox to send phishing emails to contacts in its address book.

Based on log analysis performed with Microsoft support, no file downloads were detected. The personal data was contained in email attachments within the correspondence of the compromised mailbox and affected 71 individuals. The affected personal data included full name, address, NRIC number, passport number, nationality, and financial information.

Upon discovery of the Incident, the Organisation took prompt remedial actions including:

(a) Notified recipients of the phishing emails purportedly sent by the Organisation;

(b) Forced a logout of all Microsoft 365 users across the Organisation to invalidate active sessions; and

(c) Reset the password and revoked the Microsoft 365 licence associated with the compromised mailbox.

Voluntary Undertaking

Having considered the circumstances of the case, the Commission accepted a voluntary undertaking (the “Undertaking”) from the Organisation to improve its compliance with the Personal Data Protection Act 2012 (the “PDPA”). The Undertaking was executed on 26 June 2025.

As part of the Undertaking, the Organisation will implement the following measures:

(a) Conduct phishing simulation exercises for employees and identify susceptible personnel;

(b) Schedule Annual Vulnerability Assessment and Penetration Testing (“VAPT”) for all internet-facing assets and internal systems;

(c) Implement Data Protection Management Programme (“DPMP”) including password policies and email data retention Standard Operating Procedures (“SOP”);

(d) Formalise breach response procedures; and

(e) Undergo Data Protection Trustmark (“DPTM”) audit and certification.

The Commission will verify the Organisation’s compliance with the Undertaking. If the Organisation fails to comply with any terms of the Undertaking, the Commission may issue a direction so as to ensure the Organisation’s compliance with the Undertaking.