Voluntary Undertaking by Bridgetek Pte Ltd
Background
Bridgetek Pte Ltd (the “Organisation”) notified the Personal Data Protection Commission (the “Commission”) on 16 January 2025 of a personal data breach involving a ransomware attack that had impacted the Organisation’s infrastructure, comprising its servers across its Singapore and overseas offices (the “Incident”). All personal data resided on the Singapore servers.
The Organisation established that the threat actor (“TA”) had likely gained access to the Organisation’s system through a research and development device which required the importing of development tools and reference software from external sources, creating a potential entry point for the ransomware. Malware was detected on this device by the Organisation’s antivirus programme. This vulnerability in the development environment, combined with insufficient network segmentation, ultimately led to the system-wide compromise.
The TA encrypted the Organisation’s files containing the personal data of approximately 300 individuals, who were the Organisation’s current and former employees (201 individuals) and customers (fewer than 100 individuals). The types of employee personal data affected included name, email address, contact number, residential address, NRIC number, bank account number, personal CV, passport details and birth certificate details. For customers, only basic contact information was affected, including name, email address, shipping address and contact number.
Upon discovery of the Incident on 17 December 2024, the Organisation took prompt remedial actions, including isolating all servers, disconnecting VPN tunnelling between offices and cutting off the internet connection.
Voluntary Undertaking
Having considered the circumstances of the case, the Commission accepted a voluntary undertaking (the “Undertaking”) from the Organisation to improve its compliance with the Personal Data Protection Act 2012 (the “PDPA”). The Undertaking was executed on 5 December 2025.
As part of the Undertaking, the Organisation will be implementing the following:
(a) Network isolation of all research computers on a separate network, with IT-controlled segmentation rules preventing communication between networks
(b) Removal of administrator rights from all users and restriction of program installation to IT personnel only
(c) Implementation of 2FA/MFA for privileged accounts
(d) Replacement of the antivirus solution with an antivirus/EDR solution
The Commission will verify the Organisation’s compliance with the Undertaking. If the Organisation fails to comply with any terms of the Undertaking, the Commission may issue a direction to ensure the Organisation’s compliance with the Undertaking.
