Voluntary Undertaking by Cycle & Carriage Industries Pte Ltd
Background
Cycle & Carriage Industries Pte. Limited (the “Organisation”) notified the Personal Data Protection Commission (the “Commission”) on 17 July 2025 of a personal data breach involving its Salesforce tenant platform (the “Incident”).
The Organisation established that the threat actor (“TA”) had accessed the Organisation’s Salesforce tenant platform on 12 July 2025 using the credentials of a compromised backend service account. There was no evidence that the credentials had leaked through compromised devices or mail servers. The compromised account was used to create a new system administrator account, which in turn was used to generate data export reports believed to contain the Organisation’s customers’ personal data.
The data breach affected 147,110 individuals. The personal data affected comprised a combination of basic contact details (names, addresses, email addresses and phone numbers) and, for a small proportion of individuals, NRIC numbers (about 1,935). There was no evidence of public exposure or misuse of the affected personal data.
Upon discovery of the Incident, the Organisation took prompt remedial actions, including enhancing the auditing, management and review of all its user accounts, and regularly monitoring, reviewing and enforcing departmental retention periods for Salesforce and other cloud applications that store personal data. The Organisation also notified the affected customers.
The data breach likely occurred because the Organisation had inadequate security measures in place prior to the Incident for the compromised backend service account: the account was not consistently audited, managed and reviewed, and its password was not rotated. The Organisation also retained records containing personal data beyond their retention periods; these were stored in a stand-alone legacy object in Salesforce. The Organisation had other protective measures in place, including multi-factor authentication and enforced password policies.
Voluntary Undertaking
Having considered the circumstances of the case, the Commission accepted a voluntary undertaking (the “Undertaking”) from the Organisation to improve its compliance with the Personal Data Protection Act 2012 (the “PDPA”). The Undertaking was executed on 23 January 2026.
As part of the Undertaking, the Organisation will implement measures including the following:
(a) Strengthening service account security through mandatory credential rotation, formal ownership assignments and preventing interactive logins;
(b) Implementing least-privilege access principles, restricting dormant accounts and establishing policies against persistent external access and credential sharing;
(c) IP whitelisting for corporate networks and token management with regular auditing for active sessions;
(d) Data retention compliance by regularly reviewing and enforcing departmental policies for personal data stored in Salesforce and similar cloud platforms;
(e) Security awareness training for administrators and developers; and
(f) Cybersecurity assessments of API source code and data protection impact assessment for Salesforce modules that process personal data.
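To make the chain in the incident narrative and the controls in items (a) to (c) concrete, the following is an added example, not code from the Organisation or the Commission: a small Python detector over constructed, simplified audit events that flags interactive logins by service accounts, logins from outside the corporate allowlist, creation of administrator users, and report exports by a freshly created administrator. The account names, IP ranges and event schema are assumptions for illustration and are not Salesforce's actual log format.

```python
"""Detect the chain described in the Incident: a backend service account
logs in interactively, creates a system administrator user, and that new
user exports reports. Event schema and values are constructed for this
example; they are NOT Salesforce's EventLogFile format."""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed inventory: service accounts should never log in interactively.
SERVICE_ACCOUNTS = {"svc-integration"}
# Constructed corporate allowlist (the undertaking's IP whitelisting control).
CORPORATE_NETS = [ip_network("203.0.113.0/24")]
# An export by an admin created within this window of its creation is suspicious.
WINDOW = timedelta(hours=24)

# Constructed sample events: (timestamp, actor, event_type, details)
EVENTS = [
    ("2025-07-12T01:02:00", "svc-integration", "Login", {"client": "Browser", "ip": "198.51.100.7"}),
    ("2025-07-12T01:05:00", "svc-integration", "CreateUser", {"new_user": "admin2", "profile": "System Administrator"}),
    ("2025-07-12T01:30:00", "admin2", "ReportExport", {"report": "AllContacts", "rows": 147110}),
    ("2025-07-12T08:00:00", "svc-integration", "Login", {"client": "API", "ip": "203.0.113.10"}),
]


def detect(events, service_accounts=SERVICE_ACCOUNTS, nets=CORPORATE_NETS):
    """Return (severity, message) findings in chronological order."""
    findings = []
    admins_created = {}  # new admin user -> (creator, created_at)
    for ts, actor, etype, d in sorted(events, key=lambda e: e[0]):
        t = datetime.fromisoformat(ts)
        if etype == "Login":
            # Control (a): service accounts must not log in interactively.
            if actor in service_accounts and d["client"] != "API":
                findings.append(("HIGH", f"{ts} service account {actor} interactive login via {d['client']}"))
            # Control (c): logins should originate from corporate networks.
            if not any(ip_address(d["ip"]) in n for n in nets):
                findings.append(("MEDIUM", f"{ts} login by {actor} from non-corporate IP {d['ip']}"))
        elif etype == "CreateUser" and d.get("profile") == "System Administrator":
            admins_created[d["new_user"]] = (actor, t)
            sev = "HIGH" if actor in service_accounts else "MEDIUM"
            findings.append((sev, f"{ts} {actor} created admin user {d['new_user']}"))
        elif etype == "ReportExport" and actor in admins_created:
            creator, created_at = admins_created[actor]
            if t - created_at <= WINDOW:
                findings.append(("CRITICAL", f"{ts} new admin {actor} (created by {creator}) exported {d['report']}"))
    return findings


if __name__ == "__main__":
    for sev, msg in detect(EVENTS):
        print(sev, msg)
```

The routine API login from the corporate range produces no finding, so the same service account is tolerated in its intended role while the interactive login, admin creation and export chain is surfaced.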
The Commission will verify the Organisation’s compliance with the Undertaking. If the Organisation fails to comply with any terms of the Undertaking, the Commission may issue a direction to ensure the Organisation’s compliance with the Undertaking.
