Voluntary Undertaking by Noel Gifts International Ltd

Background

On 13 February 2025, Noel Gifts International Ltd (the “Organisation”) notified the Personal Data Protection Commission (the “Commission”) that a threat actor (“TA”) had gained unauthorised access to the web management consoles belonging to the Organisation and its subsidiary. This led to the exfiltration of personal data held within those web management consoles (the “Incident”).

The Organisation established that the TA had likely gained access to both web management consoles by using the login credentials of one of the authorised accounts, which gave the TA access to the Sales Report function within the consoles.

The TA then exfiltrated files containing the personal data of approximately 200,000 former and existing customers of the Organisation and its subsidiary. Only the personal email addresses of customers, used for sending order confirmations, were affected in this Incident.

Upon discovery of the Incident, the Organisation took prompt remedial actions, including but not limited to:

(a) enhancing password requirements across all accounts;

(b) introducing email-based one-time password authentication;

(c) implementing account lockout and comprehensive logging of login activity to monitor and track all system-access attempts, including those against the management consoles; and

(d) conducting a thorough review of management console access permissions, with access rights revised on a need-to-know basis.

Voluntary Undertaking

Having considered the circumstances of the case, the Commission accepted a voluntary undertaking (the “Undertaking”) from the Organisation to improve its compliance with the Personal Data Protection Act 2012 (the “PDPA”). The Undertaking was executed on 29 May 2025.

As part of the Undertaking, the Organisation will implement the following:

(a) Additional multi-factor authentication for administrative accounts on servers and systems with internet-facing user accounts;

(b) Review and update business, workflow and security policies and operational procedures, including a data retention policy;

(c) Re-train employees on cybersecurity and data protection;

(d) Conduct vulnerability assessment and penetration testing covering all systems, networks and attack vectors;

(e) Assess the feasibility and requirements to obtain the Commission’s Data Protection Trustmark Certification; and

(f) Review and enhance its incident response plan, with assistance from an external party, to better handle cybersecurity and data breach incidents.

The Commission will verify the Organisation’s compliance with the Undertaking. If the Organisation fails to comply with any terms of the Undertaking, the Commission may issue a direction so as to ensure the Organisation’s compliance with the Undertaking.