Undertaking by C M R (Far East) Pte Ltd

Background

The Personal Data Protection Commission (the “Commission”) was notified by C M R (Far East) Pte Ltd (the “Organisation” or “CMR”) on 28 June 2022 of a personal data breach involving the unauthorised access of personal data (the “Incident”).

While the exact cause of the breach could not be determined, the malicious actor encrypted the Organisation’s files containing the personal data of 57 individuals who were the Organisation’s current or ex-employees. The types of personal data affected included the name, address, email address, date of birth, NRIC/FIN number, contact number, salary and bank account details.

Upon discovery of the Incident, CMR took prompt remedial actions, including moving to a cloud-based system with secure backup.

Voluntary Undertaking

Having considered the circumstances of the case, the Commission accepted a voluntary undertaking (the “Undertaking”) from the Organisation to improve its compliance with the Personal Data Protection Act 2012 (the “PDPA”). The Undertaking was executed on 12 December 2022.

As part of the Undertaking, CMR will be implementing the following:

(a) Engage a Data Protection consultant to assist in developing a comprehensive written data protection and IT policy;

(b) Upgrade its IT system;

(c) Carry out Vulnerability Assessment and Penetration Testing (VAPT) on the upgraded IT system to identify and help address any potential cyber security vulnerabilities; and

(d) Obtain the Data Protection Trustmark (DPTM) certification.

The Commission will verify the Organisation’s compliance with the Undertaking. If the Organisation fails to comply with any terms of the Undertaking, the Commission may issue a direction so as to ensure the Organisation’s compliance with the Undertaking.