Undertaking by Cantley LifeCare Pte Ltd
Background
On 30 January 2024, the Personal Data Protection Commission (the “Commission”) was notified by a complainant of an unauthorised disclosure of her personal data by Cantley LifeCare Pte. Ltd. (the “Organisation”) on its website. The complainant had discovered the unauthorised disclosure after conducting a Google search of her own email address (the “Incident”).
The Commission promptly commenced investigations and, on 2 February 2024, the Organisation deleted the file containing its customers’ personal data that had been publicly accessible on its website. The file had been inadvertently placed in a public folder on the Organisation’s website following a website migration exercise in April 2021, so it had remained exposed for almost three years before the complaint was made.
The personal data of 1,130 individuals, including their names, phone numbers, email addresses, addresses and transaction information, was affected.
The Organisation was found to be lacklustre in its cybersecurity and data protection practices. First, the Organisation engaged a freelancer for the website migration in April 2021 and did not emphasise the need for personal data protection in that exercise. Second, the Organisation failed to conduct periodic security reviews, which could have detected the publicly accessible file on its website at any point in the intervening years. Third, the Organisation did not have any IT security-related policies, such as backup, audit and access control policies. In addition, the Organisation did not have any personal data protection policies or internal guidelines for its employees that could have provided guidance when responding to a personal data breach.
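The kind of periodic review that would have caught the stray export is straightforward to automate. The script below is an added example, not code from the Organisation, its service provider or the Commission: it walks a web server's document root and flags files whose extension or contents suggest a customer data export left behind by a migration. The extension list, the email-count threshold and the layout of the sample web root it builds are assumptions; the sample files are constructed for the demonstration.

```python
"""Audit a web server document root for data files that would be served publicly.

Added example. Anything under the document root is reachable by URL, so a
customer export copied there during a migration is a breach waiting to be
indexed by a search engine.
"""
import re
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import List

# Assumed list: extensions that rarely belong in a publicly served folder.
SENSITIVE_EXTENSIONS = {".csv", ".xls", ".xlsx", ".sql", ".bak", ".zip",
                        ".gz", ".tar", ".json", ".log"}
# Any file holding at least this many distinct email addresses is flagged
# regardless of extension (assumed threshold).
MIN_EMAILS = 5
SCAN_BYTES = 1_000_000  # only read the first MB of each file
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


@dataclass
class Finding:
    path: str      # relative to the document root, i.e. the URL path
    size: int      # bytes
    reason: str    # why it was flagged
    emails: int    # distinct email addresses seen in the first SCAN_BYTES


def count_emails(path: Path) -> int:
    """Count distinct email-like strings in the start of a file (binary-safe)."""
    with path.open("rb") as fh:
        return len(set(EMAIL_RE.findall(fh.read(SCAN_BYTES))))


def audit_web_root(root: Path) -> List[Finding]:
    """Return every file under root that looks like an exposed data export."""
    findings: List[Finding] = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        reasons = []
        if path.suffix.lower() in SENSITIVE_EXTENSIONS:
            reasons.append(f"data/backup extension {path.suffix}")
        emails = count_emails(path)
        if emails >= MIN_EMAILS:
            reasons.append(f"{emails} distinct email addresses")
        if reasons:
            findings.append(Finding(path.relative_to(root).as_posix(),
                                    path.stat().st_size,
                                    "; ".join(reasons), emails))
    return findings


def build_sample_web_root(base: Path) -> Path:
    """Constructed fixture: two harmless pages plus a stray customer export."""
    root = base / "public_html"
    (root / "uploads").mkdir(parents=True)
    (root / "index.html").write_text("<html><body>Welcome</body></html>")
    (root / "contact.html").write_text("Email us at hello@example.com")
    rows = ["name,phone,email,address,last_order"]
    for i in range(6):
        rows.append(f"Customer {i},9000000{i},customer{i}@example.com,"
                    f"{i} Example Road,2021-03-1{i}")
    (root / "uploads" / "customers_export.csv").write_text("\n".join(rows))
    return root


def run_sample_audit() -> List[Finding]:
    """Build the constructed web root in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_web_root(build_sample_web_root(Path(tmp)))


if __name__ == "__main__":
    for f in run_sample_audit():
        print(f"{f.path}: {f.reason} ({f.size} bytes)")
```

Run it on a schedule against the real document root (for example `audit_web_root(Path("/var/www/html"))`, path assumed) and treat any finding as an incident until explained. It only sees the filesystem: it will not tell you whether directory listing is enabled or whether a search engine has already cached the file, so pair it with an HTTP check from outside the network and with a diff of the migrated tree against the expected one immediately after any migration.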
Voluntary Undertaking
Having considered the circumstances of the case and the Organisation’s lack of knowledge of cybersecurity and data protection practices, the Commission accepted a voluntary undertaking (the “Undertaking”), executed on 1 April 2024, under which the Organisation will engage an external service provider to improve its cybersecurity set-up and its data protection practices and policies.
As part of the Undertaking, the external service provider will assist the Organisation to complete an initial set-up within 2 months. The initial set-up will include establishing an asset inventory for personal and business data, an IT asset inventory for hardware and software, developing an incident response and data breach management plan, and implementing the necessary cybersecurity measures to protect personal data. After the initial set-up, the external service provider will conduct two further reviews. The first review will be conducted 6 months after the initial set-up has been completed and the second review will be conducted one year after the first review. The reviews are to ensure, amongst other things, that the latest software updates have been installed on the Organisation’s devices and systems.
The Commission will verify the Organisation’s compliance with the Undertaking. If the Organisation fails to comply with any terms of the Undertaking, the Commission may issue a direction so as to ensure the Organisation’s compliance with the Undertaking.