Undertaking by Citizen Watches (H.K.) Ltd

Background

The Singapore branch of Citizen Watches (H.K.) (the “Organisation”) Limited notified the Personal Data Protection Commission (the “Commission”) on 26 April 2024 of a data breach incident where a threat actor had allegedly gained unauthorised access to its membership database that subsequently led to the exposure of the personal data of 8,126 individuals on the dark web (the “Incident”).

Investigations revealed that the threat actor gained access to the Organisation’s membership database via its website for registered members (the “Members Website”) on or around 24 April 2024. This was likely due to the lack of implementation of a password for the administrator account for the Members Website. The Members Website had not been tested for vulnerabilities before it went to production in August 2018. For clarity, the Members Website had been launched by the Organisation to cater to the region’s membership campaign and was not affiliated to the brand’s official websites which had not been affected by the Incident.

The Incident affected the personal data of 8,126 individuals that included their names, telephone numbers, personal email addresses, members account passwords, date of birth, country region, job industry and income range.

The Organisation was found to be lacklustre in its cybersecurity and data protection practices, including failing to implement password protection for privileged accounts and failing to carry out proper testing of and subsequent security reviews of its Member Website. In addition, there was no proper documentation for password policies, IT security policies and data protection policies.

Remedial Actions

After the Incident, the Organisation implemented the following:

(a) Engaged a third party to conduct digital forensic investigations and incident response;

(b) Permanently shut down the Members Website; and

(c) Deleted the entire membership database.

Voluntary Undertaking

Having considered the circumstances of the case and the lack of knowledge by the Organisation in cybersecurity and data protection practices, the Commission accepted a voluntary undertaking (the “Undertaking”), which was executed on 5 November 2024, from the Organisation to engage an external service provider to improve its cybersecurity set-up and its data protection practices and policies.

As part of the Undertaking, the external service provider will assist the Organisation to first complete an initial set-up within 2 months. The initial set-up will include establishing an asset inventory for personal/business data, an IT asset inventory for hardware and software, developing an incident response and data breach management plan and implementing the necessary cybersecurity measures to protect personal data. A review will then be conducted 6 months after the initial set-up to ensure, amongst others, that the latest software updates have been installed on the Organisation’s devices and systems.

The Commission will verify the Organisation’s compliance with the Undertaking. If the Organisation fails to comply with any terms of the Undertaking, the Commission may issue a direction so as to ensure the Organisation’s compliance with the Undertaking.