Undertaking by Fire Safety Managers' Association Singapore
Background
The Fire Safety Managers’ Association Singapore (the “Organisation”) notified the Personal Data Protection Commission (the “Commission”) of a personal data breach on 17 April 2024 after its members received phishing emails purportedly sent by the Organisation (the “Incident”). The phishing emails contained the members’ NRIC numbers and invited each recipient to scan a QR code to receive credit card promotions and discounts; the QR code was in fact an attempt by the threat actor to obtain the individual’s bank details.
Investigations revealed that the Organisation’s website contained vulnerabilities, which allowed the threat actor(s) to exfiltrate the personal data of the affected individuals. As a result of the Incident, the personal data of approximately 2,000 individuals, including their names, NRIC numbers, membership numbers, email addresses, and addresses, could have been exfiltrated by the threat actor(s).
The Organisation had engaged a vendor to develop its website in 2012 but did not take any steps thereafter to review whether the security arrangements for the website adequately protected its members’ personal data. The Organisation also admitted that it did not have a data protection officer (“DPO”) appointed.
Remedial Actions
After the Incident, the Organisation decommissioned its website.
Voluntary Undertaking
Having considered the circumstances of the case, in particular, the fact that the Organisation is a society run by volunteers, the Commission accepted a voluntary undertaking (the “Undertaking”) on 13 June 2024 from the Organisation to engage an external service provider to improve its cybersecurity set-up and its data protection practices and policies.
As part of the Undertaking, the external service provider will assist the Organisation to first complete an initial set-up within 2 months. The initial set-up will include the appointment and registration of a DPO with the Commission or the Accounting and Corporate Regulatory Authority (“ACRA”), establishing an asset inventory for personal/business data, an IT asset inventory for hardware and software, developing an incident response and data breach management plan, and implementing the necessary cybersecurity measures to protect personal data. A review will then be conducted 6 months after the initial set-up to ensure, among other things, that the latest software updates have been installed on the Organisation’s devices and systems.
The Commission will verify the Organisation’s compliance with the Undertaking. If the Organisation fails to comply with any terms of the Undertaking, the Commission may issue a direction so as to ensure the Organisation’s compliance with the Undertaking.