Undertaking by Flex-Solver Pte Ltd

Background

Flex-Solver Pte Ltd (the “Organisation”), a Singapore-based technology consulting and solution provider company, notified the Personal Data Protection Commission (the “Commission”) on 22 April 2024 that its customers had received phishing emails sent from the Organisation’s email address.

The threat actor gained unauthorised access to the name, address, email address, telephone number and order information of up to 15,812 individuals (the “Incident”) after compromising the password of the affected email account through a brute force attack. Investigations revealed that, at the time of the Incident, a weak password was in use for the affected email account.

Upon discovering the Incident, the Organisation took prompt remedial action. This included triggering a password reset to log out all unauthorised sessions, notifying all potentially affected individuals about the phishing emails, and enabling two-factor authentication (“2FA”) for the affected email account.

Voluntary Undertaking

Having considered the circumstances of the case, the Commission accepted a voluntary undertaking (the “Undertaking”) from the Organisation to improve its compliance with the Personal Data Protection Act 2012 (the “PDPA”). The Undertaking was executed on 5 August 2024.

As part of the Undertaking, the Organisation will be implementing the following:

(a) Adopt stronger password controls and implement 2FA for all user accounts;

(b) Implement account lockout policies to limit brute force attacks, and set up system alerts for suspicious login activity;

(c) Enhance current cybersecurity training by increasing the frequency of training;

(d) Carry out regular cybersecurity incident drills;

(e) Reinforce periodic checks on the antivirus software installed on work devices;

(f) Review password practices annually; and

(g) Maintain a list of blacklisted passwords.
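Items (b) and (g) above name the two technical controls that would have blunted the brute force attack described in the Background: a blacklist that rejects weak passwords at the point they are set, and a lockout policy with alerting that stops a guessing campaign after a handful of failures. The following is an added example of how both controls can be implemented and exercised against login records; it is not the Organisation's code and nothing in the Undertaking prescribes these thresholds. The blacklist entries, the lockout thresholds (5 failures in 15 minutes, 30 minute lockout, alert when one source fails against 3 accounts) and the log line format are all constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# --- (g) blacklisted passwords ------------------------------------------
# Constructed sample list (assumption). A real deployment would load a
# breached-password corpus and keep it current.
BLACKLISTED_PASSWORDS = {"password", "123456", "qwerty", "welcome", "letmein"}

# Common leetspeak substitutions folded back to letters before lookup.
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s"})


def normalise(password: str) -> str:
    """Fold case, trailing digits/symbols and leetspeak onto the base word,
    so 'P@ssw0rd2024!' is matched by the blacklist entry 'password'."""
    base = password.lower()
    stripped = re.sub(r"[\d\W_]+$", "", base)
    if stripped:              # keep all-digit passwords intact for lookup
        base = stripped
    return base.translate(_LEET)


def check_password(password: str, min_length: int = 12) -> Optional[str]:
    """Return a rejection reason, or None if the password may be set."""
    candidates = {password.lower(), normalise(password)}
    if candidates & BLACKLISTED_PASSWORDS:
        return "blacklisted"
    if len(password) < min_length:
        return "too short"
    return None


# --- (b) lockout policy and suspicious-login alerts ----------------------
class LockoutPolicy:
    def __init__(self, max_failures: int = 5, window: timedelta = timedelta(minutes=15),
                 lockout: timedelta = timedelta(minutes=30), spray_accounts: int = 3):
        self.max_failures, self.window, self.lockout = max_failures, window, lockout
        self.spray_accounts = spray_accounts
        self._failures = defaultdict(deque)   # account -> recent failure timestamps
        self._locked_until = {}               # account -> lockout expiry
        self._ip_accounts = defaultdict(set)  # source ip -> accounts it failed against
        self.alerts: List[str] = []

    def attempt(self, account: str, ip: str, ts: datetime, credential_ok: bool) -> str:
        """Evaluate one login attempt: 'allowed', 'denied' or 'locked'."""
        expiry = self._locked_until.get(account)
        if expiry is not None:
            if ts < expiry:
                return "locked"   # even a correct guess is refused while locked
            del self._locked_until[account]
            self._failures[account].clear()
        if credential_ok:
            self._failures[account].clear()
            return "allowed"
        fails = self._failures[account]
        fails.append(ts)
        while fails and ts - fails[0] > self.window:   # drop failures outside the window
            fails.popleft()
        if len(fails) >= self.max_failures:
            self._locked_until[account] = ts + self.lockout
            self.alerts.append(f"{ts.isoformat()} LOCKOUT account={account} ip={ip} failures={len(fails)}")
        # Password spraying: one source failing against many accounts stays under
        # the per-account threshold, so it is tracked per source IP as well.
        self._ip_accounts[ip].add(account)
        if len(self._ip_accounts[ip]) == self.spray_accounts:
            self.alerts.append(f"{ts.isoformat()} SPRAY ip={ip} accounts={self.spray_accounts}")
        return "denied"


# Constructed log format (assumption): "<ts> LOGIN user=<u> ip=<ip> result=OK|FAIL"
LOG_RE = re.compile(r"^(?P<ts>\S+) LOGIN user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>OK|FAIL)$")


def parse_log_line(line: str) -> Tuple[str, str, datetime, bool]:
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return m["user"], m["ip"], ts, m["result"] == "OK"


def replay(lines: List[str], policy: Optional[LockoutPolicy] = None) -> Tuple[List[str], List[str]]:
    """Run the policy over login records; returns (per-line decisions, alerts)."""
    policy = policy or LockoutPolicy()
    decisions = [policy.attempt(*parse_log_line(line)) for line in lines]
    return decisions, policy.alerts


# Constructed sample log: a brute force on one mailbox that guesses right on the
# sixth try, a legitimate login, then the same source spraying other accounts.
SAMPLE_LOG = [
    "2024-04-20T02:00:01Z LOGIN user=sales@example.test ip=203.0.113.5 result=FAIL",
    "2024-04-20T02:00:02Z LOGIN user=sales@example.test ip=203.0.113.5 result=FAIL",
    "2024-04-20T02:00:03Z LOGIN user=sales@example.test ip=203.0.113.5 result=FAIL",
    "2024-04-20T02:00:04Z LOGIN user=sales@example.test ip=203.0.113.5 result=FAIL",
    "2024-04-20T02:00:05Z LOGIN user=sales@example.test ip=203.0.113.5 result=FAIL",
    "2024-04-20T02:00:06Z LOGIN user=sales@example.test ip=203.0.113.5 result=OK",
    "2024-04-20T02:05:00Z LOGIN user=ops@example.test ip=198.51.100.7 result=OK",
    "2024-04-20T02:10:00Z LOGIN user=ops@example.test ip=203.0.113.5 result=FAIL",
    "2024-04-20T02:10:01Z LOGIN user=finance@example.test ip=203.0.113.5 result=FAIL",
]

if __name__ == "__main__":
    print(check_password("P@ssw0rd2024!"))   # rejected despite length and symbols
    for line, decision in zip(SAMPLE_LOG, replay(SAMPLE_LOG)[0]):
        print(decision.ljust(8), line)
    for alert in replay(SAMPLE_LOG)[1]:
        print(alert)
```

Two points the replay makes visible: the sixth attempt carries the correct password yet is refused because the account is already locked, which is exactly the case the brute force in the Incident relied on; and the per-IP counter raises an alert for spraying even though each sprayed account has only one failure. When wiring this into a real mail platform, apply the lockout to every protocol the mailbox exposes (IMAP, SMTP AUTH, webmail), since an attacker blocked on one will try the others.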

The Commission will verify the Organisation’s compliance with the Undertaking. If the Organisation fails to comply with any terms of the Undertaking, the Commission may issue a direction so as to ensure the Organisation’s compliance with the Undertaking.