Undertaking by Giveback Coffee Co Pte Ltd
Background
On 12 July 2024, the Personal Data Protection Commission (the “Commission”) received a complaint from a concerned member of the public against Giveback Coffee Co. Pte. Ltd. (the “Organisation”). The complainant had discovered from search engine results that the Organisation’s web directory was misconfigured and publicly accessible. As a result, 5 spreadsheet files containing the personal data of 32,925 individuals were publicly accessible, including their name, email address, postal code, and order details such as the items purchased, cost, and shipping information (the “Incident”).
Investigations revealed that an administrator user had triggered the generation of the files to analyse customer orders made through the Organisation’s website; the generated files were subsequently stored in the web directory, where they were exposed.
Remedial Actions
Upon discovery of the Incident, the Organisation took prompt remedial actions including reviewing the server configuration, removing the files, and engaging data protection and cybersecurity consultants to review its existing processes.
Voluntary Undertaking
Having considered the circumstances of the case, the Commission accepted a voluntary undertaking (the “Undertaking”) from the Organisation to improve its compliance with the Personal Data Protection Act 2012 (the “PDPA”). The Undertaking was executed on 23 August 2024.
As part of the Undertaking, the Organisation will:
(a) Engage an external vendor to develop a new website to replace its existing website, with requirements for the external vendor to implement relevant security measures;
(b) Implement annual vulnerability assessment and penetration testing on its e-commerce web application and cloud architecture; and
(c) Review its existing processes and develop a Data Protection Management Programme with the assistance of external cybersecurity and data protection consultants.
The Commission will verify the Organisation’s compliance with the Undertaking. If the Organisation fails to comply with any terms of the Undertaking, the Commission may issue a direction so as to ensure the Organisation’s compliance with the Undertaking.