Undertaking by iCuisto Pte Ltd

Background

iCuisto Pte Ltd (the “Organisation”) notified the Personal Data Protection Commission (the “Commission”) on 27 November 2023 of the deletion of its users’ personal data that was stored on its staging server (the “Incident”). The Organisation is the start-up behind a kitchen and meal-planning application called “KitchenPal”. The personal data of 95,713 individuals, which included their name, email address, photograph, gender and date of birth, was affected.

Investigations suggest that a threat actor (“TA”) gained access to the Organisation’s staging server through either (a) a brute force attack on the login credentials used to access the staging database; or (b) compromised login credentials used by its developers.

Upon discovering the Incident, the Organisation took prompt remedial actions. These included resetting the login credentials, decommissioning the compromised port and switching to another secure port, ceasing the transfer of personal data into the Organisation’s staging environment for future developments, and activating 2FA for access.

Voluntary Undertaking

Having considered the circumstances of the case, the Commission accepted a voluntary undertaking (the “Undertaking”) from the Organisation to improve its compliance with the Personal Data Protection Act 2012 (the “PDPA”). The Undertaking was executed on 3 June 2024.

As part of the Undertaking, the Organisation will be implementing the following:

(a) Adopting stronger password controls by using an online password generator, implementing 2FA and introducing separate credentials for different developers;

(b) No longer exporting personal data to its staging environment and exploring the possibility of encrypting its database; and

(c) Sharing the PDPA guidelines with new developers to improve security at the time of onboarding.

The Commission will verify the Organisation’s compliance with the Undertaking. If the Organisation fails to comply with any terms of the Undertaking, the Commission may issue a direction so as to ensure the Organisation’s compliance with the Undertaking.