Undertaking by J Rental Centre Pte Ltd
Background
On 12 September 2022, the complainant informed the Personal Data Protection Commission (the “Commission”) that he was able to view the identification documents of other individuals by sequentially changing the numerical digits of a link from J Rental Centre Pte. Ltd’s (the “Organisation”) website.
Investigations revealed that the Organisation had engaged an overseas vendor to design its website and the website was launched sometime in 2018 to 2019. Although the Organisation envisaged that the website would store and process personal data, the Organisation admitted that it did not conduct any security testing on the website prior to its launch.
Accordingly, the personal data (NRICs, student identification cards and bills) of approximately 300 individuals was at risk of unauthorised access and disclosure.
The Commission found the Organisation lacklustre in its cybersecurity and data protection practices, as the Organisation should have but failed to test its website for security vulnerabilities prior to its launch or at regular intervals thereafter.
Remedial Actions
After the incident, the Organisation took prompt remedial action to prevent further unauthorised access or disclosure.
Voluntary Undertaking
Having considered the circumstances of the case and the lack of knowledge by the Organisation in cybersecurity and data protection practices, the Commission accepted a voluntary undertaking (the “Undertaking”) from the Organisation to engage an external service provider to improve its cybersecurity set-up and its data protection practices and policies on 9 November 2022.
As part of the Undertaking, after the initial set-up, the external service provider will conduct two further reviews. The first review will be conducted 6 months after the initial set-up has been completed and the second review will be conducted one year after the first review. The reviews are to ensure, amongst others, that the latest software updates have been installed on the Organisation’s devices and systems.
The Commission will verify the Organisation’s compliance with the Undertaking. If the Organisation fails to comply with any terms of the Undertaking, the Commission may issue a direction so as to ensure the Organisation’s compliance with the Undertaking.