Background

On 16 March 2023, PDPC was notified by a complainant of the disclosure of personal data of over 900 respondents on a Google Form used by J&W Premium and Exclusive Pte Ltd (the “Organisation”) to register the warranty for TCL Electronics’ products. The complainant first reported the issue to the Organisation on 19 December 2022 and subsequently lodged a complaint with PDPC after realizing that the Google Form remained publicly accessible online (the “Incident”).

Investigation revealed that the Organisation did not configure the correct privacy settings for the Google Form and only rectified the error upon notification of the Incident by PDPC.

As a result of the Incident, the personal data of approximately 1,337 individuals, including their name, phone number, email address and age range, was affected.

Investigation revealed that the Organisation lacked sufficiently robust processes to protect personal data. The Organisation did not conduct pre-launch testing and did not have any password or patch/change management policy. It also did not carry out any data protection training for its staff.

Remedial Actions

After the incident, the Organisation took prompt remedial actions by doing the following:

(a) Decommissioned its website;

(b) Established a monthly routine checklist on security configurations; and

(c) Implemented three layers of checks, verification and testing procedures.

Voluntary Undertaking

Having considered the circumstances of the case and the lack of knowledge by the Organisation in cybersecurity and data protection practices, the Commission accepted a voluntary undertaking (the “Undertaking”), which was executed on 30 May 2023, from the Organisation to engage an external service provider to improve its cybersecurity set-up and its data protection practices and policies.

As part of the Undertaking, after the initial set-up, the external service provider will conduct two further reviews. The first review will be conducted 6 months after the initial set-up has been completed and the second review will be conducted one year after the first review. The reviews are to ensure, amongst others, that the latest software updates have been installed on the Organisation’s devices and systems.

The Commission will verify the Organisation’s compliance with the Undertaking. If the Organisation fails to comply with any terms of the Undertaking, the Commission may issue a direction so as to ensure the Organisation’s compliance with the Undertaking.