Undertaking by MindChamps Preschool Limited

Background 

The Personal Data Protection Commission (the “Commission”) received information on 27 February 2020 that a dataset containing the personal data of the users of MindChamps Preschool Limited’s (“MindChamps”) mobile application was publicly accessible via an internet link. The personal data of approximately 6,521 individuals was affected, namely email addresses, login passwords and mobile numbers. In addition, the birth certificate numbers of 607 minors were also at risk of unauthorised disclosure.

Remedial Actions

After the incident, as part of a remediation plan, MindChamps:

(a) engaged an external IT consultant to determine the cause of the incident; 
(b) performed a password reset for all the user accounts of its mobile application; and 
(c) migrated all users to a newly designed mobile application. 

Undertaking 

Having considered the circumstances of the case, including the remedial steps taken by MindChamps to improve its data protection practices, the Commission accepted an undertaking from MindChamps to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 7 January 2021 (the “Undertaking”). 

The Undertaking provided that MindChamps was to complete the implementation of its remediation plan by carrying out data protection and security reviews on all of its current frontend and backend IT systems. In addition, MindChamps would also conduct training for its employees and ensure their compliance with its policies on vendor security management and to perform data protection impact assessments for any new IT projects.

MindChamps has since updated the Commission that implementation of its remediation plan has been completed. The Commission has reviewed the matter and determined that MindChamps has complied with the terms of the Undertaking.
