In more detail
In both of the mentioned undertakings, the relevant organizations notified the PDPC of personal data breaches, one of which involved unauthorized access to a database through SQL injection via a membership portal and another that involved a ransomware attack on company servers, resulting in an exfiltration of files and publishing of personal data on the dark web.
Investigations revealed that the causes behind the incidents include the following:
- System vulnerability to SQL injections, in particular a lack of adequate data validation and parameterized queries as security features allowing the threat actor to bypass other implemented security measures
- Lack of procedures for decommissioning IT assets and deleting data, resulting in personal data remaining on a network storage location long after data migration
- An inadequate password policy
- No documentation for regular reviews of firewall rules and patch management
Upon discovering the incidents, both organizations took remedial actions, including the following:
- Identifying root causes and implementing mitigation measures to block unauthorized access and prevent further data exposure
- Resetting all administrator passwords to deny access to all unauthorized users
- Immediately patching the identified SQL injection vulnerability and other related security gaps
- Conducting security configuration to enable the SQL injection protection rules within the web application firewall
- Notifying all affected individuals
- Deleting migrated data permanently
- Updating the data protection policy and conducting staff training on the updated policy
- Conducting refresher training on IT security for all staff
As part of the undertakings, the organizations will be implementing further remedial actions, including upgrading data encryption methods to industry-compliant standards, conducting regular cybersecurity training and preparing a comprehensive suite of cybersecurity training materials, among others.
The PDPC has stated that it will verify the organizations' compliance with the undertakings and, if necessary, issue a direction to ensure the organizations' compliance.
Key takeaways
The PDPC's regular publishing of the voluntary undertakings it accepts illustrates its continued monitoring of data breaches that occur in Singapore. All companies should ensure their compliance with all applicable requirements under the Personal Data Protection Act 2012. It is important to note the causes of other data breach incidents and the remedial actions that have been taken in response to such incidents, as these remedial measures can be typically considered as a best practice for minimizing data breach incidents and heightening compliance with data protection laws.
If you would like to find out more about such best practices and what you can do to prevent a data breach, please feel free to reach out to your Baker McKenzie contact.
* * * * *
© 2025 Baker & McKenzie. Wong & Leow. All rights reserved. Baker & McKenzie. Wong & Leow is incorporated with limited liability and is a member firm of Baker & McKenzie International, a global law firm with member law firms around the world. In accordance with the common terminology used in professional service organizations, reference to a "principal" means a person who is a partner, or equivalent, in such a law firm. Similarly, reference to an "office" means an office of any such law firm. This may qualify as "Attorney Advertising" requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome.
