Academy of Medicine Singapore [2024] SGPDPCS 4

Analysis of [2024] SGPDPCS 4, a decision of the Personal Data Protection Commission on 2024-08-02.

Summary

The Personal Data Protection Commission (the "Commission") investigated a data breach incident involving the Academy of Medicine Singapore (the "Organisation"), a professional institution providing postgraduate medical education and specialist training in Singapore. The investigation found that the Organisation had breached the Protection Obligation under Section 24 of the Personal Data Protection Act 2012 (the "PDPA") by failing to make reasonable security arrangements to prevent unauthorized access, disclosure, and loss of personal data in its possession. As a result, the personal data of 6,574 individuals, including sensitive financial information, was exfiltrated and posted on the dark web. The Commission imposed a financial penalty of $9,000 on the Organisation and directed it to take specific remedial actions to address the identified security lapses.

What Were the Facts of This Case?

On 4 August 2023, the Commission was informed about a data breach incident involving the Organisation's servers being infected by ransomware on or about 13 July 2023. Consequently, personal data of 6,574 individuals had been exfiltrated and posted on the dark web (the "Incident").

The Organisation immediately disconnected the affected servers and engaged an external IT forensic investigator to determine the extent of the Incident and carry out remediation. The investigation revealed that the leaked data included the full credit card details of over 1,000 individuals, and that a total of 4.4TB of files on the Organisation's servers had been encrypted by the ransomware.

The investigation identified several lapses that contributed to the Incident, including: (a) the FortiOS firmware on the Organisation's firewall had not been patched since July 2021, leaving it exposed to a critical vulnerability; (b) the Endpoint Detection and Response (EDR) software installed on the affected servers and devices did not detect or block the execution of the attacker's tools; (c) the affected servers were running operating systems that had reached End-of-Life; (d) critical hosts and staff computers had not been regularly scanned for vulnerabilities; (e) essential threat detection capabilities and proper log retention were lacking; and (f) there were no documented, robust processes for the regular patching and updating of important software.

The key legal issue in this case was whether the Organisation had breached the Protection Obligation under Section 24 of the PDPA by failing to make reasonable security arrangements to protect the personal data in its possession or under its control.

Section 24(a) of the PDPA requires organisations to protect personal data in their possession or under their control by making reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification, or disposal, or similar risks.

How Did the Commission Analyse the Issues?

The Commission found that the Organisation had breached the Protection Obligation under Section 24 of the PDPA in the following ways:

First, the Organisation lacked sufficiently robust processes for updating or upgrading important software and firmware, which left known vulnerabilities unremediated in its firewall and servers. The Commission held that the Organisation's circumstances at the time, such as onboarding a new IT vendor and conducting an IT infrastructure review, did not excuse the absence of proper patch management procedures.

Second, the Organisation failed to put reasonable access control measures in place for sensitive financial information: credit card numbers together with their security codes were stored in plain text, without even password protection. The Commission highlighted that such data carries a heightened risk of identity theft and financial loss, which calls for a higher standard of security arrangements. Although the decision is framed under the PDPA alone, card security codes are also sensitive authentication data that the PCI DSS does not permit to be stored after a transaction has been authorised, even in encrypted form; the problem was therefore not only how the data was protected but that it was retained at all.

Third, the Organisation failed to stipulate data protection requirements or clear job specifications in the contract of its IT vendor, specifically in the areas of IT system security management, maintenance, and security reviews. The Commission emphasized that where organisations rely on vendors to perform IT security-related services, the scope of these services must be clearly defined in the vendor contract as part of the data controller's duty under the Protection Obligation.

What Was the Outcome?

Based on the findings, the Commission determined that the Organisation had breached the Protection Obligation under Section 24 of the PDPA. In determining the appropriate financial penalty, the Commission considered the impact of the personal data breach on the affected individuals, the nature of the Organisation's non-compliance, and the mitigating factors.

The Commission found that the personal data of 6,574 individuals had been affected, including the financial information of 1,083 individuals that was leaked on the dark web. The Commission also noted that the Organisation had continued to run vulnerable servers on End-of-Life operating systems for more than three years.

As mitigating factors, the Commission considered that the Organisation was cooperative during the investigation, voluntarily admitted to the breach, and this was its first instance of non-compliance with the PDPA. Consequently, the Commission required the Organisation to pay a financial penalty of $9,000 within 30 days.

In addition, the Commission directed the Organisation to take specific remedial actions to ensure its compliance with the Protection Obligation, such as implementing robust patch management procedures, enhancing access controls for sensitive data, and stipulating data protection requirements in its vendor contracts.

Why Does This Case Matter?

This case matters because it shows how the Commission applies the PDPA's requirement that organisations make reasonable security arrangements to protect personal data in their possession or under their control. It underscores the need for robust processes covering software and firmware updates, access controls, and vendor management in order to prevent unauthorised access, disclosure, and loss of personal data.

The Commission's decision is a useful reference point for organisations in the healthcare and education sectors, which often handle sensitive personal data, including financial information. It makes clear that organisations must maintain a standard of security for such data commensurate with the heightened risk of harm to individuals; failure to do so can result in financial penalties and reputational damage.

Furthermore, the case reinforces the Commission's stance on the importance of organizations actively managing their IT infrastructure and vendor relationships to ensure compliance with the PDPA. It sends a clear message that organizations cannot simply rely on their IT vendors to fulfill their data protection obligations, but must actively oversee and manage the security of their systems and the handling of personal data.

This article analyses [2024] SGPDPCS 4 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full decision for the Commission's complete reasoning.

Written by Sushant Shukla