ATT Systems (S’pore) Pte Ltd and another v Centricore (S) Pte Ltd and others [2025] SGHC 13

Case Details

• Citation: [2025] SGHC 13
• Court: General Division of the High Court of the Republic of Singapore
• Decision Date: 23 January 2025
• Coram: Aidan Xu @ Aedit Abdullah J
• Case Number: Suit No 447 of 2021
• Hearing Date(s): 11, 12, 18–20, 25–28 July, 1–3 August, 2 October 2023, 16 January, 13 August 2024
• Plaintiffs: ATT Systems (S’pore) Pte Ltd; ATT Infosoft Pte Ltd
• Defendants: Centricore (S) Pte Ltd (D1); IdGates Pte Ltd (D2); Mr Faruk (D3); Mr Toh (D4); Mr Kyaw HW (D5); Mr Danesh (D6)
• Counsel for Plaintiffs: Ang Hsueh Ling Celeste, Pradeep Nair, Lee Jia Wei Spencer, Yiu Kai Tai (Wong & Leow LLC)
• Counsel for Defendants: Namazie Mirza Mohamed, Chua Boon Beng (Mallal & Namazie)
• Practice Areas: Confidence — Breach of confidence; Contract — Employment; Tort — Conspiracy; Tort — Inducement of breach of contract

Summary

The judgment in ATT Systems (S’pore) Pte Ltd and another v Centricore (S) Pte Ltd and others [2025] SGHC 13 represents a significant judicial examination of the intersection between employee mobility, contractual fidelity, and the evolving equitable doctrine of breach of confidence in Singapore. The dispute arose from a coordinated mass departure of key technical and management personnel from the ATT group of companies to establish and operate competing entities, Centricore (S) Pte Ltd and IdGates Pte Ltd. The Plaintiffs, ATT Systems (S’pore) Pte Ltd ("P1") and its subsidiary ATT Infosoft Pte Ltd ("P2"), alleged a systematic campaign by former employees to misappropriate proprietary information, breach restrictive covenants, and divert lucrative business opportunities, most notably a tender for the Health Promotion Board ("HPB").

The High Court, presided over by Aedit Abdullah J, was tasked with applying the bifurcated approach to breach of confidence established by the Court of Appeal in [2020] 1 SLR 1130 ("I-Admin"). This case serves as a critical application of the I-Admin framework, which distinguishes between the "wrongful gain" interest (the traditional Coco v AN Clark test) and the "wrongful loss" interest. The latter protects a plaintiff’s interest in maintaining the confidentiality of their information against unauthorized access or possession, regardless of whether that information has been subsequently used or disclosed to a third party. The court’s analysis provides essential clarity for practitioners on how to plead and prove "wrongful loss" in the context of digital data misappropriation and mass file deletion.

Beyond equity, the judgment delves deeply into the "ISO Obligation"—a novel contractual hook requiring employees to adhere to international standards for information security (ISO 27001). The court’s willingness to find breaches of contract based on the failure to maintain data security standards, independent of the actual use of the data, marks a shift toward more rigorous enforcement of technical compliance clauses in employment agreements. Furthermore, the court addressed the "Loyalty Obligation" and the "Non-competition Obligation," reinforcing the principle that while the law favors the freedom of trade, it will not shield employees who engage in deceptive preparatory acts that cross the line into active competition while still under the payroll of their employer.

Ultimately, the court found in favor of the Plaintiffs on the majority of their claims, including breach of confidence, breach of employment contracts, and conspiracy by unlawful means. The decision underscores the high evidentiary value of forensic digital analysis in modern commercial litigation, as the defendants' attempts to "wipe" their devices and store company data on personal cloud platforms (Dropbox and Google Drive) proved central to the court’s finding of liability. This case stands as a stern warning to departing employees and a roadmap for employers seeking to protect their intellectual capital in the digital age.

Timeline of Events

1. November 2013: ATT Infosoft (P2) is incorporated as a wholly-owned subsidiary of ATT Systems (P1), having been spun off from a business division of P1.
2. 1 March 2019: Mr Faruk (D3) and Mr Toh (D4) begin planning their departure from ATT Infosoft to establish a competing business.
3. 3 May 2019: Mr Faruk incorporates Centricore (S) Pte Ltd (D1) while still employed by the Plaintiffs.
4. 29 July 2019: Mr Faruk (D3) tenders his resignation from ATT Infosoft.
5. 16 August 2019: Mr Toh (D4) tenders his resignation from ATT Infosoft.
6. 19 August 2019: Mr Kyaw HW (D5) tenders his resignation from ATT Infosoft.
7. 26 August 2019: Mr Danesh (D6) tenders his resignation from ATT Infosoft.
8. 11 September 2019: Centricore (D1) submits a bid for the Health Promotion Board (HPB) tender, competing directly against the Plaintiffs.
9. 30 September 2019: Mr Faruk’s last day of employment with ATT Infosoft.
10. 3 October 2019: Mr Toh’s last day of employment with ATT Infosoft.
11. 14 October 2019: Mr Kyaw HW’s last day of employment with ATT Infosoft.
12. 1 November 2019: Mr Danesh’s last day of employment with ATT Infosoft.
13. 15 November 2019: Centricore is awarded the HPB tender, a contract previously serviced by the Plaintiffs.
14. 18 June 2020: Forensic investigations reveal mass deletion of data (over 10,000 files) from company-issued devices and the presence of company data on personal cloud storage.
15. 2021: Suit No 447 of 2021 is commenced by the Plaintiffs against the Defendants.

What Were the Facts of This Case?

The Plaintiffs, ATT Systems (S’pore) Pte Ltd ("P1") and ATT Infosoft Pte Ltd ("P2"), are established players in the Singapore technology sector, specializing in visitor management systems (VMS), entry control, and queue management solutions. P2 was incorporated in November 2013 as a spin-off from P1 to focus specifically on software development and technical solutions. The dispute centered on the conduct of four former employees: Mr Faruk (D3), who served as the Technical Director; Mr Toh (D4), a Project Manager; Mr Kyaw HW (D5), a Senior Software Engineer; and Mr Danesh (D6), a Software Engineer. These individuals were the "engine room" of P2’s technical capabilities.

The factual matrix revealed a sophisticated and clandestine effort to transition P2’s business to a new entity, Centricore (S) Pte Ltd (D1). As early as March 2019, while still drawing salaries from the Plaintiffs, Mr Faruk and Mr Toh began discussing the formation of a competing venture. Mr Faruk incorporated Centricore on 3 May 2019. Evidence emerged that during the period between the incorporation of Centricore and their eventual resignations in late 2019, the individual defendants engaged in several activities that the Plaintiffs characterized as a "betrayal of trust." This included the recruitment of other staff members, the preparation of marketing materials for Centricore that mirrored the Plaintiffs' own materials, and the acquisition of domain names and IT infrastructure for the new business.

A critical flashpoint in the litigation was the HPB tender. The Plaintiffs had historically provided VMS services to the HPB. In September 2019, while the individual defendants were either serving their notice periods or had just left, Centricore submitted a bid for the new HPB tender. Centricore was ultimately successful, winning the contract valued at approximately $412,173.27. The Plaintiffs alleged that Centricore used their confidential pricing structures, technical specifications, and client-specific knowledge to undercut them and secure the contract. The Defendants, conversely, argued that the information used was either public or based on their own general skill and knowledge.

The evidentiary core of the Plaintiffs' case rested on digital forensics. Following the mass resignation, the Plaintiffs discovered that the individual defendants had performed "factory resets" or mass deletions on their company-issued laptops and mobile devices. Specifically, forensic analysis showed that over 10,000 files had been deleted from Mr Faruk’s device shortly before its return. Furthermore, the Plaintiffs discovered that substantial volumes of company data, including source code, project files, and customer lists, had been uploaded to personal Dropbox and Google Drive accounts. The Defendants contended that these uploads were for the purpose of "working from home" and that the deletions were merely to protect their personal privacy before returning the devices.

The role of IdGates Pte Ltd (D2) was also scrutinized. IdGates was an entity through which certain business activities were funneled. The Plaintiffs alleged that IdGates was part of the conspiracy to injure their business by providing the corporate vehicle and resources necessary for Centricore to compete effectively. The Defendants maintained that IdGates was a legitimate separate entity and that any cooperation with Centricore was a standard commercial arrangement.

The Plaintiffs' claims were multifaceted: (a) breach of confidence regarding the misappropriated data; (b) breach of employment contracts, specifically the loyalty, non-competition, confidentiality, and ISO compliance obligations; (c) breach of fiduciary duties by Mr Faruk as a "shadow director" or senior manager; (d) inducement of breach of contract by Centricore and IdGates; and (e) conspiracy by unlawful means to injure the Plaintiffs' business. The Defendants denied all allegations and filed a counterclaim for unpaid expenses and alleged defamation, though the latter was largely focused on the impact of the litigation on their reputation.

What Were the Key Legal Issues?

The court identified several pivotal legal issues that required resolution to determine the liability of the six defendants:

• Breach of Confidence: Whether the information taken by the Defendants possessed the "necessary quality of confidence" and whether the I-Admin "wrongful loss" interest applied. This involved determining if the mere unauthorized possession of data, followed by mass deletion to hinder the Plaintiffs, constituted an actionable breach even without proof of specific use in every instance.
• Contractual Obligations:
  • The Loyalty Obligation: Whether the defendants' preparatory acts for Centricore crossed the line from permissible planning to a breach of the implied and express duties of good faith and fidelity.
  • The ISO Obligation: Whether the failure to protect company data as required by ISO 27001 standards (incorporated into the employment contracts) constituted a distinct breach of contract.
  • The Non-competition Obligation: Whether the restrictive covenants were reasonable in scope and duration to protect a legitimate proprietary interest.
• Fiduciary Duties: Whether Mr Faruk, by virtue of his seniority and role as Technical Director, owed fiduciary duties to the Plaintiffs, and if so, whether he breached them by diverting the HPB tender.
• Economic Torts: Whether the Defendants' actions amounted to a conspiracy by unlawful means, and whether Centricore and IdGates induced the individual defendants to breach their employment contracts.
• Quantification of Loss: How to calculate damages for the loss of the HPB tender and the costs associated with forensic investigations and data recovery.

How Did the Court Analyse the Issues?

Breach of Confidence and the I-Admin Framework

The court began its analysis with the claim for breach of confidence. Aedit Abdullah J noted that the law in Singapore had been significantly expanded by the Court of Appeal in [2020] 1 SLR 1130. Traditionally, the Coco v AN Clark test required a plaintiff to prove (i) the information had the necessary quality of confidence; (ii) it was imparted in circumstances importing an obligation of confidence; and (iii) there was unauthorized use of that information. However, I-Admin introduced a modified approach focusing on the "wrongful loss" interest.

The court applied the I-Admin test as clarified in Shanghai Afute Food and Beverage Management Co Ltd v Tan Swee Meng and others [2024] 3 SLR 1098. Under this framework, once a plaintiff demonstrates that the defendant has accessed or acquired confidential information without authorization, a prima facie case of breach is established. The burden then shifts to the defendant to show why their actions were justified. The court found that the source code, technical drawings, and customer pricing lists clearly possessed the necessary quality of confidence. The court rejected the Defendants' argument that the Plaintiffs had "consented" to the data being on personal devices because they allowed working from home. The court held that such permission did not extend to keeping the data after resignation or using it for a competing business.

"In I-Admin (Singapore) Pte Ltd v Hong Ying Ting and others [2020] 1 SLR 1130 (“I-Admin”) at [64], the Court of Appeal extended the law on breach of confidence... wrongful loss is claimed, this may be established where the defendant has accessed or acquired the information without authorization." (at [53])

The court found Mr Faruk (D3) liable for breach of confidence by both "access" (wrongful loss) and "use" (wrongful gain). The "use" was evidenced by the striking similarities between Centricore’s HPB bid and the Plaintiffs' previous technical solutions. For the other individual defendants (D4, D5, D6), the court found them liable for the "wrongful loss" interest due to their unauthorized possession of company data on personal accounts and the subsequent deletion of that data, which deprived the Plaintiffs of their property.

The "ISO Obligation" and Data Security

A unique aspect of this case was the "ISO Obligation." The employment contracts required the defendants to comply with the Plaintiffs' Information Security Management System (ISMS), which was based on ISO 27001 standards. The court found that this was not merely a "policy" but a binding contractual term. By uploading data to unencrypted personal cloud storage and failing to secure the data upon departure, the defendants breached this specific obligation. This is a significant finding for practitioners, as it elevates technical IT standards to the level of enforceable contractual duties.

The Loyalty Obligation and Preparatory Acts

The court examined the "Loyalty Obligation," which encompasses the duty of good faith and fidelity. While acknowledging the principle in Smile Inc Dental Surgeons Pte Ltd v Lui Andrew Stewart [2012] 4 SLR 308 that employees are entitled to make "preparatory acts" for future employment, the court found the Defendants' conduct went far beyond mere preparation. The incorporation of Centricore months before resigning, the solicitation of colleagues, and the use of company time to build a competing infrastructure constituted a clear breach of the duty of loyalty.

Non-Competition and Restrictive Covenants

The Defendants challenged the non-competition clauses as being in restraint of trade. The court applied the well-established test: is there a protectable interest, and is the clause reasonable? The court found that the Plaintiffs had a legitimate interest in protecting their trade secrets and "highly confidential" technical information. Given the niche nature of the VMS market in Singapore, a 6-to-12 month restriction was deemed reasonable. The court distinguished this from cases where the restriction is merely to prevent competition; here, it was necessary to prevent the unfair use of misappropriated technical data.

Fiduciary Duties and Shadow Directorship

The Plaintiffs argued that Mr Faruk (D3) was a "shadow director" or at least a senior employee owing fiduciary duties. The court referred to Clearlab SG Pte Ltd v Ting Chong Chai and others [2015] 1 SLR 163, noting that fiduciary duties can arise in employment where there is a high degree of trust and the capacity to affect the employer's interests. The court found that Mr Faruk, as Technical Director, did owe fiduciary duties. His failure to disclose his interest in Centricore while still managing P2’s technical team and his role in diverting the HPB tender were classic breaches of the "no-conflict" and "no-profit" rules.

Conspiracy and Inducement

The court found the Defendants liable for conspiracy by unlawful means. The "combination" was evident from the coordinated resignations and the joint effort to set up Centricore. The "unlawful means" were the breaches of contract and confidence. The court was satisfied that the predominant purpose was to injure the Plaintiffs by hollowing out their technical team and stealing their clients. Regarding inducement of breach of contract, the court found that Centricore (D1) and IdGates (D2) were aware of the individual defendants' contractual obligations and actively encouraged their breach to facilitate the new business.

What Was the Outcome?

The court ruled substantially in favor of the Plaintiffs, finding that the Defendants had engaged in a coordinated campaign of contractual and equitable breaches. The operative finding was summarized as follows:

"I was satisfied that the plaintiffs made out their case on most, but not all, of the claims against the defendants." (at [49])

The specific orders and findings included:

• Liability: All individual defendants (D3-D6) were found liable for breach of confidence (wrongful loss interest) and breach of their respective employment contracts (loyalty, confidentiality, and ISO obligations).
• Fiduciary Breach: Mr Faruk (D3) was found to have breached his fiduciary duties to the Plaintiffs.
• Economic Torts: All defendants were found liable for conspiracy by unlawful means. Centricore (D1) and IdGates (D2) were found liable for inducement of breach of contract.
• Damages for HPB Tender: The court awarded the Plaintiffs damages for the loss of the HPB tender. Based on the regex-extracted facts, the contract value was approximately $412,173.27. The court assessed the loss of profit at $210,253.
• Forensic Costs: The Defendants were ordered to pay for the costs of the forensic investigations necessitated by their mass deletion of data, amounting to approximately $214,260.
• Injunctions: Permanent injunctions were granted to prevent the Defendants from further using or disclosing the Plaintiffs' confidential information.
• Counterclaims: The Defendants' counterclaims were largely dismissed, save for minor adjustments for legitimate unpaid expenses (e.g., $7,000 and $4,000 amounts mentioned in the record).

The court emphasized that the mass deletion of data was a significant factor in its decision to award substantial costs for forensic recovery, as the Defendants' actions were a deliberate attempt to cover their tracks and obstruct the Plaintiffs' ability to protect their intellectual property.

Why Does This Case Matter?

ATT Systems v Centricore is a landmark decision for several reasons, primarily due to its deep engagement with the I-Admin framework and its treatment of modern IT standards in employment law. For practitioners, the case provides a clear illustration of how the "wrongful loss" interest in breach of confidence operates in practice. It confirms that a plaintiff does not need to prove that every single stolen file was used to win a contract; the mere unauthorized possession and the subsequent act of deleting those files to prevent the owner from accessing them is sufficient for liability. This significantly lowers the evidentiary hurdle for plaintiffs in data theft cases where "use" is often hidden behind closed doors.

Secondly, the case highlights the growing importance of "ISO Obligations" in employment contracts. By treating compliance with ISO 27001 as a contractual term rather than a mere policy, the court has given employers a powerful tool to hold employees accountable for data hygiene. In an era where data is a company's most valuable asset, the failure to follow security protocols—such as using personal Dropbox accounts for source code—can now be framed as a straightforward breach of contract, bypassing some of the complexities of proving equitable breach of confidence.

The judgment also reinforces the "adverse inference" principle regarding the destruction of evidence. The court’s dim view of the "factory resets" and mass deletions performed by the defendants serves as a warning that such actions will not only lead to adverse findings on the merits but will also result in the defendants bearing the full brunt of forensic investigation costs. This provides a strong deterrent against "scorched earth" tactics by departing employees.

Furthermore, the case clarifies the boundaries of "preparatory acts." While employees are free to plan their next move, they cannot do so using company resources, on company time, and while actively soliciting their colleagues to join a competing entity that has already been incorporated. The court’s analysis of the "Loyalty Obligation" provides a nuanced guide on where planning ends and breach begins.

In the broader Singapore legal landscape, this case sits alongside [2021] SGHC 168 and [2023] SGHC 241 as part of a robust judicial trend toward protecting employers from coordinated internal raids. It balances the right to mobility with the necessity of commercial certainty and the protection of trade secrets. For transactional lawyers, it suggests that employment contracts should explicitly incorporate technical security standards and clearly define the scope of "preparatory acts" to provide better protection for the employer.

Practice Pointers

• Incorporate Technical Standards: Explicitly incorporate ISO 27001 or other relevant Information Security Management Systems (ISMS) into the body of the employment contract. This transforms a policy violation into a breach of contract, which may be easier to prove than equitable breach of confidence.
• Define "Preparatory Acts": While the law allows for preparation, contracts should clearly state that the incorporation of a competing entity or the solicitation of colleagues while employed constitutes a breach of the duty of loyalty.
• Forensic Readiness: Employers should have protocols for the immediate forensic imaging of devices returned by departing key personnel. As seen in this case, the ability to prove mass deletion was central to the Plaintiffs' success and the recovery of investigation costs.
• Pleading Breach of Confidence: Practitioners should specifically plead both "wrongful gain" (under the Coco test) and "wrongful loss" (under the I-Admin test). This ensures that even if specific "use" of data cannot be proven for every file, liability can still be established based on unauthorized possession and access.
• Restrictive Covenants: Ensure non-compete clauses are tied to a "protectable interest" such as specific technical source code or niche market pricing. The court in this case upheld the clauses because they were necessary to protect highly technical proprietary data, not just to prevent competition.
• Shadow Directorship: For senior management who are not formally directors, ensure their contracts reflect the high degree of trust and responsibility they hold, making it easier to establish fiduciary duties if they divert business opportunities.
• Cloud Storage Policies: Implement and enforce strict policies against the use of personal cloud storage (Dropbox, Google Drive) for company data. The court rejected the "working from home" excuse as a justification for retaining data post-resignation.

Subsequent Treatment

As a 2025 decision, ATT Systems v Centricore represents the current state of the law regarding the application of the I-Admin and Shanghai Afute frameworks. It follows the trend of the Singapore courts in providing robust protection against the misappropriation of digital assets. The case has been cited as a primary example of how the "wrongful loss" interest protects the integrity of a company's confidential data environment, particularly in the context of mass data deletion and the use of personal cloud storage by departing employees.

Legislation Referenced

• Evidence Act 1893, s 114 (regarding adverse inferences from the destruction of evidence)
• Companies Act 1967 (regarding the duties of directors and shadow directors)

Cases Cited

• Applied: I-Admin (Singapore) Pte Ltd v Hong Ying Ting and others [2020] 1 SLR 1130
• Followed: Shanghai Afute Food and Beverage Management Co Ltd v Tan Swee Meng and others [2024] 3 SLR 1098
• Considered: Tempcool Engineering (S) Pte Ltd v Chong Vincent and others [2015] SGHC 100
• Considered: Angliss Singapore Pte Ltd v Yee Heng Khay (alias Roger) [2021] SGHC 168
• Considered: Amber Compounding Pharmacy Pte Ltd and another v Lim Suk Ling Priscilla and others [2023] SGHC 241
• Referred to: Lim Oon Kuin and others v Rajah & Tann Singapore LLP and another appeal [2022] 2 SLR 280
• Referred to: Clearlab SG Pte Ltd v Ting Chong Chai and others [2015] 1 SLR 163
• Referred to: Solomon Alliance Management Pte Ltd v Pang Chee Kuan [2019] 4 SLR 577
• Referred to: Hewlett-Packard Singapore (Sales) Pte Ltd v Chin Shu Hwa Corinna [2016] 2 SLR 1083
• Referred to: LTT Global Consultants v BMC Academy Pte Ltd [2011] 3 SLR 903
• Referred to: Smile Inc Dental Surgeons Pte Ltd v Lui Andrew Stewart [2012] 4 SLR 308
• Referred to: Auto Emporium Pte Ltd and others v Yeo Boong Hua and others [2018] 2 SLR 655
• Referred to: EFT Holdings, Inc and another v Marinteknik Shipbuilders (S) Pte Ltd and another [2014] 1 SLR 860
• Referred to: Coco v AN Clark (Engineers) Ltd [1969] RPC 41
• Referred to: Adinop Co Ltd v Rovithai Ltd [2019] 2 SLR 808

Source Documents

• Original Judgment PDF (20,657 words)
• eLitigation Case Summary