Cortina Watch Pte. Ltd. [2024] SGPDPCS 3

Analysis of [2024] SGPDPCS 3, a decision of the Personal Data Protection Commission on 2024-05-23.

Case Details

Summary

This case involves an investigation by the Singapore Personal Data Protection Commission (the "Commission") into a data breach incident at Cortina Watch Pte. Ltd. (the "Organisation"). The Organisation experienced a ransomware attack on its server, which resulted in the personal data of 3,953 individuals being accessed and exfiltrated. The Commission found that the Organisation had failed to implement reasonable security arrangements to protect the personal data in its possession, in breach of section 24 of the Personal Data Protection Act 2012 (the "PDPA"). As a result, the Commission directed the Organisation to engage a third-party cybersecurity vendor to conduct a targeted security audit and to submit a comprehensive report to the Commission.

What Were the Facts of This Case?

Cortina Watch Pte. Ltd. is a company primarily involved in the retail, import, and export of timepieces, branded pens, and luxury accessories. On 5 June 2023, the Commission received a Data Breach Notification from the Organisation regarding a ransomware attack on its server (the "Incident").

The Organisation subsequently confirmed that the personal data of 3,953 individuals had been accessed and exfiltrated in the Incident. The types of personal data affected included full names, contact numbers, addresses, email addresses, dates of birth, NRIC/passport numbers, and bank account numbers.

The Commission's investigation, along with the efforts of an IT forensic investigation firm engaged by the Organisation, revealed that the Organisation had experienced multiple brute force attacks between 30 April and 4 June 2023. On 27 May 2023, a Virtual Private Network (VPN) account used by the Organisation to test VPN access to live environments was compromised. The threat actor successfully accessed a password-protected master password file and then moved laterally across the servers, exfiltrating 5.82 GB of data and deploying the "Lockbit 3.0" ransomware to encrypt other files on the Organisation's servers. The personal data of the affected individuals was subsequently posted on the dark web.

The key legal issue in this case was whether the Organisation had breached its obligations under section 24 of the PDPA to protect the personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification, disposal, or similar risks.

The Commission had to determine whether the security measures implemented by the Organisation were reasonable, taking into account the volume and sensitivity of the personal data handled, the nature of the Organisation's business, and the types of services it offered.

How Did the Court Analyse the Issues?

The Commission found that the Organisation had breached section 24 of the PDPA by failing to have reasonable security arrangements in place to protect the personal data in its possession or control. The Commission noted that the Organisation had admitted to a lack of "house-keeping" on its "test" VPN user accounts and a failure to implement reasonable access controls to its network through these accounts.

The Commission highlighted that in its previous decision in Lovebonito Singapore Pte. Ltd. [2022] SGPDPC 3, it had made clear that multi-factor authentication (MFA) should be implemented as a baseline requirement for privileged accounts with remote access to confidential or sensitive personal data or large volumes of personal data. The Organisation had admitted that it could have, but had neglected to, implement MFA for its VPN accounts, firewall access, and access to files holding passwords.

Additionally, the Commission found that the Organisation had failed to enforce a robust password policy, as recommended in its Guide to Data Protection Practices for ICT Systems. The Commission stated that a strong password policy is a key security measure to prevent common hacking attempts such as brute force attacks, and that the Organisation's failure to enforce a combination of alphanumeric characters in its password policy was a breach of section 24 of the PDPA.
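The facts section describes repeated brute-force attempts culminating in a working login on a test VPN account, and the Commission treats a weak password policy and missing MFA as the enabling gaps. As an added example (not from the decision or the Organisation's systems), the following Python script runs a simple brute-force check over constructed VPN authentication log lines, flagging accounts that see a burst of failed logins followed by a success. The log format, account names, IP addresses and thresholds are all assumptions.

```python
"""Brute-force detection over VPN auth logs (added example, constructed data).
Assumed log format, not the Organisation's real one:
    <ISO-8601 timestamp> vpn auth <user> <FAILED|SUCCESS> <source_ip>"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a burst of failures on a 'test' VPN account followed by
# a successful login, plus one ordinary typo-then-success from a real user.
SAMPLE_LOG = """\
2023-05-27T01:10:02Z vpn auth vpn-test01 FAILED 203.0.113.7
2023-05-27T01:10:03Z vpn auth vpn-test01 FAILED 203.0.113.7
2023-05-27T01:10:05Z vpn auth vpn-test01 FAILED 203.0.113.7
2023-05-27T01:10:06Z vpn auth vpn-test01 FAILED 203.0.113.7
2023-05-27T01:10:08Z vpn auth vpn-test01 FAILED 203.0.113.7
2023-05-27T01:14:41Z vpn auth vpn-test01 SUCCESS 203.0.113.7
2023-05-27T08:02:10Z vpn auth alice FAILED 198.51.100.20
2023-05-27T08:02:31Z vpn auth alice SUCCESS 198.51.100.20
"""

def parse_line(line):
    """Split one log line into (timestamp, user, result, source_ip)."""
    ts, _, _, user, result, src = line.split()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), user, result, src

def detect_brute_force(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return {user: {"failures": n, "compromised": bool}} for accounts that
    saw >= threshold FAILED logins inside `window`. 'compromised' is True when
    a SUCCESS follows the burst; a real user can also fail then succeed, so
    treat it as a lead for the analyst, not proof on its own."""
    events = sorted(parse_line(ln) for ln in log_text.splitlines() if ln.strip())
    per_user = defaultdict(list)
    for ev in events:
        per_user[ev[1]].append(ev)
    findings = {}
    for user, evs in per_user.items():
        fails = [t for t, _, r, _ in evs if r == "FAILED"]
        burst_end = None
        for i in range(len(fails)):           # sliding window over failure times
            j = i
            while j < len(fails) and fails[j] - fails[i] <= window:
                j += 1
            if j - i >= threshold:
                burst_end = fails[j - 1]
                break
        if burst_end is None:
            continue
        success_after = any(r == "SUCCESS" and t > burst_end for t, _, r, _ in evs)
        findings[user] = {"failures": len(fails), "compromised": success_after}
    return findings
```

Run against a real VPN log export the same pattern would surface accounts like the dormant test account in this case; in practice you would pair it with an inventory check that such accounts have MFA or have been disabled.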

What Was the Outcome?

Instead of imposing a financial penalty, the Commission directed the Organisation to engage a third-party cybersecurity vendor to conduct a targeted security audit to enhance access control to the personal data in its possession within the network. The Organisation was required to complete the audit within 60 days and submit a comprehensive report to the Commission within 7 days of its completion.

Why Does This Case Matter?

This case is significant for several reasons:

Firstly, it reinforces the importance of implementing reasonable security measures to protect personal data, as required by section 24 of the PDPA. The Commission has made it clear that organizations must take proactive steps to assess and enhance their data protection practices, particularly in areas such as access control, password policies, and the use of MFA.

Secondly, the case highlights the Commission's willingness to take a firm stance on data protection breaches, even in the absence of a financial penalty. By directing the Organisation to undergo a targeted security audit and submit a comprehensive report, the Commission has demonstrated its commitment to ensuring that organizations take concrete steps to address their data protection deficiencies and prevent future breaches.

Finally, this case serves as a valuable precedent for other organizations, as it provides guidance on the Commission's expectations regarding reasonable security arrangements under the PDPA. The Commission's references to its own guidance and previous decisions underscore the importance of organizations staying up-to-date with the Commission's evolving standards and best practices in data protection.

This article analyses [2024] SGPDPCS 3 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.

Written by Sushant Shukla