Case Details
- Citation: [2025] SGPDPCS 2
- Court: Personal Data Protection Commission
- Date: 2025-03-03
- Judges: Not specified
- Plaintiff/Applicant: Not specified
- Defendant/Respondent: Ezynetic Pte. Ltd.
- Legal Areas: Data Protection – Protection obligation
- Statutes Referenced: Personal Data Protection Act, Personal Data Protection Act 2012
- Cases Cited: [2025] SGPDPCS 2
- Judgment Length: 9 pages, 1,688 words
Summary
In this case, the Personal Data Protection Commission (the "Commission") found that Ezynetic Pte. Ltd. (the "Organisation"), a Singapore-incorporated Software-as-a-Service (SaaS) provider, had breached the Protection Obligation under Section 24 of the Personal Data Protection Act 2012 ("PDPA"). The breach occurred when the Organisation's servers were infected by ransomware, leading to the exfiltration and sale of personal data belonging to 190,589 individuals on the dark web.
The Commission determined that the Organisation had failed to implement reasonable security arrangements to prevent unauthorized access: in particular, access controls for the system administrator account were inadequate, and no periodic security reviews were carried out. As a result, the Commission imposed a financial penalty of $17,500 on the Organisation and directed it to obtain the Cyber Trustmark Certification for its new IT network.
What Were the Facts of This Case?
Ezynetic Pte. Ltd. is a Singapore-incorporated SaaS provider that offers information technology solutions and services to licensed moneylenders in Singapore. The Organisation's clients would input personal data of their prospective loan applicants and borrowers into the Organisation's moneylending system, which was linked to the Moneylenders Credit Bureau (MLCB) platform operated by Credit Bureau (Singapore) Pte Ltd.
On 24 June 2024, the Organisation discovered that it could not access the moneylending system, and that the relevant databases had been deleted by a threat actor who had gained access to the Organisation's database server. Investigations found that the threat actor had exploited a vulnerable web service application to gain access to and control of the Organisation's system administrator (SA) account, which had inadequate access controls and a weak password susceptible to brute force attacks.
The personal data exfiltrated by the threat actor included a combination of the name, address, email address, telephone number, NRIC number, date of birth, and financial information of 190,589 individuals. The MLCB platform itself was not compromised, as the incident only involved unauthorized access into the Organisation's internal systems.
What Were the Key Legal Issues?
The key legal issue in this case was whether the Organisation had breached the Protection Obligation under Section 24 of the PDPA. Section 24(a) of the PDPA requires organisations to protect personal data in their possession or under their control by making reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification, or disposal, or similar risks.
The Commission had to determine whether the Organisation's security measures, or lack thereof, amounted to a breach of the Protection Obligation. Specifically, the Commission had to assess the adequacy of the Organisation's access controls and its failure to conduct periodic security reviews of its infrastructure.
How Did the Court Analyse the Issues?
In its analysis, the Commission first acknowledged the Organisation's admission of the facts and its breach of the Protection Obligation under the Expedited Decision Procedure (EDP). The Commission then examined the specific lapses that had contributed to the data breach incident.
Regarding access controls, the Commission found that the Organisation had failed to adequately secure the SA account, which granted privileged access to the moneylending system. The weak password used for this account, which was susceptible to brute force attacks, was deemed an inadequate security arrangement to safeguard the personal data in the Organisation's possession.
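The two lapses the Commission identified for the SA account (a weak password and inadequate access controls) map onto controls that are straightforward to implement. The following is an added example, not code from the decision or from Ezynetic: a password-policy check applied before a privileged credential is accepted, and a failed-login monitor that flags a brute-force pattern in authentication logs and records when a lockout should begin. The log format, account names, IP addresses, thresholds and policy values are all constructed assumptions for illustration.

```python
"""Added example (not from the decision or from the Organisation):
privileged-account password policy check and brute-force lockout detection.
Log format, accounts, thresholds and policy values are constructed assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Policy for privileged accounts (assumed values, not taken from the decision).
MIN_LENGTH = 16
COMMON_PASSWORDS = {"password", "admin", "welcome1", "p@ssw0rd", "letmein"}


def check_privileged_password(password: str) -> list[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password denylist")
    # Count character classes present: lowercase, uppercase, digit, symbol.
    classes = sum(
        re.search(p, password) is not None
        for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]")
    )
    if classes < 3:
        problems.append("uses fewer than 3 of: lowercase, uppercase, digit, symbol")
    return problems


# Assumed authentication log line format (constructed for this example).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def detect_brute_force(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {user: timestamp} for accounts that accumulated `threshold` or more
    failed logins inside a sliding `window`; the timestamp is the failure at
    which a lockout (or an alert to the on-call team) should have started."""
    recent = defaultdict(deque)  # per-user timestamps of recent failures
    locked = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # ignore lines that do not match the assumed format
        user, ts = m["user"], datetime.fromisoformat(m["ts"])
        if m["result"] == "OK":
            recent[user].clear()  # a successful login resets the failure window
            continue
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop failures older than the window
        if len(q) >= threshold and user not in locked:
            locked[user] = ts
    return locked


# Constructed sample log: six rapid failures against "sa", two events for "alice".
SAMPLE_LOG = [
    "2025-01-01T01:00:00 auth FAIL user=sa src=203.0.113.7",
    "2025-01-01T01:00:10 auth FAIL user=sa src=203.0.113.7",
    "2025-01-01T01:00:20 auth FAIL user=sa src=203.0.113.7",
    "2025-01-01T01:00:30 auth FAIL user=sa src=203.0.113.7",
    "2025-01-01T01:00:40 auth FAIL user=sa src=203.0.113.7",
    "2025-01-01T01:00:50 auth FAIL user=sa src=203.0.113.7",
    "2025-01-01T01:01:00 auth FAIL user=alice src=198.51.100.4",
    "2025-01-01T01:01:05 auth OK user=alice src=198.51.100.4",
]

if __name__ == "__main__":
    for pw in ("admin", "Correct-Horse-Battery-Staple-42"):
        print(repr(pw), "->", check_privileged_password(pw) or "passes policy")
    for user, ts in detect_brute_force(SAMPLE_LOG).items():
        print(f"lock {user}: threshold reached at {ts.isoformat()}")
```

The password check is a gate on credential creation or rotation for privileged accounts; the log monitor is the compensating control that would have surfaced a brute-force attempt against the SA account in time to lock it, and it can be run over a live authentication log in the same way it runs over the constructed sample here.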
The Commission also determined that the Organisation's failure to conduct periodic vulnerability assessments or penetration testing of its infrastructure amounted to a breach of the Protection Obligation. As stated in the Commission's own guidance, organisations should, as a basic practice, regularly conduct web application vulnerability scanning and assessments after deployment.
In reaching its conclusion, the Commission considered the nature and volume of personal data entrusted to the Organisation as a SaaS provider, as well as the expectation that such a provider should possess the necessary technical expertise to implement reasonable cybersecurity measures.
What Was the Outcome?
Based on the Organisation's admission and the Commission's analysis, the Deputy Commissioner determined that the Organisation had breached the Protection Obligation under Section 24 of the PDPA.
The Commission imposed a financial penalty of $17,500 on the Organisation, taking into account the impact of the personal data breach, the nature of the Organisation's non-compliance, and its annual turnover. The Commission also considered mitigating factors, such as the Organisation's cooperation, its voluntary admission of the breach, and the fact that this was its first instance of non-compliance with the PDPA.
In addition to the financial penalty, the Commission directed the Organisation to obtain the Cyber Trustmark Certification for its new IT network within 9 months and to report to the Commission on the completion of this action.
Why Does This Case Matter?
This case is significant for several reasons. First, it highlights how important it is for organisations, particularly those handling sensitive personal data, to implement robust and comprehensive security measures to protect against data breaches. The Commission's findings emphasize the need for organisations to have adequate access controls, including strong password policies, and to regularly conduct security assessments to identify and address vulnerabilities.
Second, the case underscores the Commission's willingness to take enforcement action against organisations that fail to comply with the Protection Obligation under the PDPA. The imposition of a financial penalty, together with the directive to obtain the Cyber Trustmark Certification, demonstrates the Commission's commitment to ensuring that organisations take their data protection responsibilities seriously.
Finally, this case serves as a valuable precedent for organisations in the SaaS and technology sectors, as it sets an expectation that they should possess the necessary technical expertise to implement reasonable security measures to protect the personal data entrusted to them. The Commission's decision sends a clear message that a lack of such expertise will not be an excuse for non-compliance with the PDPA.
Legislation Referenced
- Personal Data Protection Act 2012
Cases Cited
- [2025] SGPDPCS 2
Source Documents
This article analyses [2025] SGPDPCS 2 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.