Case Details
- Citation: [2025] SGPDPC 4
- Court: Intellectual Property Office of Singapore
- Date: 2025-06-20
- Judges: Lew Chuen Hong, Commissioner
- Plaintiff/Applicant: -
- Defendant/Respondent: Goldheart Jewelry Pte. Ltd.
- Legal Areas: Data Protection – Protection Obligation
- Statutes Referenced: Personal Data Protection Act, Personal Data Protection Act 2012
- Cases Cited: [2016] SGPDPC 19, [2018] SGPDPC 26, [2019] SGPDPC 3, [2020] SGPDPC 15, [2021] SGPDPC 11, [2022] SGPDPC 8, [2023] SGPDPC 10, [2023] SGPDPC 5, [2023] SGPDPCS 5, [2023] SGPDPCS 3
- Judgment Length: 20 pages, 4,728 words
Summary
In this case, the Personal Data Protection Commission (PDPC) investigated Goldheart Jewelry Pte. Ltd. (the "Organisation") for a data breach incident involving the unauthorised disclosure of the personal data of 41,379 individuals. The PDPC found that the Organisation had breached its obligation under Section 24 of the Personal Data Protection Act 2012 (PDPA) to make reasonable security arrangements to protect the personal data in its possession. Specifically, the PDPC determined that the Organisation failed to implement adequate patch management processes and reasonable access controls, which led to the data breach.
What Were the Facts of This Case?
The Organisation is a jewelry retailer that operates an online store and physical outlets in Singapore. It is majority owned and controlled by Aspial Corporation Limited ("Aspial"). The Organisation's website was built on the Magento e-commerce platform, and the customer data was stored on a MariaDB database management system hosted on the Organisation's web server.
On 26 May 2023, the Organisation notified the PDPC of a data breach incident in which the personal data of 41,379 individuals had been disclosed without authorisation. The PDPC commenced investigations and found that the breach occurred because the Organisation had failed to promptly apply a security patch for a known vulnerability in the Magento platform.
Specifically, a patch addressing CVE-2022-24086, a vulnerability that allowed remote code execution, was made available on 13 February 2022. However, the Organisation did not apply this patch until January 2023, 11 months later. During this period, a threat actor exploited the vulnerability to gain unauthorised access to the Organisation's server, exfiltrate the customer data, and publish it online.
The PDPC also found that the Organisation had stored plaintext credentials within the web server environment, which could have allowed the threat actor to further leverage those credentials to gain additional unauthorized access.
What Were the Key Legal Issues?
The key legal issue in this case was whether the Organisation had breached its obligations under Section 24 of the PDPA to make reasonable security arrangements to protect the personal data in its possession or under its control.
Section 24 of the PDPA requires organisations to "protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks." The PDPC's investigation focused on whether the Organisation had fulfilled this "Protection Obligation" with respect to the data breach incident.
How Did the Court Analyse the Issues?
In analysing the Organisation's compliance with the Protection Obligation, the PDPC considered two key aspects: the Organisation's failure to implement adequate patch management processes, and its failure to implement reasonable access controls.
Regarding patch management, the PDPC recognised that organisations often rely on vendors to carry out cybersecurity practices such as patching. However, the PDPC emphasised that this does not absolve the organisation of accountability. The organisation must set out the vendor's cybersecurity responsibilities clearly in the contract, and must have processes in place to monitor for updates and to request that the vendor apply necessary patches.
In this case, the PDPC found that the Organisation's contractual arrangements with its vendor, as well as the Aspial Group's Patch Management Policy, placed the responsibility for patch monitoring and application on the Organisation. The Organisation failed to fulfil this responsibility by not monitoring for the CVE-2022-24086 patch and not requesting the vendor to apply it in a timely manner.
Regarding access controls, the PDPC noted that organisations should implement reasonable security arrangements to limit access to data and information that could facilitate further access to the network. The PDPC cited its previous decision in Redmart Limited, where it found the organisation in breach of the Protection Obligation for storing API keys in plain text, allowing too many accounts to access them.
In this case, the PDPC found that the Organisation's practice of storing plaintext credentials within the web server environment was a failure to implement reasonable access controls, as it allowed the threat actor to leverage those credentials to gain further unauthorised access.
What Was the Outcome?
Based on the findings, the PDPC determined that the Organisation had breached its Protection Obligation under Section 24 of the PDPA in two respects: (1) failure to implement adequate patch management processes, and (2) failure to implement reasonable access controls.
The PDPC noted that the Organisation had taken various remedial measures after the incident, including suspending the website, removing the malicious files and plaintext credentials, resetting passwords and SSH keys, implementing access control measures, and applying security patches and upgrades to the Magento platform.
Why Does This Case Matter?
This case is significant for several reasons:
Firstly, it reinforces the PDPC's consistent position that organisations cannot simply outsource their cybersecurity responsibilities to vendors. Organisations must clearly define and monitor the vendor's responsibilities in the contract, and have their own processes in place to ensure the appropriate security measures are implemented.
Secondly, the case highlights the importance of timely patch management and the need for organisations to have robust processes to monitor for and apply security updates. Failure to do so can leave systems vulnerable to known exploits, as demonstrated in this incident.
Thirdly, the case underscores the PDPC's emphasis on reasonable access controls as a key component of the Protection Obligation. Organisations must carefully manage access to sensitive data and information that could be used to further compromise their systems.
Overall, this case provides valuable guidance to organisations on the practical steps they must take to fulfil their data protection obligations under the PDPA, particularly in the areas of vendor management, patch management, and access controls.
Cases Cited
- [2016] SGPDPC 19
- [2018] SGPDPC 26
- [2019] SGPDPC 3
- [2020] SGPDPC 15
- [2021] SGPDPC 11
- [2022] SGPDPC 8
- [2023] SGPDPC 10
- [2023] SGPDPC 5
- [2023] SGPDPCS 5
- [2023] SGPDPCS 3
This article analyses [2025] SGPDPC 4 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.