Case Details
- Citation: [2024] SGPDPC 3
- Court: Personal Data Protection Commission
- Date: 2024-05-14
- Judges: Lew Chuen Hong, Commissioner
- Plaintiff/Applicant: -
- Defendant/Respondent: Keppel Telecommunications & Transportation Ltd
- Legal Areas: Data Protection – Protection obligation
- Statutes Referenced: Personal Data Protection Act
- Cases Cited: [2020] SGPDPC 10, [2022] SGPDPC 9, [2023] SGPDPC 5, [2023] SGPDPCS 4, [2023] SGPDPCS 5, [2024] SGPDPC 3
- Judgment Length: 14 pages, 2,928 words
Summary
In this case, the Personal Data Protection Commission (PDPC) investigated Keppel Telecommunications & Transportation Ltd (the Organisation) over a data breach in which a threat actor gained unauthorised access to a server belonging to Geodis Logistics Singapore Pte. Ltd. (GLS) and exfiltrated personal data that the Organisation had left on it. The PDPC found that the Organisation had breached its obligation under section 24 of the Personal Data Protection Act 2012 (PDPA) to make reasonable security arrangements to protect the personal data in its possession or under its control. The two findings were that the Organisation failed to delete the personal data from the affected server after migrating it to the cloud, and that its security arrangements for the data it left behind were insufficient to prevent unauthorised access and disclosure.
What Were the Facts of This Case?
The Organisation was previously the sole shareholder of GLS (then known as Keppel Logistics Pte Ltd). In May 2020, the Organisation migrated its data, including personal data of its employees, ex-employees, directors and shareholders, from a server at GLS (the affected server) to a cloud-based storage solution. The migration copied the data rather than moving it: the Organisation's staff did not delete the personal data from the affected server afterwards, as they were not given clear instructions to do so.
In July 2022, the Organisation divested GLS. The personal data was again not deleted from the affected server during the divestment, so it remained on a system that was now operated by an entity outside the Organisation. On 5 September 2022, an unidentified threat actor gained unauthorised access to the affected server through a compromised account belonging to one of GLS's vendors. The threat actor accessed multiple files on the server and exfiltrated some of the personal data, which was later published on the dark web.
The personal data of 22,659 individuals, including the Organisation's employees, ex-employees, directors, shareholders, and others with commercial dealings, was put at risk of unauthorised access and disclosure. The Organisation confirmed that the personal data of up to 7,184 of these individuals may actually have been exfiltrated.
What Were the Key Legal Issues?
The key legal issue was whether the Organisation had breached its obligation under section 24 of the PDPA to make reasonable security arrangements to protect the personal data in its possession or under its control. The PDPC examined two aspects: the Organisation's failure to delete the personal data from the affected server after migrating it to the cloud, and the adequacy of the security arrangements protecting the data that remained there until it was accessed and exfiltrated.
How Did the Court Analyse the Issues?
The PDPC noted that, in managing the risks of unauthorised access and disclosure, organisations must be mindful of their security arrangements for the deletion and disposal of personal data that is no longer necessary. Personal data that is no longer needed, and personal data held on IT systems that are to be redeployed or sold, should be properly disposed of, for example by secure deletion or purging.
In this case, the PDPC found that the Organisation had breached its protection obligation under section 24 of the PDPA in two key ways:
1. Failure to delete personal data from the affected server after migrating it to the cloud: The Organisation's staff copied the personal data to the cloud but did not delete it from the affected server, as they were not given clear instructions to do so. The Organisation then overlooked that the personal data continued to reside on the affected server both after the migration and through the subsequent divestment of GLS, when the server passed out of the Organisation's corporate group.
2. Insufficient security arrangements to prevent unauthorised access and disclosure: Because the personal data was left on a server that GLS continued to use, its protection depended on GLS's and GLS's vendors' controls rather than on any arrangement the Organisation had made for it, and that is how it was exposed when a vendor account was compromised. The PDPC found that the Organisation's security arrangements for the retained data were insufficient to prevent the breach that occurred.
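The PDPC's point is that "delete the source after migrating" must be an explicit, checked step rather than something left to staff discretion. The following Python example, added here and not part of the decision or of any Keppel or GLS system, shows one way to make it so: build a manifest of the data being migrated, copy it, verify every file at the destination against the manifest, and only then overwrite and remove the source, reporting anything still on disk. The directory names, the sample CSV records and the local "cloud" target directory are constructed for the example.

```python
"""Migrate, verify, then purge: the source is deleted only after the copy is proven complete.

Added example. The 'cloud' target is a second local directory, and the employee and
shareholder records are constructed sample data, not the records in the decision.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict:
    """Map each file under root (path relative to root) to its SHA-256 hex digest."""
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        manifest[path.relative_to(root).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def migrate(src: Path, dst: Path) -> dict:
    """Copy every file from src to dst (stand-in for the cloud upload); return the source manifest."""
    manifest = build_manifest(src)
    for rel in manifest:
        target = dst / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src / rel, target)
    return manifest


def verify_migration(manifest: dict, dst: Path) -> list:
    """Relative paths that are missing at the destination or whose digest differs from the manifest."""
    dst_manifest = build_manifest(dst)
    return sorted(rel for rel, digest in manifest.items() if dst_manifest.get(rel) != digest)


def residual_files(root: Path) -> list:
    """Relative paths of files still present under root; empty once the purge has succeeded."""
    return sorted(p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file())


def purge_source(src: Path, manifest: dict) -> list:
    """Overwrite and unlink each migrated file, then report anything left behind.

    The overwrite is best-effort: on SSDs, copy-on-write filesystems and snapshotted or
    cloud block storage it does not guarantee the old bytes are unrecoverable, so the
    storage layer's own sanitisation (or crypto-shredding of the volume key) is still needed.
    """
    for rel in manifest:
        path = src / rel
        size = path.stat().st_size
        with open(path, "r+b") as fh:
            fh.write(b"\x00" * size)
            fh.flush()
            os.fsync(fh.fileno())
        path.unlink()
    return residual_files(src)


def finalise(src: Path, dst: Path, manifest: dict) -> dict:
    """Verify the copy and purge the source only if every file matches; return a status report."""
    mismatches = verify_migration(manifest, dst)
    if mismatches:
        return {"purged": False, "mismatches": mismatches, "residual": residual_files(src)}
    return {"purged": True, "mismatches": [], "residual": purge_source(src, manifest)}


def make_sample_server(root: Path) -> None:
    """Constructed sample records standing in for the personal data on the legacy server."""
    (root / "hr").mkdir(parents=True)
    (root / "hr" / "employees.csv").write_text("id,name\n1,Alice\n2,Bob\n")
    (root / "finance").mkdir()
    (root / "finance" / "shareholders.csv").write_text("id,name\n10,Carol\n")


def demo(partial_upload: bool = False) -> dict:
    """Run the whole procedure in a temp dir; partial_upload simulates a truncated object in the cloud."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "legacy_server"), Path(tmp, "cloud")
        make_sample_server(src)
        manifest = migrate(src, dst)
        if partial_upload:
            # Constructed failure: one object arrived incomplete, so the source must not be purged.
            (dst / "hr" / "employees.csv").write_text("id,name\n")
        report = finalise(src, dst, manifest)
        report["migrated"] = len(manifest)
        return report


if __name__ == "__main__":
    print(demo())
    print(demo(partial_upload=True))
```

The report from a run is the evidence a migration runbook should require before the source system is handed over or decommissioned: `purged` true, no mismatches, and an empty `residual` list. In the partial-upload case the purge is skipped and the residual list shows exactly which files still hold personal data, which is the situation the Organisation was in for over two years without knowing it.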
What Was the Outcome?
The PDPC found that the Organisation had breached its protection obligation under section 24 of the PDPA. The Organisation voluntarily admitted to the facts and its breach of the PDPA.
The PDPC noted that the Organisation had implemented remedial measures after the incident, including engaging a cybersecurity consultant to contain the breach and prevent recurrence, permanently purging the personal data from the affected server, reviewing its migration plan, conducting refresher training for staff, and adopting a new standard operating procedure for IT and cyber due diligence.
Why Does This Case Matter?
This case highlights the importance of treating the deletion and disposal of personal data that is no longer necessary as part of an organisation's security arrangements. A migration plan must include deleting the data from the source system once the copy has been verified, and a divestment must include an inventory of what personal data sits on the systems leaving the group; in this case the absence of both steps left employee and shareholder data on a server the Organisation neither used nor controlled for more than two years.
The case also underscores that data left behind on a third party's system is still data in the organisation's possession or under its control, and that the organisation remains responsible for protecting it. Failure to do so can result in harm to affected individuals and enforcement action by the PDPC.
This decision provides guidance to organisations on their obligations under the PDPA and the consequences of failing to adequately protect personal data. It serves as a reminder that data protection must be built into an organisation's IT operations, including migrations, decommissioning and corporate transactions, and not only into its policies.
This article analyses [2024] SGPDPC 3 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.