Case Details
- Citation: [2025] SGPDPCS 4
- Court: Personal Data Protection Commission (the decision is a Commission decision, not a court judgment)
- Date: 2026-02-25
- Judges: Not specified in the judgment
- Plaintiff/Applicant: Not specified
- Defendant/Respondent: People Central Pte. Ltd.
- Legal Areas: Data Protection – Protection obligation
- Statutes Referenced: Personal Data Protection Act 2012
- Cases Cited: [2025] SGPDPCS 4
- Judgment Length: 12 pages, 2,091 words
Summary
In this case, the Personal Data Protection Commission (the "Commission") investigated People Central Pte. Ltd. (the "Organisation"), a cloud-based HR solutions provider, for a breach of the Personal Data Protection Act 2012 (the "PDPA"). The Organisation had experienced an incident where a threat actor gained unauthorized access to and deleted its clients' employees' personal data from the Organisation's cloud servers. The Commission found that the Organisation failed to implement reasonable security arrangements to protect the personal data in its possession, in breach of the PDPA's Protection Obligation. The Commission imposed a financial penalty on the Organisation and directed it to take various remedial actions to improve its data security practices.
What Were the Facts of This Case?
People Central Pte. Ltd. is a cloud-based HR solutions provider that offers online HR management Software as a Service (SaaS) solutions. On 3 May 2024, the Organisation notified the Commission of an incident where a threat actor had gained unauthorized access to and deleted its clients' employees' personal data from the Organisation's Amazon Web Services (AWS) cloud servers.
The personal data of 95,000 employees of the Organisation's clients was put at risk of unauthorised access. The affected fields included name, gender, employee pass type, NRIC number, date of employment, place and date of birth, nationality, salary, marital status, religion, bank account number, mobile number, email address and residential address. The personal data of a further 24,765 individuals who were the emergency contacts and/or children of the affected employees was also put at risk.
Investigations revealed several security lapses that contributed to the incident: SQL injection vulnerabilities in the Organisation's web application; weak access controls, with Remote Desktop Protocol (RDP) exposed to the internet without two-factor authentication; and insufficient security testing, with vulnerability scanning conducted only once every two years.
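The SQL injection lapse named above, shown as an added illustration that is not part of the decision and not the Organisation's code: a hypothetical tenant-scoped employee lookup and delete written two ways, once by string formatting (vulnerable) and once with bound parameters (safe), run against an in-memory SQLite table of constructed sample rows. The table layout, column names, tenant names and the payload are all assumptions made for the example; the page says nothing about how the real application was built.

```python
import sqlite3

# Constructed sample rows (hypothetical; not data from the decision).
# Columns: id, client (tenant), name, nric, salary
SAMPLE_EMPLOYEES = [
    (1, "acme", "alice", "S0000001A", 5200),
    (2, "acme", "bob", "S0000002B", 4800),
    (3, "globex", "carol", "S0000003C", 6100),
]


def make_db():
    """Build an in-memory SQLite database seeded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE employees ("
        "id INTEGER PRIMARY KEY, client TEXT, name TEXT, nric TEXT, salary INTEGER)"
    )
    conn.executemany("INSERT INTO employees VALUES (?, ?, ?, ?, ?)", SAMPLE_EMPLOYEES)
    conn.commit()
    return conn


def lookup_vulnerable(conn, client, name):
    """Tenant-scoped lookup built by string formatting: caller input becomes SQL."""
    sql = (
        "SELECT id, name, nric, salary FROM employees "
        f"WHERE client = '{client}' AND name = '{name}'"
    )
    return conn.execute(sql).fetchall()


def lookup_safe(conn, client, name):
    """Same query with bound parameters: input is treated as data, never as SQL."""
    sql = "SELECT id, name, nric, salary FROM employees WHERE client = ? AND name = ?"
    return conn.execute(sql, (client, name)).fetchall()


def delete_vulnerable(conn, client, employee_id):
    """Tenant-scoped delete built by string formatting; returns rows deleted."""
    sql = f"DELETE FROM employees WHERE client = '{client}' AND id = '{employee_id}'"
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def delete_safe(conn, client, employee_id):
    """Same delete with bound parameters; returns rows deleted."""
    cur = conn.execute(
        "DELETE FROM employees WHERE client = ? AND id = ?", (client, employee_id)
    )
    conn.commit()
    return cur.rowcount


def count_rows(conn):
    """Rows currently in the table."""
    return conn.execute("SELECT COUNT(*) FROM employees").fetchone()[0]


# Classic payload: closes the string literal and appends an always-true clause.
# Because AND binds tighter than OR, the WHERE clause becomes
# (client = 'acme' AND name = 'x') OR '1'='1', which matches every row.
PAYLOAD = "x' OR '1'='1"


def demo():
    """Run both versions against the payload; returns a summary dict."""
    leaked = lookup_vulnerable(make_db(), "acme", PAYLOAD)  # every tenant's rows
    safe = lookup_safe(make_db(), "acme", PAYLOAD)          # nobody has that name
    wiped = delete_vulnerable(make_db(), "acme", PAYLOAD)   # wipes the whole table
    conn_s = make_db()
    kept = delete_safe(conn_s, "acme", PAYLOAD)             # matches nothing
    return {
        "leaked_rows": len(leaked),
        "safe_rows": len(safe),
        "vuln_deleted": wiped,
        "safe_deleted": kept,
        "remaining_after_safe_delete": count_rows(conn_s),
    }


if __name__ == "__main__":
    print(demo())
```

The same payload that leaks every tenant's rows through the lookup path also wipes the table through the delete path, which is the combination of unauthorised access and deletion the facts describe. With parameter binding the injected text is just a string that matches no row, and the tenant scope on `client` still holds for legitimate input. A WAF may block this particular pattern, but only parameterisation removes the flaw itself.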
What Were the Key Legal Issues?
The key legal issue in this case was whether the Organisation had breached the Protection Obligation under section 24 of the PDPA. Section 24(a) of the PDPA requires organisations to "protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks."
The Commission had to determine whether the Organisation's security measures were reasonable and adequate to protect the personal data it was entrusted with as an HR solutions provider.
How Did the Court Analyse the Issues?
The Commission examined the specific security lapses identified in the case and assessed whether the Organisation had made reasonable security arrangements to prevent the unauthorized access and deletion of its clients' employees' personal data.
The Commission found that the Organisation had failed to conduct reasonable periodic security reviews, which should have included web security assessments and network vulnerability assessments. The Commission noted that the Organisation's vulnerability scanning was conducted only every 2 years, which was insufficient given the volume and sensitivity of the personal data it processed.
The Commission also found that the Organisation should have implemented a Web Application Firewall (WAF) to defend against typical web application attacks, such as SQL injections, as an enhanced security practice. Additionally, the Commission stated that the Organisation should have conducted regular annual external and internal penetration testing, as recommended by industry best practices.
The Commission acknowledged the costs and technical expertise required for penetration testing, but emphasized that the Organisation, as an HR solutions provider, should have assessed the need and frequency of such testing as part of its periodic security reviews.
What Was the Outcome?
Based on the Organisation's admissions and the findings outlined above, the Commission determined that the Organisation had breached the Protection Obligation under section 24 of the PDPA.
The Commission imposed a financial penalty of $17,500 on the Organisation, taking into account the impact of the personal data breach, the nature of the Organisation's non-compliance, and the Organisation's cooperation and voluntary admission of the breach.
In addition, the Commission directed the Organisation to take several remedial actions, including:
- Reviewing its web application to ensure secure implementation in accordance with industry best practices
- Implementing an adequately configured WAF
- Completing the implementation of regular annual external and internal penetration tests
- Completing the implementation of two-factor authentication for RDP access
- Completing the implementation of encryption for all personal data fields
- Reporting to the Commission upon the completion of all the above actions
Why Does This Case Matter?
This case is significant for several reasons:
First, it highlights the importance, for organisations that process large volumes of personal data in particular, of implementing robust and regularly reviewed security measures to protect the data entrusted to them. The Commission emphasised that the Organisation, as an HR solutions provider, should have had the technical expertise to implement reasonable cybersecurity measures against evolving threats.
Second, the case provides guidance on the Commission's expectations regarding the frequency and scope of security reviews and testing. The Commission made it clear that periodic vulnerability assessments and penetration testing should be conducted more frequently than every 2 years, in line with industry best practices.
Third, the case underscores the Commission's willingness to impose financial penalties on organizations that fail to comply with the PDPA's Protection Obligation. The penalty serves as a deterrent and highlights the need for organizations to take data protection seriously.
Finally, the remedial actions ordered by the Commission, such as implementing a WAF, two-factor authentication for RDP and field-level encryption, provide a roadmap for organisations to improve their data security practices and comply with the PDPA's requirements. The order of the directions is worth noting: the first is to review and fix the web application itself, and the WAF is an additional layer on top of that. A WAF filters known attack patterns at the edge; it does not remove an injection flaw from the code behind it.
Legislation Referenced
- Personal Data Protection Act 2012
Cases Cited
- [2025] SGPDPCS 4
Source Documents
This article analyses [2025] SGPDPCS 4 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.