
PeopleSearch Pte. Ltd. [2019] SGPDPC 47

Analysis of [2019] SGPDPC 47, a decision of the Personal Data Protection Commission on 2019-12-26.

Case Details

  • Citation: [2019] SGPDPC 47
  • Court: Personal Data Protection Commission
  • Date: 2019-12-26
  • Judges: Yeong Zee Kin, Deputy Commissioner
  • Plaintiff/Applicant: -
  • Defendant/Respondent: PeopleSearch Pte. Ltd.
  • Legal Areas: Data protection – Protection obligation
  • Statutes Referenced: Personal Data Protection Act, Personal Data Protection Act 2012
  • Cases Cited: [2017] SGPDPC 18, [2018] SGPDPC 4, [2019] SGPDPC 26, [2019] SGPDPC 47
  • Judgment Length: 5 pages, 1,552 words

Summary

This case involves a data breach incident at PeopleSearch Pte. Ltd., a subsidiary of a listed Singapore company that provides professional recruitment and flexible staffing services. In March 2019, the company suffered a ransomware attack that encrypted the personal data of its clients' employees, including sensitive information such as NRIC numbers, bank account details, and salary details. The Personal Data Protection Commission found that the company had failed to implement reasonable security measures to protect this personal data, in breach of its obligations under the Personal Data Protection Act 2012. While the company was able to restore its systems from backup and there was no evidence of data exfiltration, the Commission imposed a financial penalty of $5,000 for the lapse.

What Were the Facts of This Case?

PeopleSearch Pte. Ltd. (the "Organisation") is a subsidiary of a listed Singapore company that provides professional recruitment and flexible staffing services in Asia. The Organisation had a business division that managed outsourced payroll for its clients. To do this, the Organisation used a payroll software installed on a server in a virtual machine environment (the "VM Server").

Between 1 and 2 March 2019, the Organisation suffered a ransomware attack that encrypted the data on the VM Server, rendering the clients' personal data inaccessible. The personal data affected included the names, NRIC numbers, residential addresses, contact numbers, email addresses, bank account numbers, and salary details of 472 individuals employed by two of the Organisation's clients (the "Employee Data"). The database also contained personal data of the employees' next of kin, including their names, ages, contact numbers, and relationship to the employees (the "Next of Kin Data"). In total, an estimated 944 individuals were affected by the incident (the "Affected Individuals").

The Organisation discovered the incident on 4 March 2019 when a ransom note appeared, demanding payment in Bitcoin to decrypt the files. The Organisation refused to pay the ransom and instead restored its systems from a backup of the VM Server as of 1 March 2019, regaining access to the data within approximately 2 days. The Organisation promptly took remedial actions such as disabling remote desktop accounts and installing the latest server updates.

The key legal issue in this case was whether the Organisation had breached its obligations under Section 24 of the Personal Data Protection Act 2012 (the "PDPA") to protect the personal data in its possession or under its control.

Section 24 of the PDPA requires an organisation to protect personal data by taking reasonable security steps or arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks. The Commission had to assess whether the Organisation had put in place adequate security measures to protect the sensitive personal data it held, including NRIC numbers and financial information.

How Did the Court Analyse the Issues?

The Commission found that the Employee Data and Next of Kin Data constituted "personal data" under the PDPA, and that the Organisation had possession and control over this data. While there was no evidence that the data was exfiltrated, the ransomware attack did result in unauthorised modification of the data by rendering it inaccessible to the Organisation.

In assessing the reasonableness of the Organisation's security arrangements, the Commission noted that the Employee Data included sensitive information such as NRIC numbers and financial details. For such personal data, there is a higher standard of protection required due to the potential harm that could befall individuals from unauthorised use of the data.

The Commission found that the Organisation had failed to meet this higher standard of protection. Specifically, the Organisation admitted that it had not conducted any security scans, penetration testing, or patching of the VM Server for at least 12 months prior to the incident. The Commission rejected the Organisation's explanation that this was due to the departure of an employee responsible for the VM Server, stating that organisations must have processes in place to ensure regular security testing and patching, regardless of personnel changes.

The Commission emphasized that in the digital age, where organisations store personal data online, regular security testing and patching are critical security measures to guard against potential intrusions or attacks. The Organisation's failure to implement these measures resulted in vulnerabilities that were exploited by the ransomware attack, falling far short of the required standard of protection under the PDPA.

What Was the Outcome?

Having found the Organisation in breach of Section 24 of the PDPA, the Commission determined the appropriate directions to impose. As mitigating factors, the Commission took into account the Organisation's regular backup process, which significantly reduced the impact of the incident, as well as the Organisation's prompt remedial actions, full cooperation with the investigation, and the lack of evidence of data exfiltration or complaints from affected individuals.

Ultimately, the Commission directed the Organisation to pay a financial penalty of $5,000 within 30 days. The Commission emphasized the importance of organisations having robust data backup processes in place to mitigate the consequences of potential cyberattacks, noting that the failure to do so could have "crippling consequences" for business operations.

Why Does This Case Matter?

This case highlights the importance of organisations, particularly those handling sensitive personal data, implementing comprehensive and effective security measures to protect against data breaches. The Commission's decision underscores that merely having backup processes in place is not enough: organisations must also regularly test and patch their IT systems to address vulnerabilities that could be exploited by cyber-attackers.

The case serves as a reminder that the PDPA imposes a high standard of care on organisations when it comes to safeguarding personal data. Failure to meet this standard can result in significant regulatory consequences, even if there is no evidence of actual harm to affected individuals. Organisations must proactively review and strengthen their data protection practices to avoid similar breaches and penalties.

More broadly, this decision contributes to the growing body of PDPC precedents that provide guidance to organisations on their data protection obligations. It underscores the Commission's focus on ensuring that organisations take a comprehensive and diligent approach to data security, rather than relying on ad-hoc or reactive measures. Practitioners advising clients on data protection compliance should carefully consider the principles and expectations set out in this and other PDPC decisions.

Legislation Referenced

  • Personal Data Protection Act
  • Personal Data Protection Act 2012

Cases Cited

  • [2017] SGPDPC 18 (Re Credit Counselling Singapore)
  • [2018] SGPDPC 4 (Re Aviva Ltd)
  • [2019] SGPDPC 26 (Re Genki Sushi Singapore Pte Ltd)
  • [2019] SGPDPC 47 (PeopleSearch Pte. Ltd.)

Source Documents

This article analyses [2019] SGPDPC 47 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.

Written by Sushant Shukla
