
Singapore Data Hub Pte Ltd [2025] SGPDPC 2

Analysis of [2025] SGPDPC 2, a decision of the Personal Data Protection Commission on 2025-04-07.

Case Details

Summary

In this case, the Personal Data Protection Commission (PDPC) investigated two separate data breach incidents that occurred at Singapore Data Hub Pte Ltd, a provider of point-of-sale and customer relationship management software. The investigation found that the organization had failed to implement reasonable security measures to protect the personal data in its possession, leading to unauthorized access and exfiltration of customer data. The PDPC determined that Singapore Data Hub had breached the Protection Obligation under the Personal Data Protection Act 2012 and imposed a financial penalty.

What Were the Facts of This Case?

Singapore Data Hub Pte Ltd (the "Organization") is a software company that provides point-of-sale and customer relationship management solutions to small and medium enterprises. On June 10 and 15, 2024, the Organization notified the PDPC of two separate data breach incidents that had occurred on April 28, 2024 and June 14, 2024 respectively.

In the first incident on April 28, 2024, a threat actor ("TA1") was able to gain unauthorized access to the Organization's network and database through a vulnerable URL link in one of its client's point-of-sale applications. TA1 executed SQL injection attacks, accessed customer data tables, and exfiltrated approximately 371.3 MB of personal data belonging to around 689,000 individuals. This included names, addresses, email addresses, phone numbers, dates of birth, and NRIC numbers.

After the first incident, the Organization took some remedial measures such as changing database credentials, patching vulnerabilities, and implementing a web application firewall. However, in the second incident on June 14, 2024, another threat actor ("TA2") was able to access the Organization's network again by exploiting vulnerabilities in its web applications. TA2 executed further SQL injection attacks and exfiltrated additional personal data, including gender and health information of 9,122 individuals.

The key legal issue in this case was whether Singapore Data Hub had breached the Protection Obligation under Section 24(a) of the Personal Data Protection Act 2012 (PDPA). Section 24(a) requires organizations to "protect personal data in their possession or under their control by making reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification, disposal or similar risks."

The PDPC had to determine whether the security measures implemented by Singapore Data Hub were reasonable and sufficient to fulfill its obligations under the PDPA, given the volume of personal data it handled on behalf of its clients.

How Did the Court Analyse the Issues?

The PDPC found that Singapore Data Hub had breached the Protection Obligation under Section 24(a) of the PDPA for several reasons:

1. Failure to have reasonable access controls: The PDPC noted that the affected web servers were publicly accessible, with multiple open ports and exposed web directory listings. The organization also did not have a network firewall or an adequately configured web application firewall to protect against common web application attacks like SQL injection. Additionally, the organization failed to properly protect the application source code files and database configuration files that contained important access credentials.

2. Failure to conduct reasonable periodic security reviews: The PDPC observed that the organization rolled out changes to its applications frequently, which was likely to introduce new security vulnerabilities. However, the organization did not conduct proper security checks or vulnerability scanning before deploying these changes. It only performed basic internal acceptance testing focused on functionality, not cybersecurity.

3. Failure to implement regular patching: The PDPC found that the affected web servers were running an unsupported operating system and an outdated version of the PHP scripting language, both of which had not been supported for several years. This exposed the organization's systems to known vulnerabilities that could have been mitigated through regular patching.
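To make the first finding concrete, the following is an added illustration (not code from the decision or from the Organization) of a customer lookup that splices a URL parameter straight into SQL, placed beside a version that validates the identifier format and binds the value as a parameter. The customer records, the table layout and the "C" plus three digits identifier format are constructed for this example, and Python's sqlite3 stands in for the PHP and database stack the decision describes.

```python
import re
import sqlite3

# Constructed sample records standing in for a POS/CRM customer table.
SAMPLE_CUSTOMERS = [
    ("C001", "Alice Tan", "alice@example.com"),
    ("C002", "Ben Lim", "ben@example.com"),
    ("C003", "Chloe Ng", "chloe@example.com"),
]

# Hypothetical identifier format for this example: "C" followed by three digits.
CUSTOMER_ID_RE = re.compile(r"^C\d{3}$")

def make_db():
    """Build an in-memory database holding the constructed customer records."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id TEXT, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_CUSTOMERS)
    return conn

def lookup_vulnerable(conn, customer_id):
    """Anti-pattern: the request parameter is spliced into the SQL text, so the
    database cannot tell the value apart from the query structure."""
    sql = f"SELECT id, name, email FROM customers WHERE id = '{customer_id}'"
    return conn.execute(sql).fetchall()

def lookup_hardened(conn, customer_id):
    """Reject values outside the expected identifier format, then bind the value
    as a parameter so it is never parsed as SQL. Rejected input yields []."""
    if not CUSTOMER_ID_RE.match(customer_id):
        return []
    sql = "SELECT id, name, email FROM customers WHERE id = ?"
    return conn.execute(sql, (customer_id,)).fetchall()

def compare(customer_id):
    """Return (rows from the vulnerable lookup, rows from the hardened lookup)."""
    conn = make_db()
    try:
        return lookup_vulnerable(conn, customer_id), lookup_hardened(conn, customer_id)
    finally:
        conn.close()

if __name__ == "__main__":
    print(compare("C002"))          # one customer from each lookup
    # A malformed value that rewrites the WHERE clause makes the vulnerable query
    # return every row; the hardened lookup rejects it before it reaches SQL.
    print(compare("' OR '1'='1"))
```

The parameter binding alone would already stop the malformed value from being interpreted as SQL; the format check in front of it additionally gives the application a clear point at which to log and reject unexpected input.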

The PDPC emphasized that the Protection Obligation under the PDPA requires organizations to implement security measures that are commensurate with the volume and sensitivity of personal data they handle. Given that Singapore Data Hub was a software-as-a-service provider with a large customer base, it was expected to have a higher level of security controls in place.

What Was the Outcome?

Based on its findings, the PDPC determined that Singapore Data Hub had breached the Protection Obligation under Section 24(a) of the PDPA. The Organization, which was investigated under the Expedited Decision Procedure, voluntarily provided information and unequivocally admitted the facts set out in the decision.

The PDPC did not specify the exact financial penalty imposed on Singapore Data Hub, as the details were not included in the published judgment. However, the PDPC has the authority to impose financial penalties of up to S$1 million for breaches of the PDPA.

Why Does This Case Matter?

This case is significant for several reasons:

1. It underscores the importance of implementing reasonable security measures to protect personal data, especially for organizations that handle large volumes of sensitive information. The PDPC made it clear that the level of security expected is commensurate with the data being handled, and that basic access controls and periodic security reviews are essential.

2. The case highlights the need for organizations to stay up-to-date with software and system patching to mitigate known vulnerabilities. Relying on outdated and unsupported systems can expose personal data to significant risks.

3. The decision serves as a warning to software-as-a-service providers and other organizations that process large amounts of personal data on behalf of clients. They have a heightened responsibility to ensure the security of the data in their possession or control.

4. The case demonstrates the PDPC's willingness to take enforcement action against organizations that fail to meet their data protection obligations, even if they cooperate with the investigation. This sends a strong message about the importance of data protection compliance in Singapore.

This article analyses [2025] SGPDPC 2 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.

Written by Sushant Shukla