Singapore: PDPC issues SGD 74,400 fine to E-Commerce Enablers following data breach

On August 16, 2023, the Personal Data Protection Commission (PDPC) published its decision in Case No. DP-2009-B7056, in which it issued a fine of SGD 74,400 (approx. $54,600) to E-Commerce Enablers Pte. Ltd., for violations of Section 24 of the Personal Data Protection Act 2012 (No. 26 of 2012) (PDPA), following a security incident.

Background to the decision

In particular, the PDPC stated that, on June 4, 2019, an employee of E-Commerce Enablers inadvertently published an AWS encryption key to the company's servers in a private repository on GitHub. On September 9, 2020, a threat actor used the encryption key to access E-Commerce Enablers' database and exfiltrate personal data belonging to various customers. The stolen personal data was later offered for sale on an online cybersecurity forum.

Following the incident, the PDPC noted that E-Commerce Enablers adopted remedial measures including:

  • deleting the compromised AWS key;
  • reversing changes made by the threat actor;
  • logging out all customers and resetting their passwords;
  • monitoring logs to detect unauthorized access;
  • separating development and production accounts;
  • encrypting databases and securing access to systems and data with VPN and IP address whitelisting; and
  • creating a platform for employee security suggestions/breach reporting.

Findings of the PDPC

The PDPC found that E-Commerce Enablers had breached its obligations under Section 24 of the PDPA to protect personal data in its possession or under its control, by:

  • failing to implement secure processes to manage the AWS keys that granted access to the company's servers; and
  • failing to conduct periodic security reviews to determine if the AWS keys had been compromised.

Furthermore, the PDPC noted that E-Commerce Enablers took 15 days to respond to the security breach and that the AWS key was exposed for 15 months. However, the PDPC also highlighted that E-Commerce Enablers cooperated with the investigation and admitted liability.

Outcomes

In light of the above, the PDPC imposed a fine of SGD 74,400 (approx. $54,600) on E-Commerce Enablers.

You can read the press release here and the decision here.