On 21 September 2021, the Personal Data Protection Commission (“the Commission”) fined Seriously Keto Pte. Ltd. (“Seriously Keto”) a penalty of $8,000 over its of its breach of its personal data protection obligations under the Personal Data Protection (“PDPA”). In particular, the Commission found that Seriously Keto had failed to implement appropriate security measures in order to prevent unauthorised access to personal data on its platform.

Context 

On 16 June 2020, Seriously Keto notified the Personal Data Protection Commission (“the Commission”) of a ransomware attack that had occurred on 15 June 2020. The attack affected the personal data of over 3,000 individuals, and included, inter alia,  names, addresses, email addresses, and phone numbers.

Seriously Keto requested the Commission to investigate the incident. The organisation voluntarily provided facts for the Commission and admitted that it had breached its personal data protection obligations under Section 24 of the PDPA.

The investigation revealed that an unprotected file in Seriously Keto’s network infrastructure that had contained unencrypted login details to access the server storing the affected personal data. The attacker could use the infrastructure scanning to locate the unprotected file and gain access to the server. Seriously Keto managed to recover the server logs after the incident was indicated.

Seriously Keto had engaged a third-party vendor to develop its e-commerce and membership website and had relied on its vendor to ensure that adequate security measures were put in place to protect personal data stored in its network. However, this was not clearly indicated in Seriously Keto’s contract with its vendor. Therefore, the Commission found that the blame for breach was squarely on Seriously Keto. Seriously Keto admitted its lack of due attention to personal data protection prior to the incident and negligence of implementing reasonable security arrangements to protect the affected personal data.

After the incident, Seriously Keto underwent a full security audit and remedied the vulnerabilities in security that it had identified. Seriously Keto also set up a new website with a more robust internal security infrastructure, implemented a mandatory password change for all users of its new website, and activated a firewall to safeguard access to the new website. It also engaged a cybersecurity vendor to develop further measures and policies to strengthen its internal IT infrastructure. Additionally, Seriously Keto committed to engaging consultants to improve its data protection policies and outsource data protection functions. 

The Commission determined that Seriously Keto had cooperated well with the investigation and took prompt remedial actions to its personal data breach. Further, Seriously Keto  had admitted the breach on its own accord and was able to retrieve all the affected personal data. . Given the foregoing, the Commissioned determined that a penalty of $8,000 for Seriously Keto’s breach of its personal data protection obligations under the PDPA would be appropriate.