Bakery Worked With The Personal Data Protection Commission To Investigate Breach


11 November 2021

Global Advertising Lawyers Alliance (GALA)


On 21 September 2021, the Personal Data Protection Commission
("the Commission") fined Seriously Keto Pte. Ltd.
("Seriously Keto") $8,000 over its breach of its personal data
protection obligations under the Personal Data Protection Act
("PDPA"). In particular, the Commission found that Seriously Keto
had failed to implement appropriate security measures to prevent
unauthorised access to personal data on its platform.

Context

On 16 June 2020, Seriously Keto notified the Commission of a
ransomware attack that had occurred on 15 June 2020. The attack
affected the personal data of over 3,000 individuals, which
included, inter alia, names, addresses, email addresses, and phone
numbers. Seriously Keto requested the Commission to investigate the
incident. The organisation voluntarily provided facts to the
Commission and admitted that it had breached its personal data
protection obligations under Section 24 of the PDPA.

The investigation revealed an unprotected file in Seriously
Keto's network infrastructure that had contained unencrypted
login details for the server storing the affected personal
data. The attacker could have used infrastructure scanning to locate
the unprotected file and gain access to the server. Seriously Keto
managed to recover the server logs after the incident was
indicated.

Seriously Keto had engaged a third-party vendor to develop its
e-commerce and membership website and had relied on its vendor to
ensure that adequate security measures were put in place to protect
personal data stored in its network. However, this was not clearly
indicated in Seriously Keto's contract with its vendor.
Therefore, the Commission found that the blame for the breach lay
squarely on Seriously Keto. Seriously Keto admitted its lack of due
attention to personal data protection prior to the incident and
its negligence in implementing reasonable security arrangements to
protect the affected personal data.

After the incident, Seriously Keto underwent a full security
audit and remedied the vulnerabilities in security that it had
identified. Seriously Keto also set up a new website with a more
robust internal security infrastructure, implemented a mandatory
password change for all users of its new website, and activated a
firewall to safeguard access to the new website. It also engaged a
cybersecurity vendor to develop further measures and policies to
strengthen its internal IT infrastructure. Additionally, Seriously
Keto committed to engaging consultants to improve its data
protection policies and outsource data protection functions.

The Commission determined that Seriously Keto had cooperated
well with the investigation and took prompt remedial actions in
response to its personal data breach. Further, Seriously Keto had
admitted the breach of its own accord and was able to retrieve all
the affected personal data. Given the foregoing, the Commission
determined that a penalty of $8,000 for Seriously Keto's breach of
its personal data protection obligations under the PDPA would be
appropriate.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
