Three Voluntary Undertakings on Ransomware, Database Misconfiguration, Email Breach

Source: PDPC Announcements (Singapore), www.pdpc.gov.sg

Summary

Singapore's Personal Data Protection Commission published three voluntary undertakings accepted from organizations following data breaches involving ransomware, database misconfiguration, and erroneous email disclosure of personal data. Common failures included inadequate access controls, improperly configured database permissions, and absence of operational safeguards. The organizations must implement specific remediation measures including MFA, security certifications, and data protection governance improvements.

What changed

PDPC published three voluntary undertakings accepted from organizations that experienced data breaches. The incidents involved a ransomware attack, unauthorized database access due to misconfigured security settings, and erroneous email disclosure of personal data. Contributing factors included inadequate access controls, improperly configured database permissions, and absence of operational safeguards when handling sensitive personal data.

Affected organizations are now bound to implement specific remediation measures including enforcing MFA and conditional access policies, obtaining CSA Cyber Essentials certification with external security audits, configuring row-level database security, password-protecting sensitive email attachments, and appointing a Data Protection Officer with comprehensive data protection policies. While no financial penalties were imposed, these undertakings represent formal regulatory enforcement actions that create binding compliance obligations under Singapore's Personal Data Protection Act.

What to do next

  1. Implement multi-factor authentication and conditional access policies for remote and cloud services
  2. Obtain CSA Cyber Essentials certification and conduct external security audits
  3. Password-protect email attachments containing sensitive personal data and implement email verification checklists

Archived snapshot

Apr 9, 2026

GovPing captured this document from the original source. If the source has since changed or been removed, this is the text as it existed at that time.

This week, the Commission has published three Voluntary Undertakings.

The incidents involved a ransomware attack, an unauthorised database access due to misconfigured security settings, and an erroneous email disclosure of personal data. Common contributing factors included inadequate access controls, improperly configured database permissions, and the absence of operational safeguards when handling sensitive personal data.

To address these issues and improve data protection practices, the organisations will be implementing a range of remediation measures, including:

  • Enforcing multi-factor authentication and conditional access policies for remote and cloud-based services
  • Obtaining CSA Cyber Essentials certification and conducting external security audits
  • Configuring row-level security for databases with appropriate roles and permissions
  • Password-protecting email attachments containing sensitive personal data and introducing email verification checklists for staff
  • Appointing a Data Protection Officer, developing and implementing data protection policies and consent processes

The PDPC has accepted these Voluntary Undertakings after considering the types of personal data affected, the circumstances surrounding each incident, and the organisations' readiness to implement their remediation plans to meet their obligations under the PDPA.

Access the Voluntary Undertakings.

About this page

What's from the agency?

Source document text, dates, docket IDs, and authority are extracted directly from PDPC.

What's AI-generated?

The summary, classification, recommended actions, deadlines, and penalty information are AI-generated from the original text and may contain errors. Always verify against the source document.

Classification

Agency: PDPC
Published: April 9th, 2026
Instrument: Notice
Legal weight: Non-binding
Stage: Final
Change scope: Substantive

Who this affects

Applies to: Businesses
Industry sector: 5112 Software & Technology
Activity scope: Data breach response, Security configuration, Access controls
Geographic scope: Singapore (SG)

Taxonomy

Primary area: Data Privacy
Operational domain: Compliance
Topics: Cybersecurity, Consumer Protection