Ransomware Incident Data Breach and Security Lapses
Summary
Singapore's Personal Data Protection Commission issued a decision regarding a ransomware incident that, because of security lapses, affected the personal data of 39,000 individuals. Three separate undertakings were also accepted for similar incidents. The Commission directed the organization to strengthen its security posture and highlighted key takeaways for all organizations to prevent future breaches.
What changed
The Personal Data Protection Commission (PDPC) in Singapore has issued a Decision against a B2B e-commerce service provider following a ransomware incident that compromised the personal data of approximately 39,000 individuals, including bank and credit card details. The investigation revealed significant security lapses, such as unpatched systems, weak access controls, and a failure to implement multi-factor authentication. Consequently, the PDPC found the organization in breach of its Protection Obligation and issued directions to enhance its security measures.
In addition to this decision, the PDPC accepted three Undertakings from other organizations that experienced ransomware and system compromise incidents. These incidents also stemmed from security weaknesses like lack of multi-factor authentication and outdated systems, affecting employee and customer data. The PDPC considered the prompt remedial actions and commitments to improved controls in accepting these undertakings. Key takeaways for all organizations emphasize the critical need for robust security practices, including mandatory multi-factor authentication, diligent patch management, strong password policies, regular vulnerability assessments, and effective monitoring to prevent similar breaches and comply with data protection obligations.
What to do next
- Implement and strictly enforce multi-factor authentication for administrator, VPN, and privileged accounts.
- Maintain robust patch management processes and avoid operating on end-of-life systems.
- Conduct regular vulnerability assessments and periodic security reviews.
Source document (simplified)
This month, the Commission has issued one Decision and three Undertakings.
The Decision relates to a ransomware incident affecting a shared network managed by a B2B e-commerce service provider. Approximately 39,000 individuals' personal data, including bank and credit card details, was rendered inaccessible due to the attack. Investigations found security lapses such as unpatched systems, weak access controls and failure to enforce multi-factor authentication. The Commission found the organisation in breach of the Protection Obligation and issued directions for it to strengthen its security posture.
The three Undertakings concern separate ransomware and system compromise incidents across different sectors. The incidents involved personal data such as employees’ and customers’ contact details, identification numbers and bank account information, and arose from weaknesses including lack of multi-factor authentication, outdated systems and inadequate monitoring. In accepting the Undertakings, the Commission considered the prompt remedial actions taken and the organisations’ commitments to implement stronger technical and governance controls.
Key Takeaways for Organisations
- Implement and strictly enforce multi-factor authentication for administrator, VPN and privileged accounts
- Maintain robust patch management processes and avoid operating on end-of-life systems
- Enforce strong password policies with rotation and account lockout mechanisms
- Conduct regular vulnerability assessments and periodic security reviews
- Implement network segmentation, logging and monitoring to detect suspicious activity early
- Review data retention practices and minimise the collection and storage of sensitive personal data
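The takeaways on account lockout, mandatory MFA for privileged and VPN access, and logging to catch suspicious activity early can be checked against authentication logs with a small review script. The following is an added example, not code from the PDPC or from any of the organisations named in the notice; the log format (`user=`, `service=`, `result=`, `mfa=` fields), the sample events, the lockout threshold and the list of privileged services are all constructed assumptions for illustration.

```python
"""Added example (not from the PDPC notice): review constructed authentication
events for two of the listed controls, account lockout after repeated failures
and MFA on privileged/VPN logins, and report where they were not enforced."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: timestamp, user, service, result, mfa flag (assumed format).
SAMPLE_LOG = """\
2024-05-01T08:00:01 user=alice service=vpn result=fail mfa=no
2024-05-01T08:00:05 user=alice service=vpn result=fail mfa=no
2024-05-01T08:00:09 user=alice service=vpn result=fail mfa=no
2024-05-01T08:00:12 user=alice service=vpn result=fail mfa=no
2024-05-01T08:00:15 user=alice service=vpn result=fail mfa=no
2024-05-01T08:00:20 user=alice service=vpn result=success mfa=no
2024-05-01T09:15:00 user=admin service=rdp result=success mfa=no
2024-05-01T09:20:00 user=bob service=vpn result=success mfa=yes
2024-05-01T10:00:00 user=carol service=vpn result=fail mfa=no
2024-05-01T11:30:00 user=carol service=vpn result=fail mfa=no
"""

LOCKOUT_THRESHOLD = 5                  # assumed policy: 5 failures ...
LOCKOUT_WINDOW = timedelta(minutes=15)  # ... within 15 minutes should lock the account
PRIVILEGED_SERVICES = {"vpn", "rdp"}    # assumed: remote-access services that must require MFA
PRIVILEGED_USERS = {"admin"}            # assumed: accounts that must require MFA everywhere


def parse_line(line):
    """Parse one 'timestamp key=value ...' event into a dict."""
    ts, *fields = line.split()
    event = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, value = field.split("=", 1)
        event[key] = value
    return event


def review_auth_log(text):
    """Return findings as a dict with three lists:
    lockouts            : (user, ts) where the failure threshold was reached
    mfa_gaps            : (user, service, ts) privileged logins that succeeded without MFA
    logins_after_lockout: (user, ts) successes from an account that should be locked
    """
    failures = defaultdict(deque)   # user -> timestamps of recent failures
    locked = set()
    findings = {"lockouts": [], "mfa_gaps": [], "logins_after_lockout": []}

    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        user, service, ts = ev["user"], ev["service"], ev["ts"]

        if ev["result"] == "fail":
            window = failures[user]
            window.append(ts)
            # Drop failures older than the sliding window before counting.
            while window and ts - window[0] > LOCKOUT_WINDOW:
                window.popleft()
            if len(window) >= LOCKOUT_THRESHOLD and user not in locked:
                locked.add(user)
                findings["lockouts"].append((user, ts.isoformat()))

        elif ev["result"] == "success":
            # A success after the threshold means lockout was not actually enforced.
            if user in locked:
                findings["logins_after_lockout"].append((user, ts.isoformat()))
            # Privileged access must carry MFA; a success without it is a control gap.
            privileged = service in PRIVILEGED_SERVICES or user in PRIVILEGED_USERS
            if privileged and ev.get("mfa") != "yes":
                findings["mfa_gaps"].append((user, service, ts.isoformat()))

    return findings


if __name__ == "__main__":
    for kind, items in review_auth_log(SAMPLE_LOG).items():
        print(kind)
        for item in items:
            print("  ", item)
```

On the constructed sample, `alice` hits the threshold on the fifth failure and then logs in anyway without MFA, which surfaces both a missing lockout and a missing MFA check on the VPN; `admin` shows an RDP login without MFA; `carol`'s two failures are 90 minutes apart and fall outside the window, so they are not flagged. The same logic runs unchanged over a real export once `parse_line` is adapted to the actual log format.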