PDPC Publishes Four Undertakings on Ransomware and Unauthorized Access

Source: PDPC Announcements (Singapore), www.pdpc.gov.sg
Filed December 4th, 2025
Detected March 13th, 2026

Summary

Singapore's Personal Data Protection Commission (PDPC) has published four undertakings from organizations that experienced ransomware attacks and unauthorized access. These undertakings detail remediation measures to strengthen cybersecurity defenses and data protection practices.

What changed

The Personal Data Protection Commission (PDPC) has published four new undertakings from organizations that suffered data breaches due to ransomware attacks and unauthorized access, often caused by exploiting legitimate credentials. Common contributing factors identified include weak access controls, outdated firewalls, and default account usage. These incidents disrupted business operations and exposed significant gaps in the organizations' cybersecurity defenses.

Under these binding undertakings, the affected organizations are committed to implementing comprehensive remediation measures. These include enforcing multi-factor authentication, conducting regular vulnerability assessments and penetration testing, hardening server configurations, segmenting networks, and enhancing staff training on cybersecurity awareness. The PDPC accepted these undertakings after evaluating the nature of the data affected, the incident circumstances, and the organizations' plans to meet their obligations under the Personal Data Protection Act (PDPA).

What to do next

  1. Review incident response and cybersecurity measures for ransomware and unauthorized access vulnerabilities.
  2. Implement multi-factor authentication for all systems and administrative accounts.
  3. Conduct regular vulnerability assessments and penetration testing.

Source document (simplified)

This week, the Commission has published four Undertakings.

The incidents involved a mix of ransomware attacks and unauthorised access by exploiting legitimate login credentials, which disrupted business operations and exposed gaps in the organisations' cybersecurity defences. Common contributing factors included weak access controls, use of outdated firewall, software, and default accounts.

To address these issues and strengthen data protection practices, the organisations will be implementing a range of remediation measures, including:

  • Enforcing multi-factor authentication across systems and administrative accounts
  • Performing regular vulnerability assessments and penetration testing
  • Hardening server configurations and segmenting network access
  • Training staff on cybersecurity and data protection awareness
  • Obtaining relevant data protection and cybersecurity certifications

The PDPC has accepted these Undertakings after considering the types of personal data affected, the circumstances surrounding each incident, and the organisations' readiness to implement their remediation plans to meet their obligations under the PDPA.

Access the Undertakings here.

Analysis generated by AI. Source diff and links are from the original.

Classification

Agency: Various
Filed: December 4th, 2025
Instrument: Enforcement
Legal weight: Binding
Stage: Final
Change scope: Substantive

Who this affects

Applies to: Employers, Public companies, Technology companies
Geographic scope: Singapore

Taxonomy

Primary area: Cybersecurity
Operational domain: Compliance
Topics: Data Privacy, Technology
