Law Society, 2 firms found responsible for data breaches

It directed the Law Society to engage qualified security providers to conduct a thorough security audit of its arrangements for accounts with administrative privileges that can access directly or create access to personal data as well as to rectify any gaps identified.

Meanwhile, online furniture store Fortytwo was fined for failing to patch and update its website, which resulted in the personal particulars of 6,339 customers being leaked.

The information collected included 98 customers’ credit card details, the PDPC said in another written judgment.

The company reported the incident to PDPC on Dec 24, 2021.

Fortytwo was found to have breached its obligation to make reasonable security arrangements by not installing security patches released between 2017 and 2020, which addressed issues and bugs, including the injection of malicious code that ultimately captured its customers’ personal data.

The PDPC also held that the company had “ample notice” to upgrade its platform from November 2015 to early 2020 before the attack, but did not do so.

In addition to a fine of $8,000, the furniture company was directed to upgrade its website to a supported software version within six months.

In a separate judgment, recruitment firm Kingsforce Management Services was found to have breached its obligation to protect personal data after its database of about 54,900 jobseekers was sold on the now-defunct RaidForums on or about Dec 27, 2021.

On Jan 31, 2022, the PDPC was notified by the firm that its database, which included addresses, telephone numbers and e-mail addresses, had been available for sale.

External cybersecurity investigators identified outdated website coding technology as the cause of the incident.

The PDPC found that Kingsforce Management Services had failed to provide sufficient clarity and specifications on how to protect its database and did not conduct periodic security reviews within a reasonable timeframe since the launch of its website.

In deciding enforcement action against the breach, the privacy watchdog considered several factors including the immediate suspension of the website and the inaccessibility of affected data following the shutdown of RaidForums in 2022.

The PDPC has ordered the firm to ensure that regular patching, updates and upgrades take place for all software and firmware supporting its website and application through which personal data can be accessed.

The Straits Times has contacted the Law Society, Fortytwo and Kingsforce Management Services for comment.
