In brief
The Personal Data Protection Commission (PDPC) announced that it had accepted in March two undertakings from organizations investigated for data breaches stemming from ransomware attacks and zero-day vulnerabilities, affecting the personal data of over 400,000 individuals.
Undertaking by Yamato Transport
In September 2024, the PDPC became aware of a data breach incident involving unauthorized access to a server belonging to Yamato Transport (S) Pte. Ltd. (“Yamato Transport”), following a notification from Yamato Transport to all of its clients regarding the incident. Yamato Transport acted as a data intermediary for its clients.
The server had stored the data of Yamato Transport’s clients and employees. Yamato Transport had also notified the PDPC of the incident directly on 4 October 2024, given that its employees’ data was also affected.
Investigations revealed that the threat actor had gained initial access to Yamato Transport’s environment by exploiting a zero-day vulnerability. The threat actor subsequently executed ransomware.
The exfiltrated files contained the personal data of 320,482 employees and clients, including various combinations of names, addresses, email addresses, phone numbers and other information.
Upon discovering the incident, Yamato Transport took prompt remedial actions including, but not limited to, disconnecting the affected servers; patching the zero-day vulnerability; resetting passwords for all users; blocking the threat actor’s IP address; isolating all affected servers; and terminating internet connections. As part of its voluntary undertaking, Yamato Transport committed to improving compliance with the Personal Data Protection Act 2012 by, among others, conducting vulnerability assessments; switching to cloud-based solutions with security features; enhancing password complexity and user access rights control; and establishing new service agreements with customers. The full summary of the undertaking can be found here.
Undertaking by Poh Heng Jewellery
On 29 March 2025, Poh Heng Jewellery (Private) Limited (“Poh Heng Jewellery”) notified the PDPC of a data breach incident wherein a threat actor had obtained the source code of its e-commerce website (“Affected Website”) by exploiting vulnerabilities.
Investigations revealed that the threat actor had likely probed the Affected Website and found an exposed link to a configuration folder containing the website deployment file. This information allowed the threat actor to find the integrated GitHub repository of Poh Heng Jewellery’s then-website vendor and obtain the Affected Website’s source code. Subsequently, the threat actor downloaded the personal data of 81,465 customers. The affected personal data included names, contact numbers, residential addresses, personal email addresses, dates of birth, countries of residence, membership ID numbers and transactional information for up to the last five purchases.
Upon discovering the incident, Poh Heng Jewellery’s remedial actions included dismantling the affected website; resetting credentials for all platforms and critical web plugins; conducting a vulnerability assessment and rectifying identified vulnerabilities; and revoking its then-vendors’ access rights to Poh Heng Jewellery’s cloud console.
While the root cause of the incident could be attributed to the threat actor’s access to the “.git” folder on Poh Heng Jewellery’s website and information available in the Affected Website’s source code, the PDPC found that Poh Heng Jewellery had failed to clearly stipulate the job scope and data protection obligations expected of its vendors. Poh Heng Jewellery had outlined vendors’ job scope only in quotations and had included data protection provisions only in nondisclosure agreements. Additionally, Poh Heng Jewellery did not have clear processes for managing its vendors. Investigations by the PDPC revealed that there was poor documentation of the vendors’ responsibilities, as deployment of the Affected Website was managed mainly via email.
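The root cause described above, a “.git” folder and deployment configuration left inside the public web root, is the kind of defect a pre-deploy check catches before anyone outside can reach it. The following is an added example (not code from the PDPC summary or from the organizations named): a gate that walks a web root, refuses to publish if any version-control or environment artifact is present, and reports which remote repository URLs a reader of `.git/config` would learn. All paths and the repository name are constructed for illustration.

```python
"""Pre-deploy gate: refuse to publish a web root that still contains VCS or
deployment artifacts a browser could fetch. Added example; every path and
repository name below is constructed, not taken from the incident."""
import os
import re
import tempfile

# Names that must never be reachable under a public web root.
FORBIDDEN_NAMES = {".git", ".svn", ".hg", ".env"}
# The 'url = ...' line of a [remote "..."] section in .git/config.
REMOTE_URL_RE = re.compile(r"^\s*url\s*=\s*(\S+)", re.MULTILINE)

def find_exposed_artifacts(web_root: str) -> list:
    """Web-root-relative paths of forbidden entries found under web_root."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(web_root):
        for name in dirnames + filenames:
            if name in FORBIDDEN_NAMES:
                hits.append(os.path.relpath(os.path.join(dirpath, name), web_root))
        # Report a flagged directory once; do not descend into it.
        dirnames[:] = [d for d in dirnames if d not in FORBIDDEN_NAMES]
    return sorted(hits)

def leaked_remotes(git_dir: str) -> list:
    """Remote URLs anyone able to read <git_dir>/config would learn."""
    cfg = os.path.join(git_dir, "config")
    if not os.path.isfile(cfg):
        return []
    with open(cfg, encoding="utf-8") as fh:
        return REMOTE_URL_RE.findall(fh.read())

def deploy_gate(web_root: str) -> dict:
    """'ok' is False when anything forbidden is present; also lists what would leak."""
    hits = find_exposed_artifacts(web_root)
    remotes = []
    for h in hits:
        if os.path.basename(h) == ".git":
            remotes += leaked_remotes(os.path.join(web_root, h))
    return {"ok": not hits, "artifacts": hits, "remotes": remotes}

def build_sample_root(include_git: bool = True) -> str:
    """Constructed web root: index.php, optionally beside a .git folder with a remote."""
    root = tempfile.mkdtemp()
    open(os.path.join(root, "index.php"), "w").close()
    if include_git:
        os.makedirs(os.path.join(root, ".git"))
        with open(os.path.join(root, ".git", "config"), "w", encoding="utf-8") as fh:
            fh.write('[remote "origin"]\n\turl = git@github.com:example-vendor/shop.git\n')
    return root
```

Running `deploy_gate` on the constructed root returns `ok: False` with `.git` listed and the vendor remote URL reported, which is exactly the information the page says led the threat actor from the website to the vendor’s repository; the same gate belongs in the vendor’s deployment pipeline, not only in the customer’s.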
That said, Poh Heng Jewellery’s security measures were found to be adequate relative to its needs and the sensitivity of the personal data it handled. Its security measures at the time of the incident included two-factor authentication, vulnerability scanning, server usage monitoring and an update process for critical plug-ins.
As part of its voluntary undertaking, Poh Heng Jewellery committed to, among others, implementing standard operating processes for vendor risk assessments and onboarding; reviewing contracts with existing vendors in respect of their responsibilities for handling and protecting personal data; obtaining key cybersecurity certifications (e.g., the Cyber Essentials Mark certification and the Cyber Trust Mark certification); and developing a cybersecurity policy and an incident response and crisis management policy. The full summary of the undertaking can be found here.
Key takeaways
These cases are a key reminder to organizations of the importance of vigilance against third-party threat actors, particularly by identifying and addressing systemic shortcomings through regular vulnerability assessments and updates to servers and systems, and strengthening access controls.
The Poh Heng Jewellery case also highlights the importance of implementing processes for vendor onboarding and relationship management, as well as documentation that clearly establishes vendors’ work scope and data protection responsibilities.
These cases also highlight the PDPC’s willingness to accept voluntary undertakings as an enforcement outcome.