On 21 May 2025, Ready Digital Pte. Ltd. (“Organisation”) executed a voluntary undertaking to improve its compliance with the Personal Data Protection Act 2012. This followed from a cyberattack where personal data was deleted from the Organisation’s backup database on a development server located on the Organisation’s premises.
Contents
Key facts
The Organisation is a startup leveraging advancements in sensors, artificial intelligence and data analytics to transform senior care. On 17 October 2024, the Organisation notified the PDPC that a threat actor had exploited an open port on a development server intended for remote access. This vulnerability arose from a misconfiguration by the Organisation’s outsourced developer, which allowed remote access from any IP address without requiring login credentials.
As a result of the cyberattack, the personal data of 155 individuals — including customers, next-of-kin, caregivers, as well as current and former employees — were deleted. The compromised data included the individuals’ names, last four characters of their NRIC numbers, contact numbers, addresses, next-of-kin contact details, and the nature of the relationship with the next-of-kin.
Undertaking
As part of the undertaking, the Organisation will be implementing the following:
- Implement a comprehensive vendor management policy
- Provide staff with training on network security
- Update security policies with periodic reviews
- Obtain the Cyber Security Agency of Singapore’s Cyber Essential Mark Certification by October 2025
The PDPC will verify whether the Organisation complies with the undertakings and, if necessary, issue a direction to ensure the Organisation’s compliance.
Key takeaways
This case highlights the critical importance of robust vendor oversight, stringent access management and secure coding practices. This case serves as a reminder that even early-stage companies and start-ups should be vigilant with regard to data protection and cybersecurity from the outset of their operations.
© 2025 Baker & McKenzie. Wong & Leow. All rights reserved. Baker & McKenzie. Wong & Leow is incorporated with limited liability and is a member firm of Baker & McKenzie International, a global law firm with member law firms around the world. In accordance with the common terminology used in professional service organizations, reference to a “principal” means a person who is a partner, or equivalent, in such a law firm. Similarly, reference to an “office” means an office of any such law firm. This may qualify as “Attorney Advertising” requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome.
