On 30 May 2025, the Singapore Teachers’ Co-operative Society Limited (“Organisation”) executed a voluntary undertaking to improve its compliance with the Personal Data Protection Act 2012 (PDPA). This followed from a data breach that saw the unauthorized access and exfiltration of personal data of the Organisation’s members.
Key facts
The Organisation provides a range of financial products and services to its members. On 11 November 2024, the Organisation notified the PDPC that a threat actor had exploited vulnerabilities in its website to carry out structured query language (SQL) injection attacks and exfiltrate personal data of the Organisation’s members.
The affected personal data included the members’ NRIC number, address, email address, telephone number, nationality, race, gender, marital status, date of birth, age, highest academic qualification, designation, employment status, date of employment/joining the Society, and membership type. The threat actor subsequently used the personal data to send phishing emails to at least 153 members.
Undertaking
The Organisation undertook the following measures:
- Audit its internal processes against the PDPC’s Data Protection Essentials and the Cybersecurity Agency of Singapore’s Cyber Essential Mark requirements
- Develop an outsourcing management policy
- Perform data protection impact assessments
- Establish an agreement with the vendor managing the Organisation’s website to address security requirements
- Complete the data inventory map documenting the data shared with external parties
- Perform due diligence checks on all vendors
- Revamp its website
- Perform web application penetration testing on its website and ensure that all identified vulnerabilities are remediated
- Review and update its IT and data protection policies
- Implement additional technical measures to improve its cyber security
The PDPC will verify whether the Organisation complies with the undertakings and issue a direction to ensure the Organisation’s compliance if necessary.
Key takeaways
This case highlights how vulnerabilities in web applications can be exploited to exfiltrate extensive personal data, and how threat actors may then use the stolen data to conduct phishing attacks against the affected individuals. To protect against these risks, organisations should strengthen their data protection and cybersecurity practices, including regularly assessing their web applications and digital infrastructure for potential vulnerabilities. To this end, the undertakings made by the Organisation serve as a useful checklist for ensuring compliance with the PDPA.

© 2025 Baker & McKenzie. Wong & Leow. All rights reserved. Baker & McKenzie. Wong & Leow is incorporated with limited liability and is a member firm of Baker & McKenzie International, a global law firm with member law firms around the world. In accordance with the common terminology used in professional service organizations, reference to a “principal” means a person who is a partner, or equivalent, in such a law firm. Similarly, reference to an “office” means an office of any such law firm. This may qualify as “Attorney Advertising” requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome.