Singapore: Issued ruling in PDPC investigation into Ecommerce Enablers for possible breach of personal data protection obligations

On 16 August 2023, Singapore's data protection authority, PDPC, issued a ruling following its investigation into Ecommerce Enablers (Case No. DP-2009-B7056) for potential violations of Section 24 of the Personal Data Protection Act 2012 (No. 26/2012). The investigation was opened following a security incident, resulting in a fine of SGD 74'400. PDPC determined that Ecommerce Enablers had breached its obligations to safeguard personal data within its possession or control. This breach occurred due to their failure to establish secure processes for managing the AWS keys that granted access to the company's servers. Moreover, E-commerce Enablers did not conduct regular security reviews to ascertain whether the AWS keys had been compromised.