Singapore: Issued Personal Data Protection Commission ruling following investigation into Carousell's data breach

On 28 December 2023, Singapore's Data Protection Authority (PDPC) imposed a financial penalty of SGD 58'000 on Carousell, an e-commerce platform, for failing to implement reasonable security measures to protect its users' personal data. The PDPC also directed Carousell to review its software testing procedures and processes for documenting software specifications and rectify any identified risks within 90 days. This ruling followed two data breach incidents in 2022, where Carousell was found to have breached its obligation under section 24 of the Personal Data Protection Act 2012 (PDPA).