Singapore: Issued PDPC ruling following investigation into Whiz Communications for breaching data protection obligations under PDPA

On 21 March 2024, the Singapore Personal Data Protection Commission (PDPC) ruled that Whiz Communications failed to adequately protect customers' personal data and imposed a financial penalty of SGD 9'000. The ruling follows an incident where the organisation's customer management system (CMS) was exploited for unauthorised exfiltration of customer personal data, including identification documents and supporting documents. The organisation admitted to breaching the security obligations under the Personal Data Protection Act (PDPA) and took remedial actions post-incident.