Singapore: Issued ruling in PDPC investigation into PPLingo Pte Ltd for alleged breach of data protection measures

On 24 October 2023, the Personal Data Protection Commission (PDPC) issued a ruling in their investigation into PPLingo Pte Ltd for an alleged breach of data protection measures. The investigation began after the PDPC received notification of a data breach involving unauthorised access to personal data on PPLingo’s online education platform. The PDPC initiated the investigation to determine PPLingo’s compliance with the Personal Data Protection Act 2012 (PDPA) in relation to the incident. The PDPC established that PPLingo's operations support system was compromised, and user data was extracted by a threat actor. The Commission’s investigation focused on whether the organisation had breached its obligations under Section 24 of the PDPA to protect personal data in its possession or control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal, or similar risks. As a result, the PDPC issued a financial penalty of USD 74'000 for PPLingo’s negligent contraventions of the Accountability Obligation and Protection Obligation.