Two recent decisions by the Singapore PDPC. hack of the Protection Obligation by ChampionTutor 14 Oct 2021 A financial penalty of $10,000 was imposed on ChampionTutor for failing to put in place reasonable security arrangements to protect personal data in its possession. The incident resulted in the personal data being exposed. The PDPC became aware that the firm’s data was being sold on the dark web and notified the entity, who had not known about it. Investigation revealed that the entity had been aware of an SQLi vulnerability and had instructed its developers in India to address that, but the developers had not done so, leaving the firm vulnerable and eventually hacked. Click here to find out more. hack of the Protection Obligation by The National Kidney Foundation 14 Oct 2021 A warning was issued to The National Kidney Foundation for failing to put in place reasonable security to protect the personal data in its possession. The incident resulted in personal data being downloaded. This was a case where an employee’s email account was hacked in 2020 after the employee fell for a phishing attack. The email account contained personal and sensitive information on approximately 500 people.  The investigation found that the foundation did not have a risk-based approach to identify employees whose role and functions required them to handle personal and sensitive information. Nor did the organization use more secure authentication processes to access email accounts. Click here to find out more.