In brief

On 8 January 2026, the Personal Data Protection Commission (PDPC) announced that it had issued financial penalties against several organizations for contravening the protection obligation under the Personal Data Protection Act 2012 (PDPA). The cases underline the PDPC’s continuing expectation that organizations, particularly those handling high volumes of personal data, should implement and maintain reasonable security arrangements proportionate to their risk profile.

In more detail

People Central Pte Ltd.

On 8 January 2026, the PDPC ordered People Central Pte Ltd. (“People Central”) to pay a financial penalty of SGD 17,500 for breaching its protection obligation under the PDPA. The breach resulted in the deletion of databases and the exfiltration of personal data belonging to 95,000 individuals, which was likely put up for sale on the dark web.

People Central is a Software-as-a-Service (SaaS) provider that offers online HR SaaS solutions.

On 29 April 2024, People Central received an extortion email from a threat actor and, upon conducting an internal investigation, determined that the threat actor had deleted databases and likely exfiltrated personal data that included the personal data of 95,000 employees of People Central’s clients. Further, the personal data of 24,765 individuals who were the emergency contacts and/or children of the employees had also been put at risk of unauthorized access.

Investigations revealed that lapses and weak access controls, such as the lack of two-factor authentication and insufficient security testing, might have contributed to the incident.

The PDPC found that People Central contravened its protection obligation under section 24(a) of the PDPA, as it failed to:

  1. Conduct reasonable periodic security review and provide multiple layers of security
  2. Conduct vulnerability assessments periodically, such as vulnerability scanning and assessments post deployment, as well as penetration testing


Singapore Data Hub Pte Ltd.

On 7 April 2025, the PDPC ordered Singapore Data Hub Pte Ltd. (“Singapore Data Hub”) to pay a financial penalty of SGD 17,500 for breaching its protection obligation under the PDPA. The breach resulted in the exfiltration of personal data belonging to 689,000 individuals, which was likely posted on a web hacking forum on 6 May 2024.

Singapore Data Hub is a SaaS provider that holds a high volume of personal data on behalf of its clients. As part of its services, Singapore Data Hub enters the personal data of its clients’ customers into its systems.

Investigations revealed that there had been unauthorized access to Singapore Data Hub’s network on two occasions, by at least two threat actors, on 28 April 2024 (the first incident) and 14 June 2024 (the second incident) respectively.

It was also revealed that the following likely contributed to both incidents:

  1. The affected web servers were publicly accessible, ran outdated operating systems and lacked security testing.
  2. Singapore Data Hub had not implemented access control measures such as firewalls, monitoring tool(s), multifactor authentication, encryption and network segmentation.

The PDPC found that Singapore Data Hub contravened its protection obligation under section 24(a) of the PDPA, as it failed to:

  1. Provide reasonable access controls, such as implementing and enforcing a strong password policy with a minimum level of password complexity
  2. Conduct reasonable periodic security reviews, such as vulnerability scanning and assessments, and regular patching or upgrades of important software


Key takeaways

These cases are timely reminders that poor cyber hygiene, such as weak password policies and infrequent updates, exposes organizations to data breaches and to enforcement action by the PDPC for breaches of the PDPA. Additionally, the PDPC has stated that organizations such as SaaS providers should possess the necessary technical expertise to implement reasonable cybersecurity measures that address evolving threats. Finally, businesses in the technology sector face higher expectations to put in place appropriate and reasonable security arrangements to protect personal data in their possession or under their control.

Organizations should ensure that they invest in and implement prevention and remediation measures as part of their cybersecurity and data protection compliance strategy.

Sanil Khatri, Daryl Seetoh, and Natalie Joy Huang, Local Principals, have contributed to this legal update.

* * * * *

© 2026 Baker & McKenzie. Wong & Leow. All rights reserved. Baker & McKenzie. Wong & Leow is incorporated with limited liability and is a member firm of Baker & McKenzie International, a global law firm with member law firms around the world. In accordance with the common terminology used in professional service organizations, reference to a "principal" means a person who is a partner, or equivalent, in such a law firm. Similarly, reference to an "office" means an office of any such law firm. This may qualify as "Attorney Advertising" requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome.
