In brief

On 31 October 2025, the Personal Data Protection Commission (PDPC) ordered Air Sino-Euro Associates Travel Pte Ltd (the “Organization”) to pay a financial penalty of SGD 47,000 for breaching its accountability and protection obligations under the Personal Data Protection Act 2012 (PDPA). The breach resulted in the exfiltration of personal data belonging to 336,759 individuals.

In more detail

Key facts

The Organization’s business involves collecting customers’ personal data for tour group and air ticket bookings for the purpose of making travel arrangements. The data is keyed into and stored in its booking system.

On 21 December 2023, the PDPC was notified of an online news article reporting that a threat actor had targeted the Organization and allegedly extracted data from it during the cyberattack. The PDPC reached out to the Organization, which confirmed the incident.

Findings and basis for determination

The PDPC found that the Organization contravened its accountability obligation under sections 11(3) and 12 of the PDPA, as it failed to:

  1. Put in place any internal processes and/or practices, such as complaint-handling and data-handling policies, to meet its data protection obligations and/or communicate such processes/policies to its employees
  2. Appoint a data protection officer (DPO) until after the cyberattack

The PDPC found that the Organization contravened its protection obligation under section 24 of the PDPA, as it failed to:

  1. Conduct regular security reviews; the Organization had not put in place contractual clauses with its IT vendors setting out the vendors' responsibility for carrying out regular security reviews of its systems
  2. Update its outdated operating system, which remained exposed to known security risks and which the threat actor could have exploited to gain access
  3. Employ multifactor authentication or require sufficient password complexity for its administrative and user accounts, which had privileged access to large volumes of confidential or sensitive personal data


Key takeaways

This case is a timely reminder for organizations to maintain strong internal data-handling policies and processes to ensure employees understand and comply with PDPA requirements.

The PDPC also emphasizes the importance of having a DPO who guides the organization in developing data protection policies, conducts a personal data inventory, and reports personal data protection risks.

Additionally, when outsourcing, organizations should implement and document contractual clauses with their vendors to clearly allocate responsibility.

Organizations should practice good cyber hygiene by updating or replacing any outdated or unsupported software, which no longer receives security patches and may leave their systems vulnerable, and by implementing strong authentication controls such as requiring sufficient password complexity and employing multifactor authentication, particularly for accounts with privileged access to personal data.

Sanil Khatri, Daryl Seetoh, and Natalie Joy Huang, Local Principals, have contributed to this legal update.

* * * * *

© 2026 Baker & McKenzie. Wong & Leow. All rights reserved. Baker & McKenzie. Wong & Leow is incorporated with limited liability and is a member firm of Baker & McKenzie International, a global law firm with member law firms around the world. In accordance with the common terminology used in professional service organizations, reference to a "principal" means a person who is a partner, or equivalent, in such a law firm. Similarly, reference to an "office" means an office of any such law firm. This may qualify as "Attorney Advertising" requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome.
