In brief
On 26 February 2026, the Personal Data Protection Commission (PDPC) announced that it had issued a financial penalty and directions against an organisation and its subsidiary for contravening the Protection Obligation under the Personal Data Protection Act 2012 (PDPA). The decision involved a ransomware incident affecting a shared network managed by a B2B e-commerce service provider. Investigations revealed security lapses within the organisations, including unpatched systems, weak access controls, and a failure to enforce multi-factor authentication.
The PDPC also announced its acceptance of voluntary undertakings from three companies. Each of those incidents likewise involved ransomware and system compromises arising from weaknesses including a lack of multi-factor authentication, outdated systems, and inadequate monitoring.
The cases highlight the increasing prevalence of ransomware attacks, and the importance of putting in place sufficiently robust technical and governance controls to defend against these threats.
In more detail
SESAMi (Singapore) Pte Ltd and Abecha Pte Ltd
In 2024, a threat actor accessed SESAMi (Singapore) Pte Ltd's ("SESAMi") servers and encrypted files in a shared drive that contained personal data, holding the data for ransom. Approximately 39,000 individuals' personal data, including bank and credit card details, was rendered inaccessible due to the attack.
Investigations established a number of lapses that could have contributed to the incident:
a) Important security software had not been installed or kept up to date
b) Password and access control management was insufficient – in particular, password rotation was not implemented, and access control policies, which included a requirement for multi-factor authentication on administrator accounts, were not strictly enforced
c) Files containing personal data were not encrypted at the file level.
The PDPC found that SESAMi contravened the Protection Obligation under Section 24 of the PDPA for the above reasons.
Abecha Pte Ltd ("Abecha"), SESAMi's subsidiary, shared the drive with SESAMi and was similarly found to have breached the Protection Obligation. Though the PDPC acknowledged that Abecha, as a subsidiary, did not have the autonomy to depart from centrally managed group-level security arrangements, it stated that subsidiaries are still required to comply with a minimum standard of conduct in such situations. Namely, subsidiaries should (i) consider whether group-level data protection policies need to be adapted to their own circumstances and contexts before adopting them; and (ii) where corporate functions are centralised, ensure that group-level policies are put in place in a manner that makes roles and responsibilities clear. Abecha was found to have fallen short of this minimum standard.
Voluntary Undertakings - Cycle & Carriage Industries Pte Ltd, Lian Beng Group Pte Ltd and subsidiaries, St Francis Methodist School (International) Ltd
As mentioned, all three undertakings likewise concerned ransomware and system compromises. The attacks were attributed to inadequate security measures, including:
a) The use of outdated systems without extended security updates; lack of multi-factor authentication; and the absence of an account lockout policy after failed login attempts
b) Failure to consistently audit, manage and review backend service accounts, and rotate passwords.
One of the organisations also retained records containing personal data beyond their retention periods.
Following the undertakings, the organisations agreed to take steps to strengthen their security measures, including the following:
a) Deploying updated systems, with implementation of asset lifecycle monitoring to prevent end-of-life system vulnerabilities
b) Implementing multi-factor authentication
c) Strengthening service account security through mandatory credential rotation, and restricting dormant accounts
d) Establishing policies against persistent external access and credential-sharing
e) Enforcing strict password policies with account lockout mechanisms
f) Ensuring data retention compliance by regularly reviewing and enforcing departmental policies for stored personal data
g) Enhancing cybersecurity systems and network security features
h) Upgrading backup systems with enhanced encryption and security features
i) Carrying out regular vulnerability assessments, penetration testing and security audits on systems
j) Implementing comprehensive cybersecurity training programs
k) Implementing security awareness training for administrators and developers
l) Assessing suitability for Cyber Essentials and Data Protection Trustmark certifications
m) Implementing data minimisation practices.
Key takeaways
Ransomware risks remain pervasive and a top regulatory concern. Unpatched systems, weak password and access controls, and failure to consistently review and manage active accounts are key sources of vulnerabilities, which can expose individuals' personal data and lead to enforcement action by the PDPC.
These cases are a stark reminder of the risks that companies may face, and of the measures they can adopt to protect themselves and the individuals whose personal data they possess and control.
Organisations should ensure that they invest in and implement prevention and remediation measures as part of their cybersecurity and data protection compliance strategy.
* * * * *
Sanil Khatri, Daryl Seetoh, and Natalie Joy Huang, Local Principals, have contributed to this legal update.

© 2026 Baker & McKenzie. Wong & Leow. All rights reserved. Baker & McKenzie. Wong & Leow is incorporated with limited liability and is a member firm of Baker & McKenzie International, a global law firm with member law firms around the world. In accordance with the common terminology used in professional service organizations, reference to a "principal" means a person who is a partner, or equivalent, in such a law firm. Similarly, reference to an "office" means an office of any such law firm. This may qualify as "Attorney Advertising" requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome.