Singapore’s Personal Data Protection Commission (PDPC) has taken enforcement action against a B2B e-commerce service provider and three other organizations after ransomware attacks compromised personal data, affecting approximately 39,000 individuals. The incidents, which occurred earlier this year, have raised concerns over data security and corporate compliance with data protection laws.
Security Failures Exposed Sensitive Information
The PDPC’s decision, issued on 26 February 2026, relates to a ransomware attack on a shared network managed by a B2B e-commerce service provider. The attack left the personal data of around 39,000 individuals, including bank and credit card details, inaccessible. According to the commission, the breach was due to multiple security lapses, including unpatched systems, weak access controls, and a failure to enforce multi-factor authentication.
“The organisation was found in breach of the Protection Obligation under the Personal Data Protection Act (PDPA),” said a PDPC statement. The commission has directed the company to strengthen its security posture and implement measures to prevent future incidents.
Three Companies Agree to Undertakings
In addition to the decision, the PDPC accepted three undertakings from different organizations that were affected by ransomware and system compromise incidents. These incidents involved personal data such as employees’ and customers’ contact details, identification numbers, and bank account information. The breaches were attributed to weaknesses such as the lack of multi-factor authentication, outdated systems, and inadequate monitoring.
The companies have committed to taking prompt remedial actions and implementing stronger technical and governance controls, as outlined in their undertakings. The PDPC said it considered the proactive steps taken by these organizations in deciding to accept the undertakings rather than issuing formal penalties.
Impact on Consumers and Businesses
The breaches have raised concerns among consumers about the security of their personal data, particularly financial information. For individuals affected by the ransomware attack, the loss of access to their bank and credit card details could lead to identity theft or financial fraud. Financial institutions may face increased claims and reputational damage, while businesses may suffer from operational disruptions and loss of customer trust.
“This is a wake-up call for organisations handling personal data to ensure they are compliant with the PDPA and have strong security measures in place,” said a data privacy expert. The incidents also highlight the growing threat of ransomware attacks targeting businesses in Singapore and the need for stronger cyber defenses.
The PDPC has urged organisations to conduct regular security audits, update their systems, and train employees on best practices for data protection. The commission also emphasized the importance of promptly reporting data breaches to the PDPC and taking immediate steps to mitigate harm to affected individuals.
The enforcement actions taken by the PDPC come amid a rise in cyberattacks globally, with ransomware being a particularly prevalent threat. In recent years, similar incidents have been reported in other jurisdictions, including the United States, the United Kingdom, and Australia. These attacks have led to significant financial losses, legal liabilities, and reputational damage for affected organizations.
The PDPC’s decision and the three undertakings are part of its ongoing efforts to enforce compliance with the PDPA and protect individuals’ personal data. The commission has also introduced new guidelines and enforcement measures to address the growing risks posed by cyber threats.
Experts believe that the enforcement actions taken by the PDPC will serve as a deterrent to other organizations and encourage them to invest in better data security practices. However, they also warn that the threat of ransomware attacks is likely to continue to evolve, requiring constant vigilance and adaptation by businesses and regulators alike.
The PDPC has not disclosed the names of the companies involved in the three undertakings, citing confidentiality. However, it has stated that the organizations have committed to specific remedial measures, including implementing stronger access controls, updating their systems, and enhancing their monitoring capabilities.
The PDPC’s actions are expected to have a broader impact on the business community in Singapore, prompting organizations to review their data protection policies and invest in better cybersecurity measures. The commission has also announced plans to conduct more audits and inspections in the coming months to ensure compliance with the PDPA.