The DataPost incident is a third-party risk management failure with a specific structural cause: print-and-mail vendors sit outside the security perimeter of their clients but hold data in its most exposure-ready form, formatted and addressed for physical delivery. That combination of sensitive PII, low security maturity, and high data concentration makes document fulfilment providers a systematically underrated attack surface. PDPC's investigation will likely turn on whether Income's vendor due diligence and contractual security requirements met the accountability obligations under PDPA, not just whether Income's own systems were hardened.
The DataPost incident is a third-party risk management failure with a specific structural cause: print-and-mail vendors sit outside the security perimeter of their clients but hold data in its most exposure-ready form, formatted and addressed for physical delivery. That combination of sensitive PII, low security maturity, and high data concentration makes document fulfilment providers a systematically underrated attack surface. PDPC's investigation will likely turn on whether Income's vendor due diligence and contractual security requirements met the accountability obligations under PDPA, not just whether Income's own systems were hardened.