Background

The Personal Data Protection Commission (the “Commission”) received a data breach notification on 18 June 2020 from DLI Asia Pacific Pte Ltd (“DLIAP”), informing that a ransomware attack had infected one of its file servers (“the File Server”), affecting the personal data of approximately 848 individuals. The affected datasets comprised the affected individuals’ names, addresses, contact numbers, dates of birth, marital status, insurance policy details, insurance premiums, passport copies, education background, employment details and/or salary information.

It was established that DLIAP had not implemented adequate security measures to protect the personal data in the File Server at the time of the incident. In particular, there were insufficient controls to regulate access to the File Server via a virtual private network (“VPN”). The server hosting the VPN had not been patched, and the same credentials were used to access both the File Server and the VPN .  

Remedial Actions

After the incident, as part of a remediation plan, DLIAP :
(a) Implemented multi-factor authentication to strengthen VPN login; 
(b) Implemented different user accounts for VPN and File Server access;
(c) Implemented a virtual desktop for its IT vendor with activity monitoring;
(d) Engaged a security consultant to review its current IT infrastructure and propose enhancements; 
(e) Implemented additional security monitoring by a different IT vendor;
(f) Improved patch update & management processes;
(g) Established thorough file management rules for cloud storage of data;
(h) Implemented email rules including password rules for attachments; and
(i) Implemented compliance training for DLIAP’s employees;

Undertaking

The Commission recognises that DLIAP has made efforts to address the concerns raised in this case and to improve its personal data protection practices. Having considered the circumstances of the case, the Commission accepted an undertaking from DLIAP to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 22 December 2020 (the “Undertaking”). 

The Undertaking provided that DLIAP was to complete implementation of its remediation plan by reviewing its internal policies relating to the handling of personal information.

DLIAP has since updated the Commission that implementation of its remediation plan has been completed. The Commission has reviewed the matter and determined that DLIAP has complied with the terms of the Undertaking. 

Please click here to view the Undertaking.