On 3 April 2021, “K” Line Pte Ltd, “K” Line Ship Management (Singapore) Pte. Ltd., and “K” Line (Singapore) Pte Ltd (the “Organisations”) notified the Personal Data Protection Commission (the “Commission”) that they had been subjected to malware attacks. These three related Organisations are Singapore-registered subsidiaries of Kawasaki Kisen Kaisha Ltd, a foreign-registered holding company. On 18 March 2021, the Organisations were informed of a cyber incident by an overseas affiliate, also a subsidiary of Kawasaki Kisen Kaisha Ltd. An account belonging to the affiliate, which had high privilege and access rights, was compromised in the incident. The compromised account was then used to launch malware attacks on the Organisations’ IT environment in Singapore.
In total, the personal data of about 2,148 individuals from these three Organisations, including current and former employees and scholarship applicants, was affected. The personal data included names, addresses, NRIC numbers, passport numbers, nationality, photographs, family details, medical information and bank account numbers.
After the incident, as part of a remediation plan, the Organisations:
(a) Reinforced the use of the built-in password protection capability for sensitive documents and the use of a desktop encryption tool by all staff. The Organisations also supplemented existing email reminders on cybersecurity best practices with regimented user awareness training;
(b) Reviewed the Access Control List governing network traffic between the Organisations and their affiliates;
(c) Reviewed the administrative rights and access to the servers shared between the Organisations and their affiliates;
(d) Changed their password policy settings and conducted a global exercise to update all user and system account credentials;
(e) Employed a cybersecurity analyst to perform security alert triage and IT security projects;
(f) Implemented two-factor authentication (2FA) for remote access to servers;
(g) Implemented 2FA for remote access by users via Virtual Private Network (VPN);
(h) Conducted a threat analysis of the group companies’ Active Directory, servers and client PCs that are connected to the Organisations’ network;
(i) Deployed threat detection tools;
(j) Implemented an e-Learning program;
(k) Established a service agreement with a security vendor for 24/7 Managed Detection and Response (MDR);
(l) Implemented vulnerability testing on IT systems to be conducted by a security vendor;
(m) Implemented system hardening and enforcement of USB usage restrictions;
(n) Implemented an encryption solution to protect their databases and file systems;
(o) Expanded firewall capability to scan encrypted network packets, mitigating potential malicious payloads hidden in HTTPS-encrypted traffic; and
(p) Engaged an external consultant to run a cybersecurity awareness campaign to increase the general workforce’s awareness of, and ability to handle, cyber risks.
Having considered the circumstances of the case, including the comprehensive remedial steps taken by the Organisations to improve their data protection practices, the Commission accepted an undertaking from the Organisations to improve their compliance with the Personal Data Protection Act 2012. The undertakings were executed on 8 September 2021 (the “Undertakings”).
The Organisations have since updated the Commission that they have completed the implementation of their remediation plan. The Commission has reviewed the matter and determined that the Organisations have complied with the terms of the Undertakings.