Background 

The Personal Data Protection Commission (the “Commission”) received a data breach notification on 17 July 2020 from Seafront Support Company Pte. Ltd. (“Seafront Support”) informing that a ransomware attack had rendered data on its server inaccessible. The personal data of approximately 400 to 500 individuals was lost in the incident. The affected datasets comprised the affected individuals’ full name, last 3 digits and checksum of their NRIC number, passport number, last 3 digits and checksum of their FIN number, first 5 digits of their work permit number, address, date of birth, salaries and/or CPF payment details. 

It was established that Seafront Support had not implemented adequate security measures to protect the personal data in the server at the time of the incident. Seafront Support did not have a dedicated IT department to monitor and manage its IT system, including the server which had not been patched regularly. Seafront Support’s staff were also not well-informed of safe IT practices.

Remedial Actions

After the incident, as part of a remediation plan, Seafront Support:

(a) engaged an external IT consultant to manage its IT system; 
(b) conducted an audit of Seafront Support’s entire IT system and made improvements to harden its IT system;
(c) developed and implemented an IT security policy;
(d) conducted meetings and sent periodic email reminders on safe IT practices to increase staff awareness on cybersecurity issues; and
(e) instructed staff to back-up their files daily on separate cloud-based storage.

Undertaking 

Having considered the circumstances of the case, including the remedial steps taken by Seafront Support to improve its personal data protection practices, the Commission accepted an undertaking from Seafront Support to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 15 December 2020 (the “Undertaking”). 

The Undertaking provided that Seafront Support was to complete the implementation of its remediation plan by upgrading its firewall to strengthen protection of its IT system.

Seafront Support has since updated the Commission that implementation of its remediation plan has been completed. The Commission has reviewed the matter and determined that Seafront Support has complied with the terms of the Undertaking.

Please click here to view the Undertaking.