The Personal Data Protection Commission (the “Commission”) received a data breach notification on 11 July 2022 from Tat Hong Heavyequipment (Pte.) Ltd (“Organisation”) regarding a ransomware attack in which various systems within the Organisation’s network were encrypted. A total of 43 virtual machines, 4 physical servers, 3 employees’ PCs and network attached storage were affected.
The personal data of the Organisation’s 3,377 current and former employees and their next-of-kin may have been compromised. The personal data included names, dates of birth, NRIC/FIN/passport numbers, addresses, contact numbers, bank account numbers (for crediting of salaries) and fingerprints (for door access). There was no evidence of personal data exfiltration and all personal data have been fully restored.
After the incident, as part of a remediation plan, the Organisation implemented the following:
(a) Hardening of the perimeter firewall and fine-tuning of firewall configurations;
(b) Periodic vulnerability assessment and penetration testing, conducted annually or after major system upgrades;
(c) Redesign of the network so that all traffic passes through the main firewall for better visibility, monitoring and logging;
(d) Implementation of multi-factor authentication for privileged and high-risk connections;
(e) Ensuring that all active PCs and servers have Endpoint Detection and Response installed;
(f) Upgrading the existing HRMS to one that complies with the latest industry-standard encryption algorithms;
(g) Conducting end-user awareness training, such as phishing simulation exercises, to train employees and IT staff to identify phishing emails and be alert to signs of compromise.
Having considered the circumstances of the case, including the remedial steps taken by the Organisation, the Commission accepted an undertaking from the Organisation to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 20 October 2022 (the “Undertaking”).
The Organisation has since updated the Commission that it has fully implemented its remediation plan. The Commission has reviewed the matter and determined that the Organisation has complied with the terms of the Undertaking.