The Personal Data Protection Commission (the “Commission”) received a data breach notification on 11 April 2020 from Thye Hua Kwan Moral Charities Limited (“THKMC”), after THKMC discovered that its website had been hacked. Investigations revealed that malicious actors had gained access to the web content management system by altering a web configuration file that had been left in a public directory without any access controls restricting its use. The employee tasked with the administration of the website lacked the requisite technical knowledge and awareness of basic website security features and cyber security hygiene.
As a result, the personal data of 550 volunteers was at risk of unauthorised access. However, THKMC’s investigation found no evidence of data loss or of access by third-party visitors. The types of personal data at risk included the volunteers’ names, residential telephone numbers, mobile numbers, email addresses, residential addresses, dates of birth, volunteering experiences, and interests.
After the incident, as part of the remediation plan, THKMC:
(a) engaged a professional web development vendor to re-build its website to conform with established web security standards and the Open Web Application Security Project (OWASP) guidelines;
(b) took preventive measures to harden the website by subscribing to cyber security threat monitoring software and updating the firewall IP tables with the blacklisted IPs of past attackers;
(c) discontinued the storage of personal data on its new website. The volunteer sign-up page and database were outsourced to a third-party cloud-based volunteer management portal which has a set of security controls to protect the personal data that it collects;
(d) migrated internal report submission services from the THKMC internet website to the THKMC intranet staff portal, which is a more secure environment;
(e) assigned control of website administration (previously administered by its Corporate Communications Department) and operations hosted by Amazon Web Services to its IT Department;
(f) implemented mandatory annual cyber security training and an online quiz for all THKMC staff. Staff from the IT department are also required to attend relevant training courses to upgrade their knowledge and competency in cyber security;
(g) implemented periodic unannounced phishing exercises to test the alertness of staff to cyber threats;
(h) made enhancements to its endpoint protection and email security; and
(i) developed a cyber security policy and an incident response and crisis management policy.
Having considered the circumstances of the case, including the remedial steps taken by THKMC to improve its personal data protection practices, the Commission accepted an undertaking from THKMC to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 15 December 2020 (the “Undertaking”).