New Commission's Decision and Undertakings on 26 February 2026
26 Feb 2026
This month, the Commission issued one Decision and three Undertakings.
The Decision relates to a ransomware incident affecting a shared network managed by a B2B e-commerce service provider. Approximately 39,000 individuals' personal data, including bank and credit card details, was rendered inaccessible due to the attack. Investigations found security lapses such as unpatched systems, weak access controls and failure to enforce multi-factor authentication. The Commission found the organisation in breach of the Protection Obligation and issued directions for it to strengthen its security posture.
The three Undertakings concern separate ransomware and system compromise incidents across different sectors. The incidents involved personal data such as employees' and customers' contact details, identification numbers and bank account information, and arose from weaknesses including a lack of multi-factor authentication, outdated systems and inadequate monitoring. In accepting the Undertakings, the Commission considered the prompt remedial actions taken and the organisations' commitments to implement stronger technical and governance controls.
Key Takeaways for Organisations
- Implement and strictly enforce multi-factor authentication for administrator, VPN and privileged accounts
- Maintain robust patch management processes and avoid operating on end-of-life systems
- Enforce strong password policies with rotation and account lockout mechanisms
- Conduct regular vulnerability assessments and periodic security reviews
- Implement network segmentation, logging and monitoring to detect suspicious activity early
- Review data retention practices and minimise the collection and storage of sensitive personal data
Access the Decision and Undertakings respectively.
