Background 

The Personal Data Protection Commission (the "Commission") was notified by AEM Holdings Ltd. ("AEM") on 1 July 2022 of a personal data breach involving the unauthorised access and exfiltration of personal data.

Investigations revealed that a malicious actor had likely obtained initial access to AEM's IT environment through a virtual private network ("VPN") applianced owned, controlled, and maintained by its vendor. The VPN appliance had contained a known critial exploit, as the vendor had not updated it. The malicious actor had likely made use of the critical exploit to obtain the VPN credentials and session information.

The malicious actor successfully deployed ransomeware, encrypting and/or exfiltrating the personal data of 18,135 individuals (the "Incident"). The personal data affected included their identification numbers, personal contact information, employee status, salary, leave records, date of birth, race, religion, COVID-19 test results, body temperatures for COVID-19 measures, vaccination information, list of shareholders, employee bank account numbers, profile photographs, and fingerprints.

Remedial Actions

After the incident, as part of a remediation plan, AEM put in place the following measures:

(a) Implemented a third-party vendor cybersecurity risk management policy;

 

(b) Implemented standard contractual clauses for contracting with third-party vendors;

(c) Implemented regular cybersecurity reviews; and

(d) Reviewed and enhanced its data classification policy.

The Commission was also satisfied with the additional actions undertaken by AEM.

Undertaking 

Having considered the circumstances of the case, the Commission accepted an undertaking from AEM to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 2 May 2023 (the "Undertaking").

The Commission accepted the Undertaking having considered the number of affected individuals, the types of personal data involved and the impact of the Incident. Accepting the Undertaking was also consistent with the Commission's practice with respect to other personal data breaches similar to the one that affected AEM.

AEM has since updated the Commission that it has completed the implementation of its remediation plan. The Commission has reviewed the matter and is satisfied that AEM has compiled with the terms of the Undertaking.

Please click here to view the Undertaking.