Background 

The Personal Data Protection Commission (the “Commission”) was notified by HSL Constructor Pte Ltd (“HSL”) on 7 October 2021 that it was subject to ransomware attack on 30 September 2021. As a result of the attack, 3 of its servers and a Network Attached Storage (“NAS”) were encrypted by ransomware.

Personal data of 758 current and former HSL employees were encrypted. The personal data included their name, NRIC number, residential address, email address, family information, salary information and medical information. The Commission noted that there was no evidence of exfiltration of the data.

It was established that the threat actor(s) had likely gained access to HSL’s network by exploiting the vulnerabilities present in the outdated software used on 2 of its servers, or using compromised credentials.

Remedial Actions

After the incident, as part of a remediation plan, HSL:

(a) Implemented multifactor authentication for all administrator access, for users with administrative privileges, and for accounts with access to sensitive data/ systems;
(b) Supplemented existing email reminders on cybersecurity best practices with regimented user awareness training;
(c) Decommissioned all servers running Windows Server 2008 R2 and below;
(d) Installed endpoint protection on all servers;
(e) Patched all servers and firewall;
(f) Reset all admin account passwords; and
(g) Closed unused ports on its firewall.

Undertaking 

Having considered the circumstances of the case, including the remedial steps taken by HSL to improve its data protection practices, the Commission accepted an undertaking from HSL to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 31 March 2022 (the “Undertaking”).

HSL has since updated the Commission that it has completed the implementation of its remediation plan. The Commission has reviewed the matter and determined that HSL has complied with the terms of the Undertaking.