The Personal Data Protection Commission (the “Commission”) received a data breach notification on 16 June 2021 from JT Legal LLC (“JTL”). JTL stated that it had been subjected to an email phishing attack which allowed the threat actor to access and view files on JTL’s SharePoint. The personal data of approximately 1,006 individuals were at risk. The datasets affected comprised the names, addresses, email addresses, NRIC numbers and passport numbers.
It was established that (a) JTL had insufficient training for its staff on basic cybersecurity and data protection measures, (b) there was no personal data policy or written internal guidelines, (c) a lack of IT security policy for and no security risk management of its information and communications technology (“ICT”) operations.
After the incident, as part of a remediation plan, JTL promptly implemented the following measures:
(a) Implemented Multi-Factor Authentication for all user accounts;
(b) Secured files and documents using password protection;
(c) Implemented dedicated anti-virus on all computers;
(d) Conducted a review of IT infrastructure;
(e) Implemented further security measures;
(f) Developed an internal reporting system;
(g) Implemented training and awareness programmes for its employees; and
(h) Reviewed and updated its personal data protection policy.
The Commission recognises that JTL has made efforts to address the concerns raised in this case and to improve its personal data protection practices. Having considered the circumstances of the case, the Commission accepted an undertaking from JTL to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 27 August 2021 (the “Undertaking”).
The Undertaking provided that JTL has to complete its implementation of the remediation plan. This includes a professional review of its IT infrastructure and other measures outlined within the remediation plan.
JTL has since updated the Commission that implementation of its remediation plan has been completed. The Commission has reviewed the matter and is satisfied that JTL has complied with the terms of the Undertaking.
Please click here to view the Undertaking.