Background

The Personal Data Protection Commission (the “Commission”) was notified by Low Keng Huat (Singapore) Limited (“LKHS”) on 4 July 2023 of a personal data breach involving the unauthorised access and exfiltration of personal data.

Investigations revealed that a malicious actor had gained initial access to LKHS's IT environment remotely. The firewall was not configured and therefore unable to block malicious traffic. The vendor was responsible for managing the firewall system, and no testing was conducted before the system went live after an upgrade. As a result, server logs were missing during that period, and security threat protection was not enabled in the system. The malicious actor likely exploited a critical vulnerability to obtain LKHS's workstation credentials and compromise email accounts.

The malicious actor successfully deployed ransomware, encrypting and/or exfiltrating the personal data of 1,400 individuals (the “Incident”). The personal data affected included their personal contact information, emails, IC and passport scans, date of birth, sale and purchase agreements, and option to purchase documents. LKHS has been conducting monitoring and has not found any evidence to suggest that the personal data affected in the incident has been misused.

Remedial Actions

After the Incident, as part of a remediation plan, LKHS put in place the following measures:

(a) Patched all software and outdated firmware.

 

(b) Updated and completed all IT hardware and software asset lists.

 

(c) Implemented clear vendor management and account responsibilities processes.

 

(d) Reviewed and resolved firewall issues and eliminated the need for VPN.

 

(e) Implemented strong security settings for servers and updated all workstations with endpoint protection.

 

(f) Implemented 2FA and more stringent password policies.

 

(g) All LKHS’s accounts have undergone a successful security audit, with evidence of log file visibility.

 

(h) Scheduled a yearly cybersecurity and IT training for all staff.

 

(i) Implemented new software and patch management policy. 

 

The Commission was also satisfied with the additional remedial actions undertaken by LKHS.

Undertaking

Having considered the circumstances of the case, the Commission accepted an undertaking from LKHS to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 12 October 2023 (the "Undertaking").

The Commission accepted the Undertaking having considered the number of affected individuals, the types of personal data involved and the impact of the Incident. Accepting the Undertaking was also consistent with the Commission’s practice with respect to other personal data breaches similar to the one that affected LKHS. 

LKHS has since updated the Commission that it has completed the implementation of its remediation plan. The Commission has reviewed the matter and is satisfied that LKHS has complied with the terms of the Undertaking.

Please click here to view the Undertaking.