Undertaking by Moncler Singapore Pte Ltd

Background 

The Personal Data Protection Commission (the “Commission”) was notified by Moncler Singapore Pte. Limited (“Moncler”) on 24 February 2022 of a personal data breach involving the unauthorised access and exfiltration of personal data.

 

Investigations revealed that a malicious actor had utilised a sophisticated ransomware-as-a-service against Moncler’s corporate environments, possibly by using compromised credentials, vulnerability exploits, or spear-phishing. However, the exact cause of the breach could not be determined.

 

The malicious actor successfully deployed ransomware, encrypting and exfiltrating the personal data of 8,570 individuals (the “Incident”). The personal data affected included the name, date of birth, contact information, and purchase data of 8,561 customers, and the name, date of birth, contact information and payroll data of 9 employees.

Remedial Actions

After the Incident, as part of a remediation plan, Moncler put in place the following measures:

(a)  Enhancing current cybersecurity training and awareness capabilities;

(b)  Extending and refining Business Impact Analysis;

(c)  Reviewing and improving its identity governance and access management solutions;

(d)  Reviewing the security posture of the servers;

(e)  Formalizing the application of its Vulnerability Management Process;

(f)  Formalizing an IT Asset Management Program;

(g)  Performing network security assessments;

(h)  Improving Security Operation Center capabilities; and

(i)  Implementing a configuration management database solution.

 

The Commission was satisfied with the remedial actions undertaken by Moncler.

Undertaking 

Having considered the circumstances of the case, the Commission accepted an undertaking from Moncler to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 29 June 2022 (the “Undertaking”).

 

The Commission accepted the Undertaking having considered the number of affected individuals, the types of personal data involved and the impact of the Incident. Accepting the Undertaking was also consistent with the Commission’s practice with respect to other personal data breaches similar to the one that affected Moncler. 

 

Moncler has since updated the Commission that it has completed the implementation of its remediation plan. The Commission has reviewed the matter and is satisfied that Moncler has complied with the terms of the Undertaking.
