The Personal Data Protection Commission (the “Commission”) received a data breach notification on 1 April 2022 from Murata Machinery Singapore Pte Ltd (“Organisation”) regarding a ransomware attack on its back-end servers on 31 May 2022, causing personal data stored within to be encrypted.
The personal data of the 200 affected individuals included names, addresses, email addresses, contact numbers, NRIC/FIN and passport numbers, dates of birth, salaries and bank account numbers.
After the incident, as part of a remediation plan, the Organisation implemented the following:
(a) Replaced its existing firewall and VPN client with products offering more complete security features;
(b) Implemented MFA before re-enabling VPN access to its servers, and set a lockout threshold of 5 failed login attempts for VPN clients as an added control;
(c) Disabled Remote Desktop Protocol (“RDP”) access to its back-end servers by default, enabling it only for planned maintenance tasks;
(d) Implemented automated offline backups of the server contents to a tape drive;
(e) Implemented regular manual data backups to encrypted hard disks kept under lock and key;
(f) Deployed suitable encryption software to encrypt server directories containing personal data;
(g) Periodically off-loaded low-use personal data to an encrypted external hard disk kept offline under lock and key;
(h) Engaged a vendor to regularly update and maintain its firewall and VPN client, to monitor its IT network traffic for unauthorised access, and to fulfil the following:
i. Conduct regular audits of computer devices to ensure that software and operating systems are updated and patched;
ii. Conduct regular reviews and audits of domain user accounts and computer devices to clean up unused accounts;
iii. Implement a local administrator password solution (LAPS) for domain user computer devices; and
iv. Enforce server message block (SMB) signing to authenticate and protect the integrity of traffic between domain user computer devices and back-end servers (signing detects tampering and relay of SMB packets; it does not by itself encrypt their contents).
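Two of the listed controls, the default-off RDP posture in (c) and SMB signing in (h)(iv), are Windows settings that can be audited and enforced from PowerShell. The block below is an added illustration and is not the Organisation's actual configuration or part of the Commission's text. It assumes a domain-joined Windows Server 2012 R2 or later with the SmbShare and NetSecurity modules, run from an elevated session; the function names are the editor's own. The VPN-side MFA and lockout threshold in (b) are configured on the VPN appliance and are not shown.

```powershell
# Added illustration (not the Organisation's configuration): audit and enforce
# the Windows-side controls in (c) and (h)(iv). Assumes Windows Server 2012 R2+,
# SmbShare and NetSecurity modules, elevated session. Function names are the
# editor's own.

$RdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

function Get-HardeningState {
    # Report the current state of each control before changing anything.
    $rdpDenied = (Get-ItemProperty -Path $RdpKey -Name fDenyTSConnections).fDenyTSConnections -eq 1
    $rdpRulesOn = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
        Where-Object { $_.Enabled -eq 'True' }
    $srv = Get-SmbServerConfiguration
    $cli = Get-SmbClientConfiguration
    [pscustomobject]@{
        RdpDisabled              = $rdpDenied
        RdpFirewallRulesOff      = (-not $rdpRulesOn)
        SmbServerSigningRequired = $srv.RequireSecuritySignature
        SmbClientSigningRequired = $cli.RequireSecuritySignature
        SmbEncryptionOn          = $srv.EncryptData
    }
}

function Set-HardeningState {
    param(
        # (c): pass this only for a planned maintenance window, then re-run without it.
        [switch]$AllowRdpForMaintenance,
        # Optional: SMB 3.x encryption for confidentiality on the wire. Rejects
        # SMB1/SMB2 clients, so confirm every client supports SMB3 before enabling.
        [switch]$EncryptSmb
    )

    # (c): RDP is off by default at both the Terminal Server setting and the firewall.
    $deny = if ($AllowRdpForMaintenance) { 0 } else { 1 }
    Set-ItemProperty -Path $RdpKey -Name fDenyTSConnections -Value $deny
    if ($AllowRdpForMaintenance) {
        Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'
    } else {
        Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
    }

    # (h)(iv): require SMB signing on both the server and client side. Signing
    # authenticates each packet and blocks relay/tampering; it does not encrypt.
    Set-SmbServerConfiguration -EnableSecuritySignature $true -RequireSecuritySignature $true -Force
    Set-SmbClientConfiguration -EnableSecuritySignature $true -RequireSecuritySignature $true -Force

    if ($EncryptSmb) {
        Set-SmbServerConfiguration -EncryptData $true -Force
    }

    Get-HardeningState
}

# Typical use: audit, enforce the default posture, then review the result.
Get-HardeningState
Set-HardeningState
# During a planned maintenance task: Set-HardeningState -AllowRdpForMaintenance
# Afterwards, restore the default:      Set-HardeningState
```

Applying the same settings by Group Policy (Computer Configuration, Windows Settings, Security Options, "Microsoft network server/client: Digitally sign communications (always)") keeps them from drifting on machines that are rebuilt or added later; the script is useful for verifying that the policy actually took effect on a given host.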
Having considered the circumstances of the case, including the remedial steps taken by the Organisation, the Commission accepted an undertaking from the Organisation to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 22 August 2022 (the “Undertaking”).
The Organisation has since updated the Commission that it has fully implemented its remediation plan. The Commission has reviewed the matter and determined that the Organisation has complied with the terms of the Undertaking.