On 4 January 2022, OG Private Limited (the "Organisation") received a ransom email from Desorden Group. The email claimed that Desorden Group had hacked into the Organisation and stolen personal data belonging to the Organisation's customers. The Desorden Group demanded a ransom of USD$90,000 in return for not publishing the stolen data.
Investigations revealed that the threat actor had conducted a brute-force SQL injection attack against the Organisation's web portal and was able to download three databases. Two of these databases contained only "dummy data" used for internal testing; the third contained the personal data (including the name, gender, address, date of birth, email address, telephone numbers, and the encrypted NRIC numbers and passwords) of approximately 276,677 individuals.

The impact of the ransomware attack on the Organisation was limited because the Organisation's data intermediary, Poket Pte Ltd ("Poket"), responded quickly. Within 8 minutes of receiving security notifications that abnormal traffic had been detected, Poket shut down the affected servers and blocked access to the Organisation's databases.
After the incident, as part of a remediation plan, the Organisation implemented the following:
(a) enhanced SQL injection prevention;
(b) streamlined data storage;
(c) hardened web portal security;
(d) implemented an annual security review; and
(e) tightened protocols for contracting with third-party vendors.
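To make remediation item (a) concrete, the following is an added example and not the Organisation's or Poket's code. It shows the class of defect behind an SQL injection: a lookup that splices user input into the query text, beside the same lookup written with a bound parameter. The schema, table names and rows are constructed for the example only; the payloads are the two classic shapes, a tautology that returns every row and a UNION that pulls rows from a table the query was never meant to touch.

```python
import sqlite3

# Constructed sample data for this example; not the Organisation's schema.
CUSTOMER_ROWS = [
    ("alice", "Alice Tan", "alice@example.com"),
    ("bob", "Bob Lim", "bob@example.com"),
    ("carol", "Carol Ng", "carol@example.com"),
]
STAFF_ROWS = [
    ("dan", "Dan Ong", "dan@example.internal"),
]


def build_db():
    """In-memory SQLite database with two constructed tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, name TEXT, email TEXT)")
    conn.execute("CREATE TABLE staff (username TEXT, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", CUSTOMER_ROWS)
    conn.executemany("INSERT INTO staff VALUES (?, ?, ?)", STAFF_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    # Attacker-controlled input becomes part of the SQL text, so quotes and
    # keywords in the input change the statement itself.
    query = f"SELECT name, email FROM customers WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, username):
    # The value is passed separately from the SQL text; whatever the input
    # contains, it is compared as data and can never alter the statement.
    return conn.execute(
        "SELECT name, email FROM customers WHERE username = ?", (username,)
    ).fetchall()


# Tautology: WHERE username = '' OR '1'='1'  -> every customer row
TAUTOLOGY_PAYLOAD = "' OR '1'='1"
# UNION: appends rows from a different table; '--' comments out the trailing quote
UNION_PAYLOAD = "' UNION SELECT name, email FROM staff --"


def demo():
    """Run both lookups with a legitimate username and both payloads."""
    conn = build_db()
    return {
        "legit_vulnerable": lookup_vulnerable(conn, "alice"),
        "tautology_vulnerable": lookup_vulnerable(conn, TAUTOLOGY_PAYLOAD),
        "union_vulnerable": lookup_vulnerable(conn, UNION_PAYLOAD),
        "legit_parameterized": lookup_parameterized(conn, "alice"),
        "tautology_parameterized": lookup_parameterized(conn, TAUTOLOGY_PAYLOAD),
        "union_parameterized": lookup_parameterized(conn, UNION_PAYLOAD),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

Against the vulnerable lookup the tautology payload returns all three customer rows and the UNION payload returns the staff row; the parameterized lookup returns exactly one row for "alice" and nothing for either payload. Parameterization fixes the query-construction defect but not the rest of the list above: rate limiting and anomaly alerting (which is what gave Poket its 8-minute response) still matter, because a brute-force probe will keep hammering an endpoint whether or not it succeeds.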
Having considered the circumstances of the case, the Commission accepted an undertaking from the Organisation to improve its compliance with the PDPA. The Commission accepted the undertaking after considering the security arrangements the Organisation had in place to protect the personal data in its possession or control, and the prompt response taken by the Organisation, which mitigated the effect of the ransomware attack. The undertaking was executed on 3 June 2022 (the "Undertaking").
The Organisation has since updated the Commission that it has fully implemented its remediation plan. The Commission has reviewed the matter and determined that the Organisation has complied with the terms of the Undertaking.