The Personal Data Protection Commission (the “Commission”) was notified by Pu Tien Restaurant Pte Ltd (the "Organisation") on 6 December 2021 that it was subject to a ransomware attack on 24 November 2021. A threat actor used stolen adminstrator account credentials to enture the Organisation's network through a remote desktop protocol port. As a result, its servers containing personal data were accessed and encrypted by ransomware.
350 employees' personal data were encrypted. The personal data included full names, contact numbers, NRIC, work permit, passport numbers, birth certificate and education certificate images, and bank account numbers. The Commission noted that there was no evidence of exfiltration of the personal data.
To prevent a recurrence of a similar incident, the Organisation took immediate remedial action to address the cause of the personal data breach. These include:
(a) Development of policies and procedures in relation to IT security, cyber hygiene, protection, prevention of leakage and secure disposal of data and incident response;
(b) Implementation of security measures such as anti-virus software, firewall, multi-factor authentication, data encryption, access control, updates, and data backups;
(c) Conduct of IT audit reviews on:
(i) Computer devices, hardware and software assets to ensure software and operating systems were updated and patched;
(ii) User accounts to ensure all rights assigned were necessary; and
(d) Conduct of cyber and data protection awareness training for key employees who handle personal data.
Having considered the circumstances of the case, including the remedial steps taken by the Organisation, the Commission accepted an undertaking from the Organisation to improve its compliance with the Personal Data Protection Act (2012). The undertaking was executed on 28 July 2022 (the "Undertaking").
The organisation has since updated the Commission that it has fully implemented its remediation plan. The Commission has reviewed the matter and determined that the Organisation has complied with the terms of the Undertaking.
Please click here to view the Undertaking.