Background 

The Personal Data Protection Commission (the “Commission”) was notified by Simmons (Southeast Asia) Private Limited ("SPL") on 17 August 2022 that it was subject to a ransomware attack on 10 August 2022. As a result of the attack, a test server containing the personal data of 87,824 customers was encrypted by ransomware.

The personal data affected included the customers' name, address, email address, telephone number and customer information such as the sales order and date, product bought, amount paid, delivery date, time of delivery, date of payment, amount paid, mode of payment, and payment reference. The data of 128 employees, including their business email address, user ID, and password was also encrypted. The Commission noted that there was no evidence of exfiltration of the data. It was established that the threat actor(s) had likely gained access to the test server by exploiting an open Remote Desktop Protocol (“RDP”) port. The RDP port had been left open just 4 days earlier, on 6 August 2022, to facilitate access to the test server by a vendor for testing and development work.

Remedial Actions

After the incident, as part of a remediation plan, SPL put in place measures including:

(a) Reformatted and restored the test server;

(b) Closed the RDP port;

(c) Ensured that any connection to any of SPL’s servers within its IT environment can only be made through a SSL/VPN or IPSec connection, and that all RDP ports on all its servers are closed to public internet access;

(d) Issued a SSL/VPN account to its vendor for the vendor to connect to SPL’s network before accessing the test server;

(e) Removed all production data containing personal data from test servers and will ensure that any future test servers will not contain personal data in any form;

(f) Set up all future test servers on a separate domain so that the possibility of lateral movement is minimised; 

(g) Ensured that the passwords used on test servers (including the current test server) comply with SPL’s existing password policy;

(h) Ensured that employees do not use easily guessable passwords;

(i) Implemented multi-factor authentication;

(j) Ensured that SPL’s endpoint protection / intrusion detection / prevention detection systems are installed on all servers and endpoints, regardless of whether they are production or test servers/endpoints;

(k) Encrypted all personal data stored on its servers;

(l) Reviewed and updated its internal policies/processes relating to the collection, use, disclosure, protection, and retention of personal data;

(m) Strengthened its incident response plan; and

(n) Implemented periodic penetration testing.

Undertaking 

Having considered the short duration during which the RDP port had been left open, the Organisation’s early detection of the ransomware attack, and the prompt and effective remedial steps taken by SPL to improve its data protection practices thereafter, the Commission accepted an undertaking from SPL to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 31 October 2022 (the “Undertaking”).

SPL has since updated the Commission that it has completed the implementation of its remediation plan. The Commission has reviewed the matter and determined that SPL has complied with the terms of the Undertaking.

Please click here to view the Undertaking.