Background

The Personal Data Protection Commission (the “Commission”) was notified by Sunray Woodcraft Construction Pte. Ltd. (the “Organisation” or “SWCPL”) on 11 May 2023 of a personal data breach involving the unauthorised access and exfiltration of personal data (the “Incident”).

Investigations revealed that a malicious actor had utilised a ransomware-as-a-service against SWCPL’s corporate environments, by exploiting vulnerabilities or using compromised credentials.

While the exact cause of the breach could not be determined, the malicious actor encrypted the Organisation’s files containing the personal data of 2,130 individuals who were the Organisation’s current or ex-employees or who had previously sought employment with the Organisation. The types of personal data affected included the name, address, NRIC number, passport number, date of birth, contact information, photographs, and payroll information. In addition, for 689 individuals out of the 2130 individuals affected, their personal email address was also affected.

Remedial Actions

Upon discovery of the Incident, SWCPL had taken prompt remedial actions including tightening the access controls to sensitive system interfaces, updating the latest patches to the firewall, strengthening the firewall rules, resetting the privileged accounts and passwords, and deploying an Endpoint Detection and Response software to continuously monitor end-user devices within its network. 

Undertaking

Having considered the circumstances of the case, the Commission accepted a voluntary undertaking (the “Undertaking”) from SWCPL to improve its compliance with the Personal Data Protection Act 2012. The Undertaking was executed on 25 October 2023.

As part of the Undertaking, SWCPL implemented the following:

(a) Engaged Telstra Singapore for Cyber Detection and Response services to manage and oversee its IT environment;

(b) Implemented risk assessments on any changes towards its environment to identify the potential impacts and minimize risks;

(c) Transmit and retain logs for 90 days using Telstra’s Security Operations Centre;

(d) Deployed a vulnerability scanner to regularly scan assets;

(e) Enhanced its backup solution to utilise a secured cloud-based data storage;

(f) Keep an inventory of hardware/software assets and user accounts;

(g) Implemented a Personal Data Protection policy and an Incident Response plan;

(h) Enforced multi-factor authentication for all VPN users; and

(i) Implemented Group Policy Object policies to ensure users do not use default usernames and simple passwords, and to enforce account lockouts after several failed login attempts.

The Commission was satisfied with the Undertaking proposed by SWCPL and accepted the Undertaking having considered the number of affected individuals, the types of personal data involved and the impact of the Incident. Accepting the Undertaking was also consistent with the Commission’s practice with respect to other personal data breaches similar to the one that affected SWCPL.

SWCPL has since updated the Commission that it has completed the implementation of its remediation plan. The Commission has reviewed the matter and is satisfied that SWCPL has complied with the terms of the Undertaking.

Please click here to view the Undertaking.