Background

On 27 October 2022, Personal Data Protection Commission (the “Commission”) received a data breach notification from Yayasan Mendaki (the “Organisation”) informing that its on-premises VMWare ESXi servers were encrypted by a ransomware (the “Incident”).

As a result of the Incident, the personal data of approximately 72,917 individuals, including their names, NRIC numbers, date of birth, phone numbers, email addresses and bank account details were encrypted and rendered inaccessible.

A total of 2.7TB of data was also exfiltrated from YM’s servers but could not be confirmed to have contained any personal data. Dark Web monitoring did not indicate any exfiltrated data being published or put up for sale.

Investigation revealed that the Organisation had failed to remove the internet connectivity of a decommissioned web server. The threat actor(s) was believed to have exploited the vulnerabilities of the unpatched web server and then moved laterally to the other servers.

Remedial Actions

Upon discovering the incident, the Organisation immediately took the following actions:

(a) Disconnected the on-premises network from the internet; and

(b) Reset all user account passwords and performed a reset of the KRBTGT account.

The Organisation also notified all potentially affected individuals of the Incident.

Undertaking

Having considered the circumstances of the case, including the remedial steps taken by the Organisation, the Commission accepted a voluntary undertaking on 23 May 2023 (the “Undertaking”) from the Organisation to improve its compliance with the Personal Data Protection Act 2012 (“PDPA”).

The Commission accepted the Undertaking after considering that the Organisation is a self-help group targeted at uplifting the Malay/Muslim community in Singapore, and the scale and potential impact of the Incident. Even though the Organisation’s servers and personal data had been encrypted, Dark Web monitoring did not indicate any exfiltrated data being published or put up for sale and if the exfiltrated data contained any personal data.

Accepting the Undertaking was also consistent with the Commission’s practice with respect to other personal data breaches similar to the one that affected the Organisation and the Commission’s policy of reserving the imposition of a financial penalty only in the most serious instances of a breach of the PDPA.

The Organisation also provided a comprehensive Undertaking that sought to rectify the gaps identified during our investigations. As part of the Undertaking, the Organisation decommissioned the entire on-premises network to migrate to a cloud-based network and implemented technical measure such as two-factor authentication, network access via virtual private network and IP restrictions to improve its authentication and access control measures. The Organisation also reviewed and updated all its IT security policies and practices.

The Organisation has since updated the Commission that it has fully implemented its remediation plan. The Commission has reviewed the matter and determined that the Organisation has complied with the terms of the Undertaking.

Please click here to view the Undertaking.