Voluntary Undertaking by Megachem Ltd

Background

Megachem Limited (the “Organisation”) notified the Personal Data Protection Commission (the “Commission”) on 6 May 2025 that a threat actor (“TA”) had executed a ransomware attack that compromised its IT environment, resulting in its file servers being encrypted and data subsequently being exfiltrated (the “Incident”).

The Organisation established that the TA had gained unauthorised access to the Organisation’s servers located in Singapore. The TA exfiltrated the Organisation’s files containing personal data of 34 individuals which comprised its staff and service providers. The types of affected personal data included a combination of names, telephone numbers, email addresses and 2 scanned copies of passports.

Upon discovery of the Incident, the Organisation took prompt remedial actions including:

(a) Immediate containment and system restoration from clean backups;

(b) Deployment of Two-Factor Authentication for remote VPN access;

(c) Enhancement of endpoint and server security;

(d) Enforcement of password protection guidelines; and

(e) Engagement of IT vendors for vulnerability assessment proposals.

The ransomware attack had likely occurred because the Organisation had inadequate security measures, including the incomplete deployment of Multi-Factor Authentication for remote VPN access, the lack of 24/7 threat monitoring of its endpoints and servers, and the absence of vulnerability assessments and scans prior to the Incident.

Voluntary Undertaking

Having considered the circumstances of the case, the Commission accepted a voluntary undertaking (the “Undertaking”) from the Organisation to improve its compliance with the Personal Data Protection Act 2012 (the “PDPA”). The Undertaking was executed on 7 November 2025.

As part of the Undertaking, the Organisation will be implementing the following:

(a) Complete the roll-out of Two-Factor Authentication to all staff;

(b) Deploy 24/7 Managed Detection & Response (MDR) for Singapore and Malaysia users, and expand MDR coverage to all geographies where the Organisation operates with equivalent 24/7 monitoring, detection, and response capabilities;

(c) Conduct a comprehensive vulnerability assessment covering all network segments, on-premise servers, switches, internet routers and firewalls;

(d) Reinforce staff awareness through scheduled cybersecurity training and phishing tests;

(e) Source for a vendor to provide a suitable Security Information and Event Management solution to perform 24/7 monitoring of authentication logins and activity logs and to provide alerts for suspicious user activities;

(f) Source for software solution(s) to manage privilege and access control, prevent users from running malicious executables, and detect suspicious patterns, among other related functions; and

(g) Review and enhance the network environment set-up for data breach detection.
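Items (e) and (a) above concern monitoring authentication logins for suspicious activity and closing the gap left by incomplete MFA deployment on remote VPN access. The following is an added illustration, not code from the Organisation, the Commission or any SIEM vendor, of the kind of correlation rule such monitoring applies: it parses constructed VPN authentication log lines (the log format, field names, IP addresses, user names and thresholds are all assumptions) and raises alerts for a burst of failed logins from one source, a successful login from a source that just produced such a burst, and any successful VPN login that completed without a second factor.

```python
"""Toy SIEM-style correlation over VPN authentication events.

Constructed example. The log format, field names (result, user, src, mfa),
addresses and thresholds are assumptions for illustration only; they are not
those of any vendor product or of the Organisation's environment.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real data): a password-guessing burst that
# eventually succeeds without MFA, one healthy MFA login, one login lacking MFA.
SAMPLE_LOGS = """\
2025-05-01T02:00:01Z vpn auth result=fail user=alice src=203.0.113.7 mfa=none
2025-05-01T02:00:09Z vpn auth result=fail user=alice src=203.0.113.7 mfa=none
2025-05-01T02:00:15Z vpn auth result=fail user=alice src=203.0.113.7 mfa=none
2025-05-01T02:00:21Z vpn auth result=fail user=alice src=203.0.113.7 mfa=none
2025-05-01T02:00:30Z vpn auth result=fail user=alice src=203.0.113.7 mfa=none
2025-05-01T02:01:02Z vpn auth result=success user=alice src=203.0.113.7 mfa=none
2025-05-01T09:12:44Z vpn auth result=success user=bob src=198.51.100.20 mfa=totp
2025-05-01T09:30:10Z vpn auth result=success user=carol src=198.51.100.21 mfa=none
"""

FAIL_THRESHOLD = 5              # failures from one source ...
FAIL_WINDOW = timedelta(minutes=10)  # ... within this sliding window


def parse_line(line):
    """Turn one constructed log line into a dict with a datetime 'ts'."""
    ts, _, _, *kv = line.split()
    event = dict(pair.split("=", 1) for pair in kv)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect(log_text):
    """Return a list of (rule, src, user) alerts in log order."""
    alerts = []
    recent_fails = defaultdict(deque)  # src -> timestamps of recent failures
    burst_sources = set()              # sources that crossed the threshold
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        src, ts, user = ev["src"], ev["ts"], ev["user"]
        fails = recent_fails[src]
        # Drop failures that have aged out of the sliding window.
        while fails and ts - fails[0] > FAIL_WINDOW:
            fails.popleft()
        if ev["result"] == "fail":
            fails.append(ts)
            if len(fails) == FAIL_THRESHOLD:   # alert once per burst
                burst_sources.add(src)
                alerts.append(("brute_force", src, user))
        else:
            # A success from a source that was just guessing passwords is the
            # highest-priority signal here. A production system would expire
            # burst state; this toy keeps it for the whole run.
            if src in burst_sources:
                alerts.append(("success_after_burst", src, user))
            # Any successful VPN login without a second factor is reportable
            # while MFA roll-out is incomplete.
            if ev["mfa"] == "none":
                alerts.append(("login_without_mfa", src, user))
    return alerts


if __name__ == "__main__":
    for rule, src, user in detect(SAMPLE_LOGS):
        print(f"ALERT {rule}: src={src} user={user}")
```

Run on the constructed sample, the block reports one brute-force burst from 203.0.113.7, the subsequent success from that same source, and two logins that completed without MFA (alice and carol), while bob's TOTP-backed login produces nothing. The `login_without_mfa` rule doubles as a roll-out audit: once item (a) is complete it should never fire.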

The Commission will verify the Organisation's compliance with the Undertaking. If the Organisation fails to comply with any terms of the Undertaking, the Commission may issue a direction to ensure the Organisation's compliance with the Undertaking.