Undertaking by Asia Petworld Pte Ltd
Background
The Personal Data Protection Commission (the “Commission”) was notified by Asia Petworld Pte. Ltd. (“APPL”) on 8 September 2021 that its systems had been subjected to unauthorized access. The threat actor(s) had deleted APPL’s servers, including its backup servers and backup data, made mass PayPal payments and Airwallex bank transfers from the personal accounts belonging to APPL’s senior management, and potentially accessed employee payroll sheets in an email account belonging to APPL’s senior management.
Personal data of about 21,000 customers was potentially disclosed. The personal data affected included their names, addresses, telephone numbers and email addresses. In addition, the personal data of 60 employees was also affected. The personal data included their names, dates of birth, NRIC number/FIN, bank account numbers and salaries credited. The Commission noted that APPL has since recovered the data via backup, as of 12 July 2021.
It was established that APPL did not have adequate processes in place to protect the personal data in its possession.
Remedial Actions
After the incident, as part of a remediation plan, APPL:
(a) reformatted each PC and desktop in its warehouse and office and installed a clean Windows 10 environment;
(b) reset all Windows passwords and implemented a minimum password length of 20 characters together with complexity requirements. Users were also reminded not to store passwords in plain text. Further, APPL also applied password protection to documents containing personal data when they were transmitted over the internet;
(c) enabled 2FA on all available applications and services;
(d) implemented staff training to improve staff knowledge of personal data protection, safety and cyber security; and
(e) hardened system access, including enhancing access controls and performing regular patching.
Undertaking
Having considered the circumstances of the case, including the remedial steps taken by APPL to improve its data protection practices, the Commission accepted an undertaking from APPL to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 20 January 2022 (the “Undertaking”).
The Undertaking provided that APPL had to move key applications to another platform for improved security. APPL also had to implement a new web-based system that supports 2FA, to ensure a more secure server environment.
APPL has since updated the Commission that it has completed the implementation of its remediation plan. The Commission has reviewed the matter and determined that APPL has complied with the terms of the Undertaking.