Background

C. Melchers GmbH & Co. KG Singapore Branch (the “Organisation”) notified the Personal Data Protection Commission (the “Commission”) on 31 July 2024 of a personal data breach stemming from a ransomware attack resulting in data exfiltration (the “Incident”).

Investigations revealed that that the threat actor (“TA”) had likely gained access to the Organisation’s system via a compromised domain administrator account which enabled the TA to conduct lateral movements within the system.

The TA accessed and exfiltrated the Organisation’s files which contained personal data. The personal data of 10,417 employees and customers was potentially at risk. For most of these individuals, the types of personal data affected included a combination of names, addresses, telephone numbers or email addresses. In a select few, the personal data affected included NRIC numbers and/or passport numbers.

Upon discovery of the Incident, the Organisation took prompt remedial actions including, but not limited to, blocking all internet connections on servers, enforcing password changes for all users, introducing strong password complexity requirements and implementing multi-factor authentication (“MFA”) for all accounts.

Voluntary Undertaking

Having considered the circumstances of the case, the Commission accepted a voluntary undertaking (the “Undertaking”) from the Organisation to improve its compliance with the Personal Data Protection Act 2012 (the “PDPA”). The Undertaking was executed on 20 December 2024.

As part of the Undertaking, the Organisation will be implementing the following:

(a) Review its incident response plan;

(b) Review its security policies and operational procedures, including the handling of data when it is no longer necessary for any business and/or legal purposes and enhancing its password policy;

(c) Train employees on cybersecurity and data protection and raise awareness on best practices and PDPA obligations;

(d) Enforce MFA across all accounts;

(e) Conduct periodic vulnerability assessments and penetration testing for all systems, network and target vectors.

(f) Review and update disaster recovery plans; and

(g) Conduct drills and simulations for employees to ensure preparedness in the event of data breach incidents.

The Commission will verify the Organisation’s compliance with the Undertaking. If the Organisation fails to comply with any terms of the Undertaking, the Commission may issue a direction so as to ensure the Organisation’s compliance with the Undertaking.