Undertaking by Coca-Cola Singapore Beverages Pte Ltd

Background

On 13 October 2023, the Personal Data Protection Commission (the “Commission”) received a data breach notification from Coca-Cola Singapore Beverages Pte Ltd (the “Organisation”) of a ransomware attack by the Lockbit 3.0 ransomware group that had encrypted its systems and deleted the data stored on its backup server (the “Incident”).

As a result of the Incident, the personal data of 5,937 individuals, including their names, phone numbers, addresses, email addresses, bank account numbers and employee identification numbers, was affected.

The Organisation confirmed that 145.43GB of data had been exfiltrated from one of its servers, and that the server had contained personal data. Investigations revealed that the root cause of the Incident was an unauthorised login to the Organisation’s Citrix environment that was protected only by single-factor authentication. The Organisation had not implemented multi-factor authentication (“MFA”) for remote users.

Upon discovery of the Incident, the Organisation took prompt remedial actions, including disabling the administrative and user accounts affected in the Incident, shutting down the Citrix environment, blocking all identified network-based indicators of compromise associated with the Incident, and applying the latest security patches to its Fortinet software.

Voluntary Undertaking

Having considered the circumstances of the case, the Commission accepted a voluntary undertaking (the “Undertaking”) from the Organisation to improve its compliance with the Personal Data Protection Act 2012 (the “PDPA”). The Undertaking was executed on 22 April 2024.

As part of the Undertaking, Coca-Cola Singapore Beverages Pte Ltd will do the following:

(a) Implement a password reset and increase the password length and complexity requirements for end users and privileged users;

(b) Reduce the footprint of external-facing systems by shutting down the Citrix environment;

(c) Restrict access into company systems by non-company devices;

(d) Implement enhanced endpoint protection and MFA for remote users;

(e) Enhance monitoring of servers by the Security Operations Centre (SOC);

(f) Improve asset management and mandate a review of backup and disaster recovery processes; and

(g) Enhance off-boarding process and implement data minimisation for sensitive personal data.

The Commission will verify the Organisation’s compliance with the Undertaking. If the Organisation fails to comply with any terms of the Undertaking, the Commission may issue a direction so as to ensure the Organisation’s compliance with the Undertaking.