Undertaking by Commonwealth Capital Pte Ltd
Background
Commonwealth Capital Pte. Ltd. (the “Organisation”) notified the Personal Data Protection Commission (the “Commission”) on 4 January 2024 of a personal data breach involving the unauthorised exfiltration of personal data (the “Incident”).
Investigation revealed that a threat actor had gained unauthorised access to the Organisation’s servers by brute-forcing two local administrator accounts over Remote Desktop Protocol (“RDP”). The local administrator accounts had been created by the Organisation to allow its vendor to assist in the migration of the Organisation’s on-premises servers to cloud servers.
A malicious actor exfiltrated the personal data of 2,951 individuals who were the Organisation’s and its related companies’ former and current employees, tenants and contractors. For 1,675 individuals, the personal data affected was limited to their name, NRIC/FIN/passport number, address, telephone number, email address, photo, and date of birth/age. For the remaining 1,276 individuals, the affected personal data also included their salary and/or bank account details.
Upon discovering the Incident, the Organisation took prompt remedial action, including engaging a vendor to investigate and implement containment and recovery measures, and improving its existing security measures.
Voluntary Undertaking
Having considered the circumstances of the case, the Commission accepted a voluntary undertaking (the “Undertaking”) from the Organisation to improve its compliance with the Personal Data Protection Act 2012 (the “PDPA”). The Undertaking was executed on 17 April 2024.
As part of the Undertaking, the Organisation will be implementing the following:
(a) Measures to detect and alert the Organisation to unusually large volumes of outgoing traffic;
(b) A backup solution for key data stores and servers that is safe from ransomware deployments;
(c) Network segmentation, avoiding the use of flat networks;
(d) Allowing remote access to servers and domain controllers only from a specific network segment for administrators and via secure jump hosts;
(e) Restricting unnecessary lateral movement between servers and endpoints using protocols such as RDP, SMB, PowerShell remoting and SSH;
(f) Upgrading Windows operating systems that have reached End-of-Life support from Microsoft;
(g) Creating and using separate server administrator and desktop administrator accounts; and
(h) Privileged account management to manage local administrator accounts.
The Commission will verify the Organisation’s compliance with the Undertaking. If the Organisation fails to comply with any terms of the Undertaking, the Commission may issue a direction so as to ensure the Organisation’s compliance with the Undertaking.