Undertaking by Focus Adventure Pte Ltd

Background

On 10 January 2022, Personal Data Protection Commission (the “Commission”) reached out to Focus Adventure Pte. Ltd. (the “Organisation”) after receiving information that databases, containing personal data of individuals associated with the Organisation, were made available for sale on the dark web (the “Incident”). Subsequently, the Organisation lodged a data breach notification on 12 January 2022.

Investigation revealed that the Organisation had suffered a ransomware attack on its company servers on 19 December 2021. The Organisation restored its servers from backups. It was believed that the files in the server were exfiltrated by the threat actor(s) during this period.

As a result of the Incident, the personal data of approximately 923 individuals, including their names, NRIC numbers, dates of birth, phone numbers, email addresses and bank account details (for former and current employees), were encrypted and exfiltrated by the threat actor(s).

The Organisation was found to be lacklustre in its cybersecurity and data protection practices, including the use of end-of-life (“EOL”) software on its servers and the failure to carry out any periodic security reviews of its unpatched servers. In addition, there was no proper documentation for password policies, patch management policies or change management policies.

Remedial Actions

After the incident, the Organisation implemented the following:

(a) Changed the password to its servers and firewall; and

(b) Installed endpoint security solutions for all users.

Voluntary Undertaking

Having considered the circumstances of the case and the lack of knowledge by the Organisation in cybersecurity and data protection practices, the Commission accepted a voluntary undertaking (the “Undertaking”), which was executed on 19 July 2022, from the Organisation to engage an external service provider to improve its cybersecurity set-up and its data protection practices and policies.

As part of the Undertaking, after the initial set-up, the external service provider will conduct two further reviews. The first review will be conducted 6 months after the initial set-up has been completed and the second review will be conducted one year after the first review. The reviews are to ensure, amongst others, that the latest software updates have been installed on the Organisation’s devices and systems.

The Organisation has since updated the Commission that it has fully implemented its remediation plan. The Commission has reviewed the matter and is satisfied that the Organisation has complied with the terms of the Undertaking.