Background

Hiap Seng Engineering Ltd (the “Organisation”) notified the Personal Data Protection Commission (the “Commission”) on 14 June 2024 of a data breach incident where its servers were infected by ransomware which encrypted files that contained personal data (the “Incident”).

Investigations revealed that a threat actor gained access to the Organisation’s network on 11 June 2024 via a firewall VPN device using a local administrator account credential obtained through exploiting vulnerabilities in the VPN device. Passwords were found stored in the VPN device’s configuration file and were encrypted using old encryption methods, which the threat actor was likely able to decrypt.

The Incident affected the personal data of 10,000 individuals that included employees, ex-employees and contractor, most of which were stored and encrypted by the Organisation in an on-premise payroll software. Types of personal data affected included a combination of name, address, NRIC/FIN number, date of birth, photograph, work permit number, bank account details, telephone number and passport number.

Upon discovery of the Incident, the Organisation took prompt remedial actions including an update of all account passwords and firewall rules, implementing geo-blocking to allow VPN connectivity from local IP addresses only, implementing two-factor authentication for all accounts on the network and procuring a new server with up-to-date security features.

Voluntary Undertaking

Having considered the circumstances of the case, the Commission accepted a voluntary undertaking (the “Undertaking”) from the Organisation to improve its compliance with the Personal Data Protection Act 2012 (the “PDPA”). The Undertaking was executed on 1 October 2024.

As part of the Undertaking, the Organisation will be implementing the following:

(a) Train employees on cybersecurity and data protection and raise awareness on best practices and PDPA obligations;

(b) Implement a software for active directory access management;

(c) Implement network segregation and offsite backups;

(d) Implement a disaster recovery plan; and

(e) Conduct periodic vulnerability assessments and penetration testing for all systems / network / target vectors.

The Commission will verify the Organisation’s compliance with the Undertaking. If the Organisation fails to comply with any terms of the Undertaking, the Commission may issue a direction so as to ensure the Organisation’s compliance with the Undertaking.