Background

On 7 August 2023, Japalang Pte. Ltd. (the “Organisation”) notified the Personal Data Protection Commission (the “Commission”) of a ransomware attack on its servers, which led to the encryption of personal data of its staff and customers (the “Incident”). The Incident was first discovered on 2 August 2023 when employees found that some files were inaccessible.

The Incident led to the potential unauthorised access and encryption of personal data of 70 customers and 30 employees. The types of personal data affected include name, address and contact number. For the affected employees, their NRIC number, passport number, date of birth and salary were affected as well.

Investigations revealed that the Organisation failed to (i) implement adequate personal data protection measures and safeguards; (ii) put in place password and patch management policies; and (iii) appoint a Data Protection Officer.

Remedial Actions

After the Incident, the Organisation took the following remedial actions:

(a) Reformatted all endpoint computers;

(b) Engaged an IT firm to upgrade its Windows operating system and firewall;

(c) Implemented password protection; and

(d) Upgraded its VPN remote connection method to allow only computers with a digital certificate to connect remotely.

Voluntary Undertaking

Having considered the circumstances of the case and the lack of knowledge by the Organisation in cybersecurity and data protection practices, the Commission accepted a voluntary undertaking (the “Undertaking”), which was executed on 11 March 2024, from the Organisation to engage an external service provider to improve its cybersecurity set-up and its data protection practices and policies.

As part of the Undertaking, the external service provider will assist the Organisation to first complete an initial set-up within 2 months. The initial set-up will include the appointment and registration of a DPO with the Commission or the Accounting and Corporate Regulatory Authority (“ACRA”), establishing an asset inventory for personal/business data, an IT asset inventory for hardware and software, developing an incident response and data breach management plan and implementing the necessary cybersecurity measures to protect personal data. After the initial set-up, the external service provider will conduct two further reviews. The first review will be conducted 6 months after the initial set-up has been completed and the second review will be conducted one year after the first review. The reviews are to ensure, amongst others, that the latest software updates have been installed on the Organisation’s devices and systems.

The Commission will verify the Organisation’s compliance with the Undertaking. If the Organisation fails to comply with any terms of the Undertaking, the Commission may issue a direction so as to ensure the Organisation’s compliance with the Undertaking.