Undertaking by Malca-Amit Singapore Pte Ltd

Background

Malca-Amit Singapore Pte. Ltd. (the “Organisation”) notified the Personal Data Protection Commission (the “Commission”) on 10 August 2024 of a personal data breach stemming from a cyber incident involving the compromise of a limited number of servers in its network (the “Incident”).

Investigations revealed that the threat actor (“TA”) had most likely gained access to the Organisation’s system using a domain user account and thereafter performed network scanning and lateral movement from the SonicWall VPN. The malicious activities targeted the hosts on the VMware virtualization platform.

The TA encrypted some of the Organisation’s files which contained the personal data of 5,834 individuals who were the Organisation’s employees and customers. The types of personal data affected included various combinations of name, address, email address, NRIC number, passport information, photograph, date of birth, bank account information and salary information (which only impacted its employees).

Upon discovery of the Incident, the Organisation took prompt remedial actions, including physically disconnecting the site network and backbone connectivity, eradicating all known remnants of TA activity in the network, ceasing data backups and checking the integrity of all systems.

Voluntary Undertaking

Having considered the circumstances of the case, the Commission accepted a voluntary undertaking (the “Undertaking”) from the Organisation to improve its compliance with the Personal Data Protection Act 2012 (the “PDPA”). The Undertaking was executed on 9 December 2024.

As part of the Undertaking, the Organisation will be implementing the following:

(a) Strengthened Password Policy;

(b) 2FA Enforced on Security Appliances;

(c) 2FA Enforced for Remote Access;

(d) Continuous Backup of Virtualization Environments;

(e) Implementation of SentinelOne XDR for Enhanced Threat Detection and Response;

(f) Scheduled Penetration Testing (PT) to Identify and Mitigate Vulnerabilities;

(g) Replacement of End-of-Life Software to Enhance Security and Operational Efficiency; and

(h) Enhancement of SIEM Services for Proactive Threat Detection and Response.

The Commission will verify the Organisation’s compliance with the Undertaking. If the Organisation fails to comply with any terms of the Undertaking, the Commission may issue a direction so as to ensure the Organisation’s compliance with the Undertaking.