Undertaking by Nippon Express Group
Background
The Personal Data Protection Commission (the “Commission”) received data breach notifications on 25 November 2021 from Nippon Express (South Asia & Oceania) Pte Ltd, Nippon Express (Singapore) Pte Ltd and NEX Global Engineering Pte Ltd (“Nippon Express Group”). Nippon Express Group was targeted by a malicious threat actor, resulting in several servers and endpoints being encrypted with an unknown ransomware variant. These servers are centrally managed by Nippon Express (South Asia & Oceania) Pte Ltd (“NESO”) and contained not just the personal data of individuals from NESO, but also the personal data of individuals from Nippon Express (Singapore) Pte Ltd and NEX Global Engineering Pte Ltd.
The personal data of 1,077 individuals was affected. The affected datasets comprised the affected individuals’ name, address, email, NRIC number, contact number, passport numbers, photographs, date of birth, health information and financial information.
It was established that Nippon Express Group had:
(a) A lack of MFA for administrative and remote access to all systems; and
(b) Inadequate security reviews to identify vulnerabilities within its infrastructure.
Remedial Actions
After the incident, as part of a remediation plan, Nippon Express Group had:
(a) Implemented MFA for all administrative and remote access;
(b) Reviewed Active Directory accounts;
(c) Performed an external and internal vulnerability assessment;
(d) Ensured all software and operating systems were updated with patches;
(e) Ensured the usage of strong passwords;
(f) Implemented enterprise-grade anti-virus software;
(g) Implemented the 3-2-1 backup rule; and
(h) Removed remote access tools.
Undertaking
Having considered the circumstances of the case, including the remedial steps taken by Nippon Express Group to improve its personal data protection practices, the Commission accepted an undertaking from Nippon Express Group to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 14 July 2022 (the “Undertaking”).
Nippon Express Group has since updated the Commission that it has implemented its remediation plan fully. The Commission has reviewed the matter and determined that Nippon Express Group has complied with the terms of the Undertaking.