Undertaking by Orchid Hotel Pte Ltd
Background
Orchid Hotel Pte Ltd (the “Organisation”) notified the Personal Data Protection Commission (the “Commission”) on 13 March 2024 of a ransomware attack on its servers (the “Incident”). The personal data of 680,000 individuals, which included name, NRIC, date of birth, email address, telephone number, scanned copy of passport and credit card information (last 4 digits), was encrypted.
Investigations revealed that the threat actor (“TA”) gained access through the Remote Desktop Protocol and successfully compromised the local and domain administrator accounts. At the time of the Incident, sensitive data, i.e. NRIC, passport and credit card information, was encrypted at rest. The Organisation’s firewall logs did not detect any abnormalities, anomalous outbound traffic or evidence to suggest that data had been exfiltrated.
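The Incident description above turns on a single detectable fact: an interactive Remote Desktop logon to local and domain administrator accounts. Firewall logs alone did not surface it, which is why a defender would also want to watch Windows Security events for RDP logons (event 4624 with logon type 10) by privileged accounts, especially from outside the internal address space or after a run of failures (event 4625). The following is an added detection example written for this page; it is not code from the Organisation, its vendors, or the Commission. The event records, the internal network ranges and the list of privileged account names are constructed assumptions for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumed internal address space; adjust to the real environment.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# Hypothetical set of privileged account names to watch (lower-case).
ADMIN_ACCOUNTS = {"administrator", "svc_backup"}
RDP_LOGON_TYPE = 10          # Windows logon type for RemoteInteractive (RDP)
FAILURE_THRESHOLD = 5        # failed attempts before a success is suspicious

# Constructed sample records modelled on Windows Security log fields
# (4624 = successful logon, 4625 = failed logon). These are made-up entries,
# not logs from the Incident described on the page.
SAMPLE_EVENTS = [
    {"time": "2024-03-10T01:12:03", "event_id": 4625, "logon_type": 10, "user": "Administrator", "src_ip": "203.0.113.45"},
    {"time": "2024-03-10T01:12:09", "event_id": 4625, "logon_type": 10, "user": "Administrator", "src_ip": "203.0.113.45"},
    {"time": "2024-03-10T01:12:15", "event_id": 4625, "logon_type": 10, "user": "Administrator", "src_ip": "203.0.113.45"},
    {"time": "2024-03-10T01:12:21", "event_id": 4625, "logon_type": 10, "user": "Administrator", "src_ip": "203.0.113.45"},
    {"time": "2024-03-10T01:12:27", "event_id": 4625, "logon_type": 10, "user": "Administrator", "src_ip": "203.0.113.45"},
    {"time": "2024-03-10T01:12:33", "event_id": 4624, "logon_type": 10, "user": "Administrator", "src_ip": "203.0.113.45"},
    {"time": "2024-03-10T08:01:10", "event_id": 4624, "logon_type": 10, "user": "jlim", "src_ip": "10.0.5.21"},
    {"time": "2024-03-10T08:05:44", "event_id": 4624, "logon_type": 2, "user": "Administrator", "src_ip": "127.0.0.1"},
    {"time": "2024-03-10T09:30:02", "event_id": 4625, "logon_type": 10, "user": "jlim", "src_ip": "10.0.5.21"},
    {"time": "2024-03-10T09:30:08", "event_id": 4625, "logon_type": 10, "user": "jlim", "src_ip": "10.0.5.21"},
    {"time": "2024-03-10T09:30:15", "event_id": 4624, "logon_type": 10, "user": "jlim", "src_ip": "10.0.5.21"},
    {"time": "2024-03-10T22:47:51", "event_id": 4624, "logon_type": 10, "user": "svc_backup", "src_ip": "198.51.100.7"},
]


def is_external(ip_text):
    """True when the address is outside the assumed internal ranges.

    The explicit range list is used instead of ipaddress's is_private,
    which also treats documentation ranges such as 203.0.113.0/24 as private.
    """
    ip = ipaddress.ip_address(ip_text)
    return not any(ip in net for net in INTERNAL_NETS)


def find_rdp_admin_alerts(events, admin_accounts=ADMIN_ACCOUNTS,
                          failure_threshold=FAILURE_THRESHOLD):
    """Return alerts for RDP logons that match either risk pattern.

    Pattern 1: a privileged account logs on over RDP from an external address.
    Pattern 2: an RDP success follows >= failure_threshold failures for the
               same (account, source) pair, i.e. a likely password-guessing run.
    """
    failures = defaultdict(int)   # (user, src_ip) -> consecutive failure count
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] != RDP_LOGON_TYPE:
            continue                        # only interactive RDP sessions matter here
        key = (ev["user"].lower(), ev["src_ip"])
        if ev["event_id"] == 4625:
            failures[key] += 1
            continue
        if ev["event_id"] != 4624:
            continue
        reasons = []
        if key[0] in admin_accounts and is_external(ev["src_ip"]):
            reasons.append("privileged RDP logon from outside the internal address space")
        if failures[key] >= failure_threshold:
            reasons.append(f"success after {failures[key]} failed RDP attempts from the same source")
        if reasons:
            alerts.append({"time": ev["time"], "user": ev["user"],
                           "src_ip": ev["src_ip"], "reasons": reasons})
        failures[key] = 0                   # a success closes the failure run
    return alerts


if __name__ == "__main__":
    for alert in find_rdp_admin_alerts(SAMPLE_EVENTS):
        print(alert["time"], alert["user"], alert["src_ip"], "; ".join(alert["reasons"]))
```

Run against the constructed sample, the script raises two alerts: the Administrator logon from 203.0.113.45 matches both patterns, and the svc_backup logon from 198.51.100.7 matches only the external-source pattern; the ordinary user's two failures followed by a success from an internal address stays below the threshold and is not reported. In a real deployment the records would come from the domain controllers' and servers' Security logs or a SIEM, and the same two patterns are a reasonable first check that MFA on privileged accounts (measure (f) below) is actually being enforced.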
Upon discovering the Incident, the Organisation took prompt remedial actions. These included engaging a third-party vendor to conduct a comprehensive assessment of its security and data handling practices, and implementing stronger password standards and multi-factor authentication (“MFA”) for all accounts.
Voluntary Undertaking
Having considered the circumstances of the case, the Commission accepted a voluntary undertaking (the “Undertaking”) from the Organisation to improve its compliance with the Personal Data Protection Act 2012 (the “PDPA”). The Undertaking was executed on 21 August 2024.
As part of the Undertaking, the Organisation will be implementing the following:
(a) Change all IP addresses and passwords for affected servers;
(b) Perform a full reformat and rebuild of impacted systems to ensure a clean and secure environment. All network assets would be assessed, and all remote access credentials changed. A vulnerability assessment and penetration test (VAPT) is scheduled;
(c) Conduct another round of anti-virus scans across all servers and endpoints to identify and remove potential malware. Symantec Endpoint Protection will continue to be deployed on all assets with operating systems;
(d) Upgrade to a cloud-based version with improved data security, scalability, and reliability. Ensure that the fundamental cloud security controls are in place and if necessary, reinforce them with additional measures;
(e) Enforce a stricter password policy requiring strong and unique passwords for all accounts;
(f) Ensure that MFA is consistently implemented for all privileged accounts, enhancing their protection against potential attack vectors;
(g) Engage a qualified security vendor to conduct a vulnerability and hardening assessment;
(h) Ensure that all issues identified during the security assessments are promptly addressed and resolved;
(i) Send key staff for in-depth PDPA training on advanced threat identification and data handling best practices;
(j) Conduct regular training sessions for all staff to raise awareness of data security best practices;
(k) Establish regular communication channels to inform all staff about the latest security threats, vulnerabilities, and best practices;
(l) Review its existing service contract with Primosys Asia and include relevant data protection clauses that clearly set out the obligations and responsibilities of both parties to comply with the PDPA;
(m) Develop a “Playbook for Malware Infection” that outlines the importance of maintaining and regularly updating patching practices; and
(n) Review and improve backup strategies and disaster recovery capabilities. Ensure a dependable and tested process for data and critical systems recovery.
The Commission will verify the Organisation’s compliance with the Undertaking. If the Organisation fails to comply with any terms of the Undertaking, the Commission may issue a direction so as to ensure the Organisation’s compliance with the Undertaking.