Undertaking by Pioneer Electronics AsiaCentre Pte Ltd
Background
Pioneer Electronics AsiaCentre Pte. Ltd. (the “Organisation”) notified the Personal Data Protection Commission (the “Commission”) on 28 June 2024 of a personal data breach where the threat actor (“TA”) deployed ransomware and encrypted files containing personal data on its servers (the “Incident”). Investigations revealed that the TA had likely gained access by exploiting vulnerabilities and/or inadequate settings in the Organisation’s systems, or through exploiting valid employee credentials obtained via phishing.
The encrypted files contained the personal data of approximately 11,461 individuals who were the Organisation’s employees, landlords, business partners, and customers. 11,229 out of the 11,461 individuals were the Organisation’s customers, and their names, email addresses, and mobile numbers were affected.
Remedial Actions
Upon discovering the Incident, the Organisation took prompt remedial actions, including engaging a vendor to perform forensic investigation and assist in containment and remediation. Measures implemented by the Organisation include:
(a) Improving the security and protection of its networks;
(b) Enhancing its firewall policy and rules;
(c) Reconstructing its Active Directory server;
(d) Evaluating and implementing systems to retain and secure logs;
(e) Scanning all computers for viruses;
(f) Installing endpoint device security on all its computers and servers;
(g) Introducing multi-factor authentication for VPN for all employees;
(h) Requiring all employees to change their passwords; and
(i) Enhancing its password policy.
Voluntary Undertaking
Having considered the circumstances of the case, the Commission accepted a voluntary undertaking (the “Undertaking”) from the Organisation to improve its compliance with the Personal Data Protection Act 2012 (the “PDPA”). The Undertaking was executed on 20 August 2024.
As part of the Undertaking, the Organisation will be implementing the following:
(a) Additional cloud-based cybersecurity service to improve network protection;
(b) Periodic vulnerability checks;
(c) Aggregate logs for 24-hour monitoring via Managed Detection and Response (MDR);
(d) Additional IT security training for employees with emphasis on phishing, cyberattacks and dealing with personal data; and
(e) Conducting phishing simulation exercises.
The Commission will verify the Organisation’s compliance with the Undertaking. If the Organisation fails to comply with any terms of the Undertaking, the Commission may issue a direction so as to ensure the Organisation’s compliance with the Undertaking.