Undertaking by Protemps Employment Services Pte Ltd

Background

Protemps Employment Services Pte Ltd (the “Organisation”) lodged a data breach notification with the Personal Data Protection Commission (the “Commission”) on 18 October 2021 after it found out that personal data of individuals in the possession or control of the Organisation was available on the dark web (the “Incident”).

Investigations revealed that the Organisation’s website had suffered a ransomware attack on 4 October 2021. The Organisation’s own investigations revealed that its website contained vulnerabilities, which allowed the threat actor(s) to access the website infrastructure and exfiltrate the personal data of the affected individuals.

As a result of the Incident, the personal data of approximately 19,361 individuals, including their names, residential addresses, NRIC images, nationality, date of birth, phone numbers, email addresses and passport number, was exfiltrated by the threat actor(s). The breakdown of each type of personal data affected is as follows:

Personal data affected        No. of individuals affected
Name                          19,361
Residential address           3,608
Nationality                   4,092
Contact number                987
Email address                 19,360
Birthday                      3,299
Passport number               3,898
Race                          3,383
Religion                      2,528
Highest qualification         3,261
Last salary                   3,258
CVs                           2,541 (2,499 of these CVs contained NRIC numbers and 400 contained NRIC images)

The Commission found the Organisation to be wanting in its cybersecurity and data protection practices. First, the Organisation did not carry out any periodic security reviews with vulnerability scans to test its website for vulnerabilities prior to the Incident. Second, there were deficiencies in vendor management for security maintenance, as data protection responsibilities and job specifications were not clearly defined. Finally, the Organisation lacked proper documentation for its password, patch management and change management policies.

Remedial Actions

After the incident, the Organisation implemented the following:

(a)  Decommissioned its website; and

(b)  Entered into a new vendor contract with a clear job description and responsibilities expected of the vendor.

Voluntary Undertaking

Having considered the circumstances of the case and the lack of knowledge by the Organisation in cybersecurity and data protection practices, the Commission accepted a voluntary undertaking (the “Undertaking”), which was executed on 10 August 2022, from the Organisation to engage an external service provider to improve its cybersecurity set-up and its data protection practices and policies.

As part of the Undertaking, after the initial set-up, the external service provider will conduct two further reviews. The first review will be conducted 6 months after the initial set-up has been completed and the second review will be conducted one year after the first review. The reviews are to ensure, amongst others, that the latest software updates have been installed on the Organisation’s devices and systems.

The Organisation has since updated the Commission that it has fully implemented its remediation plan. The Commission has reviewed the matter and is satisfied that the Organisation has complied with the terms of the Undertaking.