Undertaking by Protemps Employment Services Pte Ltd
Background
Protemps Employment Services Pte Ltd (the “Organisation”) lodged a data breach notification with the Personal Data Protection Commission (the “Commission”) on 18 October 2021 after it found out that personal data of individuals in the possession or control of the Organisation was available on the dark web (the “Incident”).
Investigations revealed that the Organisation’s website had suffered a ransomware attack on 4 October 2021. The Organisation’s own investigations revealed that its website contained vulnerabilities, which allowed the threat actor(s) to access the website infrastructure and exfiltrate the personal data of the affected individuals.
As a result of the Incident, the personal data of approximately 19,361 individuals, including their names, residential addresses, NRIC images, nationality, date of birth, phone numbers, email addresses and passport numbers, was exfiltrated by the threat actor(s). The breakdown of each type of personal data affected is as follows:
| Personal data affected | No. of individuals affected |
| --- | --- |
| Name | 19,361 |
| Residential address | 3,608 |
| Nationality | 4,092 |
| Contact number | 987 |
| Email address | 19,360 |
| Birthday | 3,299 |
| Passport number | 3,898 |
| Race | 3,383 |
| Religion | 2,528 |
| Highest qualification | 3,261 |
| Last salary | 3,258 |
| CVs | 2,541 (2,499 of these CVs contained NRIC numbers and 400 contained NRIC images) |
The Commission found the Organisation to be wanting in its cybersecurity and data protection practices. First, the Organisation did not carry out any periodic security reviews with vulnerability scans to test its website for vulnerabilities prior to the Incident. Second, there were deficiencies in vendor management for security maintenance, as the vendor's data protection responsibilities and job specifications were not clearly defined. Finally, the Organisation lacked proper documentation of its password policies, patch management policies and change management policies.
Remedial Actions
After the Incident, the Organisation implemented the following:
(a) Decommissioned its website; and
(b) Entered into a new vendor contract with a clear job description and responsibilities expected of the vendor.
Voluntary Undertaking
Having considered the circumstances of the case and the Organisation's lack of knowledge of cybersecurity and data protection practices, the Commission accepted a voluntary undertaking (the “Undertaking”), executed on 10 August 2022, under which the Organisation would engage an external service provider to improve its cybersecurity set-up and its data protection practices and policies.
As part of the Undertaking, after the initial set-up, the external service provider will conduct two further reviews. The first review will be conducted 6 months after the initial set-up has been completed and the second review will be conducted one year after the first review. The reviews are to ensure, amongst others, that the latest software updates have been installed on the Organisation’s devices and systems.
The Organisation has since updated the Commission that it has fully implemented its remediation plan. The Commission has reviewed the matter and is satisfied that the Organisation has complied with the terms of the Undertaking.