Undertaking by Quest Technology Pte Ltd
Background
On 6 December 2023, the Personal Data Protection Commission (the “Commission”) was notified by Quest Technology Pte Ltd (the “Organisation”) of a ransomware attack on its servers, which resulted in the personal data of its former and current employees being encrypted and subsequently deleted (the “Incident”).
The Incident was first discovered on 4 December 2023, when employees found that their shared drives were all empty, containing only a readme file left by the ransomware. The backup systems had also failed and were compromised.
As a result of the Incident, the personal data of approximately 75 individuals, including their names, residential addresses, contact numbers, NRIC numbers, dates of birth, and salaries, was affected.
The Commission found the Organisation to be wanting in its cybersecurity and data protection practices. First, the Organisation had no personal data policy or internal guidelines for its employees. Second, it had no documented IT-related policies, such as patch management and access control policies. Finally, it had no reasonable password policy or password management.
Remedial Actions
After the incident, the Organisation implemented the following:
(a) Strengthened passwords to at least 8 characters, with 90-day password ageing, for its Gmail, ERP, domain accounts and the CCTV account; and
(b) Provided cybersecurity courses to all staff to enhance awareness.
Voluntary Undertaking
Having considered the circumstances of the case and the Organisation’s lack of knowledge of cybersecurity and data protection practices, the Commission accepted a voluntary undertaking (the “Undertaking”) from the Organisation, executed on 24 June 2024, to engage an external service provider to improve its cybersecurity set-up and its data protection practices and policies.
As part of the Undertaking, the external service provider will conduct two further reviews after the initial set-up. The first review will be conducted 6 months after the initial set-up has been completed, and the second review one year after the first review. The reviews are to ensure, amongst other things, that the latest software updates have been installed on the Organisation’s devices and systems.
The Commission will verify the Organisation’s compliance with the Undertaking. If the Organisation fails to comply with any term of the Undertaking, the Commission may issue a direction to ensure the Organisation’s compliance with it.