Undertaking by RE&S Enterprises Pte Ltd

Background

On 11 January 2024, the Personal Data Protection Commission (the “Commission”) received a data breach notification from RE&S Enterprises Pte. Ltd. (the “Organisation”) informing it that the Organisation's servers had been encrypted by ransomware (the “Incident”).

Investigations revealed that a threat actor was able to gain access to an internet-connected server running an End-of-Life (“EOL”) operating system that was likely to contain unpatched vulnerabilities. The threat actor was then able to move laterally into the other servers using compromised user credentials.

As a result of the Incident, the personal data of 12,000 individuals, including their names, addresses, NRIC/FIN numbers, telephone numbers, email addresses, salary and bank account details, was encrypted and rendered inaccessible. There was no evidence of any data exfiltration by the threat actor.

The Organisation was found to be lacklustre in its cybersecurity and data protection practices, including its use of EOL software on its servers and its failure to carry out any periodic security reviews of its unpatched servers.

Upon discovering the Incident, the Organisation took prompt remedial actions, including decommissioning all servers running EOL operating systems and putting in place multi-factor authentication for its virtual private network logins.

Voluntary Undertaking

Having considered the circumstances of the case, the Commission accepted a voluntary undertaking (the “Undertaking”) from the Organisation to improve its compliance with the Personal Data Protection Act 2012 (the “PDPA”). The Undertaking was executed on 3 May 2024.

The Organisation provided a comprehensive remediation plan to the Commission that sought to rectify the gaps identified during our investigations. As part of the Undertaking, the Organisation intends to migrate its HR Solution to a cloud-based system and conduct internal training on data protection for its employees. The Organisation will also perform annual risk assessments and internal audits to ensure that the measures it has implemented are effective.

The Commission will be verifying the Organisation’s compliance with its Undertaking. If the Organisation fails to comply with any terms of the Undertaking, the Commission may issue a direction so as to ensure the Organisation’s compliance with the Undertaking.