Undertaking by SH Design & Build Pte Ltd

Background

The Personal Data Protection Commission (the “Commission”) was notified by SH Design & Build Pte Ltd (the “Organisation”) on 7 July 2023 of a ransomware attack by “Faust” on its servers that had encrypted four servers and reformatted four file servers on the company’s Network Attached Storage (“NAS”) (the “Incident”).

As a result of the Incident, the personal data of 500 individuals, including their names, telephone numbers, addresses, NRIC numbers, passport numbers, dates of birth and bank account numbers, was affected. The Organisation explained that the affected server had been dormant since March 2021 and that the personal data had been retained to resolve claims against the Organisation.

Investigation revealed that the initial access originated from an account named “vpnuser” that succeeded in gaining access to the FortiGate 80F firewall VPN. This method of initial entry was possible because two-factor authentication (2FA) was not enforced for VPN connections and the VPN was accessible from geo-locations outside the Organisation’s normal operations. In addition, the Organisation lacked appropriate network segmentation and firewall rules. The Organisation had weak credential security measures in place, with no password policy implemented.

Upon discovery of the Incident, the Organisation took prompt remedial actions, including enforcing 2FA for NAS file server login and for server Remote Desktop Protocol (RDP) remote access. Unused VPN accounts were removed, and endpoint detection and response (EDR) software was installed on all end-user devices and servers.

Voluntary Undertaking

Having considered the circumstances of the case, the Commission accepted a voluntary undertaking (the “Undertaking”) from the Organisation to improve its compliance with the Personal Data Protection Act 2012 (the “PDPA”). The Undertaking was executed on 15 December 2023.

As part of the Undertaking, SH Design & Build Pte Ltd will be implementing the following:

(a) Enforce 2FA for NAS file server login and for server Remote Desktop Protocol (RDP) remote access;

(b) Reset all privileged accounts and restrict access to sensitive systems’ management interfaces;

(c) Apply the latest patches to the firewall and only allow VPN connections from IP addresses geo-located within the Organisation’s normal operations; and

(d) Migrate the on-premises Active Directory Domain Controller to a Microsoft Azure cloud-based service.
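The two control gaps behind items (a) and (c), a VPN account without 2FA and VPN access from outside the Organisation’s normal geography, can be checked continuously against firewall event logs. The script below is an example added to this notice, not material from the Commission or the Organisation; the log lines are constructed in a FortiGate-style key="value" layout, and the field names, the IP-to-country table and the 2FA inventory are assumptions standing in for a real GeoIP lookup and identity directory.

```python
"""Flag successful VPN logins that 2FA enforcement or geo-restriction would have
blocked.  Constructed example; field names, GeoIP table and 2FA inventory are
assumed, not taken from the PDPC decision."""
import re
from typing import Dict, Iterable, List

# Constructed sample events (not from the Incident); 'tunnel-up' = login succeeded.
SAMPLE_LOGS = [
    'date=2023-07-06 time=02:14:33 type="event" subtype="vpn" action="tunnel-up" user="vpnuser" remip="203.0.113.45"',
    'date=2023-07-06 time=09:02:10 type="event" subtype="vpn" action="tunnel-up" user="alice" remip="198.51.100.7"',
    'date=2023-07-06 time=09:05:55 type="event" subtype="vpn" action="tunnel-down" user="alice" remip="198.51.100.7"',
    'date=2023-07-06 time=23:41:02 type="event" subtype="vpn" action="tunnel-up" user="bob" remip="192.0.2.200"',
]
GEOIP: Dict[str, str] = {"203.0.113.45": "XX", "198.51.100.7": "SG", "192.0.2.200": "SG"}  # assumed; "XX" = placeholder foreign country
MFA_ENROLLED = {"alice"}    # assumed inventory of accounts with 2FA enforced
ALLOWED_COUNTRIES = {"SG"}  # the Organisation's normal operating geography

_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted value" or key=bare

def parse(line: str) -> Dict[str, str]:
    """Turn one key=value log line into a dict (quoted or bare values)."""
    return {key: quoted or bare for key, quoted, bare in _KV.findall(line)}

def audit(lines: Iterable[str], geoip: Dict[str, str] = GEOIP,
          mfa: set = MFA_ENROLLED, allowed: set = ALLOWED_COUNTRIES) -> List[Dict[str, str]]:
    """Return one finding per successful VPN login that breaks either control."""
    findings = []
    for line in lines:
        ev = parse(line)
        if ev.get("subtype") != "vpn" or ev.get("action") != "tunnel-up":
            continue  # only established tunnels matter for this check
        # Unknown source IP resolves to "??", which is never allowed (fail closed).
        country = geoip.get(ev.get("remip", ""), "??")
        reasons = []
        if country not in allowed:
            reasons.append(f"source country {country} outside normal operations")
        if ev.get("user") not in mfa:
            reasons.append("account has no 2FA enforced")
        if reasons:
            findings.append({"user": ev["user"], "remip": ev["remip"],
                             "country": country, "reasons": "; ".join(reasons)})
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_LOGS):
        print(f"{f['user']}@{f['remip']} ({f['country']}): {f['reasons']}")
```

Run against the sample, the dormant "vpnuser" login is flagged on both grounds and "bob" only for missing 2FA, while "alice" passes; in production the GEOIP and MFA_ENROLLED tables would be replaced by a GeoIP database and the identity directory.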