Undertaking by Shiseido Group

Background

Shiseido Asia Pacific Pte Ltd (“SAPAC”), Shiseido Singapore Co. (Pte) Limited (“SS”) and Shiseido Travel Retail Asia Pacific Pte. Ltd (“TRA”), collectively, the “Shiseido Group” (the “Organisation”), notified the Personal Data Protection Commission (the “Commission”) on 14 August 2023 of a personal data breach involving a ransomware attack by the Lockbit 3.0 ransomware group that had encrypted the Organisation’s production servers and deleted the data stored on its backup server (the “Incident”).

Investigations revealed that a threat actor (“TA”) had likely gained access to the Organisation’s systems using a local administrator account, which was then used for lateral movement within the network. The first successful entry into the Organisation’s network originated from a ‘test’ account (it was not known why, when or by whom the account was created) following a coordinated password-spray attack.
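The entry path described above, a password spray that finally lands on a dormant ‘test’ account, has a recognisable shape in authentication logs: one source fails against many distinct accounts with only a few attempts each (so per-account lockout never fires), then one of those accounts succeeds. The following detector is an added example and is not part of the Commission’s notice or of the Organisation’s own tooling; the log line format, the source addresses (RFC 5737 documentation ranges), the account names and the thresholds are all constructed for illustration.

```python
"""Password-spray detection over authentication log lines.

Added example; the log format, addresses, usernames and thresholds
below are assumptions constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed line format: "<ISO-8601 UTC> src=<ip> user=<name> result=FAIL|SUCCESS"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)

# Constructed sample: 203.0.113.5 tries seven accounts once each and then
# succeeds against 'test'; 198.51.100.7 hammers a single account (brute
# force, not a spray) and is deliberately NOT the pattern we flag here.
SAMPLE_LOG = """\
2023-08-01T02:00:01Z src=203.0.113.5 user=alice result=FAIL
2023-08-01T02:00:03Z src=203.0.113.5 user=bob result=FAIL
2023-08-01T02:00:05Z src=203.0.113.5 user=carol result=FAIL
2023-08-01T02:00:07Z src=203.0.113.5 user=dave result=FAIL
2023-08-01T02:00:09Z src=203.0.113.5 user=erin result=FAIL
2023-08-01T02:00:11Z src=203.0.113.5 user=frank result=FAIL
2023-08-01T02:00:13Z src=203.0.113.5 user=test result=FAIL
2023-08-01T02:00:40Z src=203.0.113.5 user=test result=SUCCESS
2023-08-01T02:05:00Z src=198.51.100.7 user=alice result=FAIL
2023-08-01T02:05:02Z src=198.51.100.7 user=alice result=FAIL
2023-08-01T02:05:05Z src=198.51.100.7 user=alice result=SUCCESS
"""


def parse_log(text):
    """Parse log text into chronologically sorted (ts, src, user, result) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["src"], m["user"], m["result"]))
    events.sort()
    return events


def detect_spray(events, window=timedelta(minutes=10), min_users=5, max_per_user=3):
    """Return {src: sorted distinct users failed against} for every source whose
    failures, inside some sliding window, cover at least min_users distinct
    accounts with no single account tried more than max_per_user times.
    That 'wide, not deep' profile is the spray signature; a deep run against
    one account is brute force and is left to a separate rule."""
    fails_by_src = defaultdict(list)
    for ts, src, user, result in events:
        if result == "FAIL":
            fails_by_src[src].append((ts, user))

    flagged = {}
    for src, fails in fails_by_src.items():
        start = 0
        for end in range(len(fails)):
            # advance the window start until the window fits
            while fails[end][0] - fails[start][0] > window:
                start += 1
            counts = defaultdict(int)
            for _, user in fails[start:end + 1]:
                counts[user] += 1
            if len(counts) >= min_users and max(counts.values()) <= max_per_user:
                flagged[src] = sorted({u for _, u in fails})
                break
    return flagged


def successes_from_spraying_sources(events, flagged):
    """Successful logins from a flagged source: the follow-up check that
    surfaces which account the spray actually opened (here, 'test')."""
    return [
        (src, user, ts.isoformat())
        for ts, src, user, result in events
        if result == "SUCCESS" and src in flagged
    ]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    spray = detect_spray(evs)
    print("spraying sources:", spray)
    print("successes from spraying sources:", successes_from_spraying_sources(evs, spray))
```

The second function is the one that matters operationally: a spray alert on its own is noise until it is joined against successes, and here that join points straight at the unowned ‘test’ account. The notice records that nobody knew why, when or by whom that account was created, which is the kind of finding a periodic review of accounts without an owner is meant to surface before an attacker does.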

The TA encrypted the Organisation’s files containing the personal data of 2,351 individuals who were the Organisation’s current employees, beauty consultants/promoters and contractors. The types of personal data affected included the name, email address, contact number, passport information, date of birth, bank account information and salary information.

Upon discovery of the Incident, the Organisation took prompt remedial action, including isolating the encrypted production servers from its global IT network, disabling VPN access to secure its IT network and systems, and resetting privileged accounts and passwords.

The Commission notes that there was no evidence of exfiltration of personal data.

Voluntary Undertaking

Having considered the circumstances of the case, the Commission accepted a voluntary undertaking (the “Undertaking”) from the Organisation to improve its compliance with the Personal Data Protection Act 2012 (the “PDPA”). The Undertaking was executed on 28 May 2024.

As part of the Undertaking, Shiseido Group will be implementing the following:

(a) Additional MFA for administrative accounts on servers;

(b) Enhance the logging and backup strategy of its systems, including a longer retention period;

(c) Conduct comprehensive penetration testing as a routine to identify gaps;

(d) Enhance firewall configurations and upgrade firewall firmware;

(e) Install anti-virus and anti-malware software on cloud VMs; and

(f) Enforce password management and reset passwords.

The Commission will verify the Organisation’s compliance with the Undertaking. If the Organisation fails to comply with any terms of the Undertaking, the Commission may issue a direction so as to ensure the Organisation’s compliance with the Undertaking.