Undertaking by Wizvision Pte Ltd

Background

On 7 July 2023, the Personal Data Protection Commission (the “Commission”) received a data breach notification from Wizvision Pte Ltd (the “Organisation”) of a ransomware attack by “Faust” on its servers that encrypted the data files and internal backup data on its file servers with a “.faust” extension and left behind a ransom note (the “Incident”).

As a result of the Incident, the personal data of 795 individuals, including their names, phone numbers, addresses, email addresses, NRIC numbers, dates of birth, financial information and employment history, was affected.

2.9GB of outbound traffic from the Organisation’s network to Mega.nz was detected in firewall logs dated 20 June 2023. However, the source and content of the outbound traffic could not be determined due to the lack of available logs.
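The finding above turns on two things: firewall logs that record outbound volume per connection, and enough retained detail to attribute that volume to an internal source host. The following added example (not part of the PDPC document or the Organisation’s tooling) aggregates outbound bytes per source host and destination from constructed log lines in an assumed simplified key=value format, and flags pairs that exceed a volume threshold or talk to a watched file-sharing destination; the source host can only be named because `srcip` was logged for every connection.

```python
"""Aggregate outbound byte volume per (source host, destination) from firewall
traffic logs and flag likely bulk transfers. Added example for illustration;
the log format below is a constructed, simplified key=value schema, not any
vendor's real one."""
from collections import defaultdict

# Constructed sample log lines (not real traffic). Two connections from
# 10.0.1.15 to mega.nz sum to 2.9 GB, mirroring the volume in the finding.
SAMPLE_LOGS = """\
date=2023-06-20 time=02:11:05 srcip=10.0.1.15 dstip=203.0.113.10 dsthost=mega.nz sentbyte=1500000000 rcvdbyte=20000
date=2023-06-20 time=02:41:12 srcip=10.0.1.15 dstip=203.0.113.10 dsthost=mega.nz sentbyte=1400000000 rcvdbyte=18000
date=2023-06-20 time=09:02:33 srcip=10.0.1.22 dstip=198.51.100.7 dsthost=update.example.com sentbyte=4000 rcvdbyte=90000000
date=2023-06-20 time=09:05:01 srcip=10.0.1.30 dstip=203.0.113.10 dsthost=mega.nz sentbyte=3000 rcvdbyte=1000
"""

WATCHED_DESTS = {"mega.nz"}          # file-sharing services worth reviewing at any volume
VOLUME_THRESHOLD = 1_000_000_000     # 1 GB outbound per source/destination pair

def parse_line(line):
    """Turn 'k=v k=v ...' into a dict; tokens without '=' are ignored."""
    fields = {}
    for tok in line.split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            fields[k] = v
    return fields

def aggregate_outbound(log_text):
    """Sum sentbyte per (srcip, dsthost); lines missing either field are skipped."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        f = parse_line(line)
        try:
            totals[(f["srcip"], f["dsthost"])] += int(f["sentbyte"])
        except (KeyError, ValueError):
            continue  # cannot attribute or measure this connection
    return dict(totals)

def find_exfil_candidates(log_text, threshold=VOLUME_THRESHOLD, watched=WATCHED_DESTS):
    """Return flagged pairs, sorted by source and destination, with the reasons."""
    findings = []
    for (src, dst), sent in sorted(aggregate_outbound(log_text).items()):
        reasons = []
        if sent >= threshold:
            reasons.append("high-volume")
        if dst in watched:
            reasons.append("watched-destination")
        if reasons:
            findings.append({"src": src, "dst": dst, "sent_bytes": sent, "reasons": reasons})
    return findings
```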

Investigation revealed that the threat actor had gained access through one of the 25 publicly accessible endpoints, either by brute-force attack or by exploiting a system vulnerability. The Organisation had poor security configurations for its VPN connections, and its use of the default port for its Fortinet SSL-VPN facilitated the threat actor’s activities.

Remedial Actions

Upon discovering the Incident, the Organisation immediately took the following actions:

(a) Changed the default port for VPN and all active directory and admin credentials;

(b) Disabled VPN web mode access and the VPN options that allow clients to connect automatically and keep connections alive;

(c) Conducted a full review of the network architecture and enhanced the design of the entire network with proper network segregation and access control;

(d) Replaced the hardware firewall, applied the latest patches and implemented a strict configuration according to best practices;

(e) Implemented a centralized logging solution to preserve logs and monitor system assets;

(f) Maintained an updated inventory of user accounts and an updated network diagram that describes systems and data flows within the organisation;

(g) Enabled 2FA for all firewall and VPN accounts, used whitelisting of source IP addresses instead of “All” in firewall rules, and engaged a security vendor to conduct an independent security review; and

(h) Encrypted all personal data that had been collected to enhance protection, upgraded to a more comprehensive and robust endpoint protection system, and installed the necessary management and network tools/software to automate monitoring and detection as much as possible.

Voluntary Undertaking

Having considered the circumstances of the case, including the remedial steps taken by the Organisation, the Commission accepted a voluntary undertaking on 24 November 2023 (the “Undertaking”) from the Organisation to improve its compliance with the Personal Data Protection Act 2012 (“PDPA”).

The Commission was satisfied with the Undertaking proposed by the Organisation and accepted the Undertaking having considered the number of affected individuals, the types of personal data involved and the impact of the Incident. Accepting the Undertaking was also consistent with the Commission’s practice with respect to other personal data breaches similar to the one that affected the Organisation.

The Organisation has since updated the Commission that it has fully implemented its remediation plan. The Commission has reviewed the matter and determined that the Organisation has complied with the terms of the Undertaking.