_commit_at,_commit_hash,_id,_item,_version,_commit,description,tags,date,pdf-url,nature,title,url,timestamp,pdf-content,decision,_item_full_hash,_changed_columns
2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,58,58,1,952,"A financial penalty of $7,000 was imposed on Larsen & Toubro Infotech for failing to put in place reasonable security arrangements to prevent the unauthorised disclosure of personal data of job applicants, and for disclosing the personal data of job applicants without their consent.","[""Protection"", ""Consent"", ""Financial Penalty"", ""Information and Communications"", ""Protection"", ""Consent"", ""Sample forms"", ""Email"", ""Recruitment""]",2021-06-10,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision--Larsen--Toubro-Infotech-Limited-Singapore-Branch-06052021.pdf,"Protection, Consent",Breach of the Protection and Consent Obligation by Larsen & Toubro Infotech,https://www.pdpc.gov.sg/all-commissions-decisions/2021/06/breach-of-the-protection-and-consent-obligation-by-larsen-toubro-infotech,2021-06-10,"PERSONAL DATA PROTECTION COMMISSION Case No. DP-2011-B7464 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Larsen & Toubro Infotech Limited, Singapore Branch SUMMARY OF THE DECISION 1. On 29 November 2020, the Personal Data Protection Commission (the “Commission”) received a complaint against Larsen & Toubro Infotech Limited, Singapore Branch (“LTI”) from an LTI job applicant. 2. On 25 November 2020, an LTI employee had emailed the complainant a set of sample forms which contained the personal data of a past job applicant. The LTI employee had sent the complainant those sample forms to assist him in filling in his own forms correctly. 3. Subsequently, on 3 December 2020, another LTI employee sent an email reminder to the complainant and 53 other job applicants to complete their application process. 
The email contained all of the job applicants’ respective names, with their email addresses placed in the “To” field and thus visible to all recipients. 4. Once notified of the complaint by the Commission, LTI undertook a review of its employees’ emails for the period from 2016 to 2020, and uncovered 73 other instances where past job applicants’ personal data had been disclosed to other job applicants. 5. In total, 13 past job applicants’ forms were disclosed by 10 of LTI’s employees to 74 other job applicants. The personal data disclosed in the forms comprised: a. Name; b. Signature; c. Email address; d. National Identification/ passport numbers; e. Date of Birth; f. Address; g. Contact number; h. Medical health status; i. Employment history; j. Salary information; and k. Criminal records disclosure. 6. The Deputy Commissioner for Personal Data Protection finds that LTI negligently contravened the Protection Obligation under section 24 of the Personal Data Protection Act 2012 by failing to provide adequate instructions to its employees dealing with recruitment matters on how to handle personal data. LTI also negligently contravened the Consent Obligation under section 13 of the Personal Data Protection Act 2012, by disclosing the names and email addresses of all job applicants in its email sent to the 54 job applicants on 3 December 2020, including the complainant. 7. While LTI claimed to have a general Corporate Privacy Policy and an Employee Privacy Notice which applied to all employees, the purpose of these documents was to provide notice to individuals and employees on how LTI used, processed, and protected personal data. Guidance to employees on how they should handle personal data in the course of work could only be found in LTI’s “Data Privacy Awareness” training materials. 
LTI had no targeted policies or standard operating procedures specifically for the employees handling recruitment matters, despite the type and volume of personal data handled by such employees. The fact that as many as 10 of LTI’s employees had engaged in the same conduct over a 4 year period, reinforced the finding that the existing instructions were inadequate. 8. LTI indicated that it would make all its employees aware of this incident, and that it would implement a new set of procedures for email communications to external job applicants. LTI notified all affected job applicants of the wrongful disclosure of their personal data to other job applicants, and informed the job applicants to delete the emails they had received containing the affected job applicants’ forms. Refresher training was also conducted for the employees who had sent the emails. 9. After considering the circumstances of the case and the factors listed at section 48J(6) of the Personal Data Protection Act 2012, including LTI’s cooperation with investigations, its proactive review to identify additional historical breaches, and its prompt remedial actions, the Deputy Commissioner for Personal Data Protection requires that LTI pay a financial penalty of $7,000 for the breach. 10. LTI must make payment of the financial penalty within 30 days from the date of this decision, failing which interest at the rate specified in the Rules of Court in respect of judgment debts shall accrue and be payable on the outstanding amount of the financial penalty until it is paid in full. 11. No further directions are required as LTI had taken actions to address the gaps in its security arrangements. 
",Financial Penalty,bd9f440070a5521214d61291f17b40de724a111a,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,59,59,1,952,"A financial penalty of $25,000 was imposed on Webcada for breaches of the PDPA. First, the organisation failed to put in place reasonable measures to protect personal data on its database servers. Second, it did not have written policies and practices necessary to ensure its compliance with the PDPA.","[""Protection"", ""Accountability"", ""Financial Penalty"", ""Information and Communications"", ""Ransomware"", ""IPMI"", ""Database servers"", ""No Written Policy""]",2021-06-10,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Webcada-Pte-Ltd-06052021.pdf,"Protection, Accountability",Breach of the Protection and Accountability Obligation by Webcada,https://www.pdpc.gov.sg/all-commissions-decisions/2021/06/breach-of-the-protection-and-accountability-obligation-by-webcada,2021-06-10,"PERSONAL DATA PROTECTION COMMISSION Case No. DP-2009-B6931 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Webcada Pte Ltd SUMMARY OF THE DECISION 1. On 4 September 2020, Webcada Pte Ltd (the “Organisation”) notified the Personal Data Protection Commission (the “Commission”) that three of its database servers had been subjected to a ransomware attack on 29 August 2020 (the “Incident”). 2. The personal data of 522,722 individuals were affected in the Incident. The datasets affected comprised of the individuals’ names, phone numbers, dates of birth, addresses and order histories. 3. Following the Incident, the Organisation engaged an independent third-party consultant to investigate, review and assist in the implementation of additional data protection measures. 4. 
Investigations revealed that the ransomware had been uploaded onto the affected servers via the Intelligent Platform Management Interface (""IPMI""). The IPMI is a set of computer interface specifications used for remote monitoring and management of servers. There was no evidence of data exfiltration, and all affected data was restored from available back-ups. 5. The Organisation took the following remedial measures after the Incident: (a) IPMI was permanently disabled for all servers; (b) The public IP address of all servers was removed and all remote management access to the servers was configured to allow only trusted IP addresses; (c) End-point protection software with threat hunting capabilities was installed on all servers and computers within the Organisation; and (d) A written data protection policy was developed and implemented to comply with the provisions of the Personal Data Protection Act 2012 (the ""PDPA""). 6. In its representations to the PDPC, the Organisation admitted to having breached the Accountability Obligation under section 12 and the Protection Obligation under section 24 of the PDPA, and requested that the matter be dealt with in accordance with the PDPC’s Expedited Decision Procedure. Section 12 of the PDPA 7. First, the Organisation admitted it did not have a written data protection policy prior to the Incident. In this regard, it is important to reiterate that an organisation must document its data protection policies and practices in writing as they serve to increase awareness and ensure accountability of the organisation's obligations under the PDPA. This requirement has been emphasized multiple times in previous decisions (see Re Aviva Ltd [2017] SGPDC 14 at [32]; Re Singapore Taekwondo Federation [2018] SGPDC 17 at [39] to [42]; Re AgcDesign Pte Ltd [2019] SGPDC 23 at [4] to [5]; Re (1) Everlast Projects Pte Ltd (2) Everlast Industries (S) Pte Ltd (3) ELG Specialist Pte Ltd [2020] SGPDC 20 at [8] to [9]). Section 24 of the PDPA 8. Second, the Organisation admitted that it did not configure its IPMI access settings correctly prior to the Incident. It enabled access to the IPMI from the public Internet when this was not necessary. 
Furthermore, in the monthly vulnerability scans carried out by the Organisation, it had omitted to scan the IPMI. Hence, it was not able to detect vulnerabilities in its IPMI, which were exploited to gain access to and upload the ransomware on the servers. 9. In the circumstances, the Organisation is found to have breached sections 12 and 24 of the PDPA. 10. After considering the factors listed at section 48J(6) of the PDPA and the circumstances of this case, including (i) the Organisation's upfront voluntary admission of liability which significantly reduced the time and resources required for investigations; and (ii) the Organisation's prompt remedial actions, the Organisation is given notice to pay a financial penalty of $25,000. 11. The Organisation must make payment of the financial penalty within 30 days from the date of the notice accompanying this decision, failing which interest at the rate specified in the Rules of Court in respect of judgment debts shall accrue and be payable on the outstanding amount of such financial penalty until the financial penalty is paid in full. 12. In view of the remedial actions taken by the Organisation, the Commission will not issue any directions under section 48I of the PDPA. ",Financial Penalty,a8330d4666d7631b3e448330fd698843754474f4,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]"
2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,60,60,1,952,"A financial penalty of $35,000 was imposed on HMI Institute for failing to put in place reasonable security arrangements to protect personal data stored in its server. 
This resulted in the data being subjected to a ransomware attack.","[""Protection"", ""Financial Penalty"", ""Education"", ""Ransomware"", ""Third Party Vendor"", ""Scope of Duties"", ""Open RDP Port"", ""Remote Desktop Protocol""]",2021-06-10,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---HMI-Institute-of-Health-Sciences---20052021.pdf,Protection,Breach of the Protection Obligation by HMI Institute of Health Sciences,https://www.pdpc.gov.sg/all-commissions-decisions/2021/06/breach-of-the-protection-obligation-by-hmi-institute-of-health-sciences,2021-06-10,"PERSONAL DATA PROTECTION COMMISSION [2021] SGPDPC 4 Cases No DP-1912-B5434 / DP-1912-B5564 / DP-1912-B5558 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And HMI Institute of Health Sciences Pte. Ltd. … Organisation DECISION HMI Institute of Health Sciences Pte. Ltd. [2021] SGPDPC 4 Lew Chuen Hong, Commissioner — Cases No. DP-1912-B5434 / DP-1912-B5564 / DP-1912-B5558 20 May 2021 Introduction 1 On 4 December 2019, a file server (the “Server”) belonging to HMI Institute of Health Sciences Pte. Ltd. (the “Organisation”) was affected by a ransomware attack. The ransomware encrypted and denied access to various files on the Server, including files containing personal data of the Organisation’s staff and trainees (the “Incident”). 2 On 7 December 2019, the Organisation informed the Personal Data Protection Commission (“Commission”) of the Incident. The Commission subsequently received two separate complaints about the Incident. Background 3 The Organisation is a dedicated private provider of healthcare training to individuals (“Participants”) in Singapore. 
In the course of carrying out its business activities, the Organisation collects personal data from, among others, (i) its employees, including temporary and contract staff such as associate trainers, (“Employees”) for the purposes of managing or terminating such employment relationships, and (ii) the Participants, for the purposes of registration and the administration of their enrolment in the Organisation’s training courses. 4 The Server affected by ransomware was set up in 2014 and was located in Singapore. It was owned by the Organisation but maintained by the Organisation’s appointed IT solution service provider (the “Vendor”). The Server stored personal data in Microsoft Word or Excel files, most but not all of which were password-protected. 5 The Server was protected by a firewall that blocked all connections to the Server, except for those through port 3389, the standard port used for the Remote Desktop Protocol (“RDP Port”). The RDP Port was used by the Vendor for remote management and/or troubleshooting purposes. According to the Organisation, the RDP Port was kept open from sometime in 2014 up to the date of the Incident on 4 December 2019 (i.e. for more than four (4) years) to allow the Vendor quick and easy access. The significance of the RDP Port being kept open will be elaborated on below. 6 The Server only had one administrator account which was shared by the Organisation’s IT administrator and at least three other employees of the Vendor. By use of this administrator account, the Vendor could access the Server remotely through the RDP Port and view, change, or delete all the data in the Server. 7 On 4 December 2019, an employee of the Organisation was unable to access files on the Server containing the personal data of some Participants. An initial diagnostic conducted by the Vendor revealed that the Server had been affected by ransomware. 
File extensions of the files on the Server had been changed and a ransom note was found on the Server. 8 On 5 December 2019, the Organisation engaged a cybersecurity expert company (“CSE”) to conduct a thorough assessment of the Incident. The CSE found that: (a) the attacker had likely discovered the open RDP Port following a random, opportunistic search for vulnerabilities; and (b) having discovered the open RDP Port, it was likely that the attacker used brute force attacks to obtain the administrator account password for the Server in order to gain access to the Server and execute the ransomware. 9 In total, the personal data of approximately 110,080 Participants, and 253 Employees were affected by the Incident (the “Affected Personal Data”). 10 For the affected Participants, the following categories of personal data were affected: (a) Name; (b) NRIC number; (c) Address; (d) Race; (e) Gender; (f) Date of Birth; (g) Age; (h) Email address; (i) Contact number; (j) Course details; (k) Nationality; and (l) Employer details and past employment history. 11 For the affected Employees, the following categories of personal data were affected: (a) Name; (b) NRIC number; (c) Date of Birth; (d) Nationality; (e) Citizenship; (f) Age; (g) Contact number; (h) Vehicle licence plate; and (i) Financial Information (including salary/payment information, Central Provident Fund (“CPF”) information, and bank account numbers). 12 Not all of the above categories of personal data were affected in every individual’s case. For instance, the bulk of the affected Participants (approximately 98,000) only had their names and NRIC numbers stored on the Server. 13 The CSE’s investigation found no evidence of any exfiltration of the Affected Personal Data from the Server. The Organisation also managed to retrieve all the Affected Personal Data as most of the affected files were back-up files. 14 Upon being made aware of the Incident, the Organisation took prompt remedial actions. 
The Organisation: (a) Decommissioned the Server (without paying the ransom), and isolated the Server from its network and the Internet; (b) Notified the Commission, SingCERT, and all the affected Employees and Participants that it was able to reach (approximately 95%) of the Incident; and (c) Issued a media advisory on the Incident. 15 The Organisation also carried out actions to prevent a recurrence of the Incident. It: (a) Adopted its own internal password management policy; (b) Permanently disconnected and blocked remote access for IT support procedures; (c) Implemented Internet separation measures for all devices containing personal data; (d) Introduced various endpoint enhancements and gateway security measures including a monitoring system for all Internet-facing traffic, a suite of antivirus and malware protection for all computers and enhancing email hosting security protection and hard disk encryption; (e) Engaged external IT security consultants to establish an Information Security Management Framework based on the ISO 27001 certification; (f) Conducted cybersecurity training sessions and cybersecurity awareness workshops for its staff; (g) Conducted ad-hoc email phishing tests to augment the cybersecurity training sessions and to engender greater awareness and vigilance towards suspicious emails; and (h) Put in place a monthly IT bulletin post to all employees to keep all staff up to date on IT and cybersecurity issues. Findings and Basis for Determination Whether the Organisation had contravened section 24 of the PDPA 16 Section 24 of the PDPA requires an organisation to protect personal data in its possession or under its control by taking reasonable security steps or arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks (“Protection Obligation”). 
17 As a preliminary point, even though the Organisation had engaged the Vendor to maintain the Server and the Organisation’s other IT infrastructure, the scope of the Vendor’s engagement did not involve the processing or handling of any personal data on behalf of the Organisation. The Organisation owned the Server and was in possession and control of the Affected Personal Data at all material times. The Vendor was therefore not a data intermediary and the responsibility to protect the Affected Personal Data fell squarely on the Organisation. 18 For the reasons set out below, the Organisation failed to implement reasonable security arrangements to protect the Affected Personal Data from the risk of unauthorised access, modification and disposal. Failure to adequately regulate remote access to the Server 19 First, the Organisation did not have sufficiently robust processes to ensure safe remote access to the Server via the RDP Port. The Remote Desktop Protocol (i.e., RDP) is a proprietary protocol developed by Microsoft Corporation for use in its Remote Desktop Connection application, which allows a remote connection to be established from one computer (i.e., the client) to another (i.e., the server), giving the client remote control of the server. By default, the server listens on port number 3389 (i.e., the RDP Port) for incoming connections and requires authentication in the form of a username and password before access to the server is granted. While the RDP Port is intended to be used for legitimate RDP client-server connections, the port is well known and is thus liable to be exploited by malicious actors to gain unauthorised access to a server if there are weak protective measures in place (e.g. weak user authentication). 20 While there is no strict requirement that the RDP Port must always be closed, organisations should regularly review and assess the potential risks of keeping such public facing ports open. 
Where it is necessary to keep the RDP Port on a server open, organisations should ensure that there are sufficient measures in place to protect the personal data stored on the server. 21 That said, where an organisation holds a high volume of personal data and/or highly sensitive personal data, the Commission is of the view that the default approach should be to close all ports, including RDP Ports. Where it is necessary to open the RDP Port, organisations must ensure that there are sufficient measures in place to ensure the security and legitimacy of any incoming RDP connection, and to promptly close the RDP Port upon completion of the required use. Additional measures to secure the files, for example, access control to folders and file encryption, may also be deployed. These are different layers of defences that can be used cumulatively or in different combination, depending on the volume and sensitivity of personal data and the requirements of business operations. 22 In this case, the Organisation kept the RDP Port open from the time the Server was set up in 2014 until the occurrence of the Incident on 4 December 2019. According to the Organisation, the RDP Port was kept open to allow the Vendor quick remote access to the Server for recovery and maintenance works. The Organisation claimed that keeping the RDP Port permanently closed was not practicable, as half a day of down time would be required whenever the RDP Port needed to be opened or closed. 23 Given the fact that a minority of records (i.e. 253 Employees) contained more sensitive financial information and bank account numbers, as well as the volume of personal data stored on the Server, it is questionable whether the RDP Port should have been kept open permanently for recovery or maintenance work. 
Even if this meant incurring some down time in activating and deactivating the firewall for the RDP Port, the inconvenience associated with this down time should have been measured against the risk to the type and volume of personal data that was stored on the Server. Nonetheless, the benefit of the doubt is given to the Organisation as the majority of records were personal particulars and contact information. 24 Even if it was necessary for the RDP Port to be kept open, the Organisation should at least have put in place other types of technical measures to secure the RDP access, such as: (a) Using a different port (other than the default port 3389) for RDP connections; (b) Restricting access to specific IP addresses or IP addresses within specified ranges, i.e. “whitelisting”; (c) Using an RDP gateway; and/or (d) Conducting log reviews for unusual activity, whether upon automated alerts or scheduled monitoring. 25 The risks arising from poor management of RDP Ports have also been highlighted in the Cyber Security Agency of Singapore’s (“CSA”) recent advisory dated 28 December 2020, titled “Protect Your Systems and Data From Ransomware Attacks” (footnote 1: https://www.csa.gov.sg/singcert/advisories/ad-2020-006). The CSA similarly cautioned that some ransomware variants take advantage of exposed services and open ports such as the RDP Port to spread across a network. As such, in order to minimise the chance of a ransomware attack, the CSA emphasised that organisations should review their port settings, particularly, to assess whether there was a need to leave the RDP Port exposed, and if so, to restrict RDP connections to only trusted hosts. 26 The Organisation represented to the Commission that it would have been impractical to whitelist specific IP addresses as connections to the Server were generally made through dynamic, instead of static, IP addresses. 
Even so, the onus remained on the Organisation to put in place alternative security measures that were commensurate with the standard of protection required to protect sensitive data stored on the Server. However, the Organisation failed to implement any such alternative security measures. 27 The Organisation’s inaction on this front placed the Server at risk for more than four years - from the time the Server was set up in 2014 until it was disconnected from the Internet after the Incident. Failure to implement proper password management 28 Second, the Organisation failed to implement proper password management policies. The Organisation had adopted and generally directed its staff to follow the password policy of one of its affiliates (the “Password Policy”). The guidelines and standards in the Password Policy are consistent with the Commission’s recommendations in its Guide to Securing Personal Data in Electronic Medium (footnote 2: https://www.pdpc.gov.sg/help-and-resources/2017/10/guide-to-securing-personal-data-in-electronic-medium), which recommends that passwords used for authentication have a length of at least 8 characters, containing at least one alphabetical character and one numeric character. 29 However, the Organisation failed to take steps to ensure that the Password Policy was complied with in practice. None of the passwords used by the Organisation for the administrator account of the Server or the files containing the Affected Personal Data (including those containing financial information) met the Password Policy’s recommended complexity rules. The passwords used by the Organisation also incorporated an acronym of the organisation’s name, which made them easy to guess and vulnerable to brute force attacks. 
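The following Python script is an added example; it is not part of the PDPC decision and is not code used by the Organisation, the Vendor or the CSE. It shows the kind of log review that paragraph 24(d) refers to, applied to the attack path the CSE described and that paragraph 29 explains the weak passwords made easy: a run of failed RDP logons (Windows Security event 4625, logon type 10) from one source address, followed by a successful logon (event 4624) from the same address. The pipe-separated event layout, the sample events, the five-failure threshold and the five-minute window are all constructed assumptions; a real Security log is EVTX or XML and would need an exporter in front of this. Note that moving RDP off port 3389 (paragraph 24(a)) only reduces scanner noise and would not stop the pattern detected here, which is why the decision lists it alongside address restriction, a gateway and log review rather than instead of them.

```python
# Added example, not from the PDPC decision: flag an RDP brute-force
# pattern in Windows Security log events. The event layout, threshold
# and window below are assumptions chosen for this illustration.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, one per line:
# timestamp|event id|logon type|target user|source network address
# Event 4625 = failed logon, 4624 = successful logon, logon type 10 = RDP.
SAMPLE_LOG = '''
2019-12-04T01:10:02|4625|10|Administrator|198.51.100.23
2019-12-04T01:10:03|4625|10|Administrator|198.51.100.23
2019-12-04T01:10:04|4625|10|Administrator|198.51.100.23
2019-12-04T01:10:05|4625|10|Administrator|198.51.100.23
2019-12-04T01:10:06|4625|10|Administrator|198.51.100.23
2019-12-04T01:10:07|4625|10|Administrator|198.51.100.23
2019-12-04T01:11:40|4624|10|Administrator|198.51.100.23
2019-12-04T09:00:00|4625|10|vendor.tech|203.0.113.8
2019-12-04T09:00:20|4624|10|vendor.tech|203.0.113.8
2019-12-04T09:30:00|4624|3|svc_backup|10.0.0.5
'''

FAILED_LOGON = 4625
SUCCESS_LOGON = 4624
REMOTE_INTERACTIVE = 10  # logon type recorded for RDP sessions


def parse_events(text):
    '''Parse the pipe-separated sample into dicts sorted by timestamp.'''
    events = []
    for line in text.strip().splitlines():
        ts, event_id, logon_type, user, src = line.split('|')
        events.append({
            'ts': datetime.fromisoformat(ts),
            'event_id': int(event_id),
            'logon_type': int(logon_type),
            'user': user,
            'src': src,
        })
    events.sort(key=lambda e: e['ts'])
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    '''Return findings: a burst of at least threshold failed RDP logons
    from one address inside the sliding window, and any later RDP
    success from an address that produced such a burst.'''
    recent_failures = defaultdict(list)  # src -> timestamps of failed RDP logons
    burst_sources = set()
    findings = []
    for e in events:
        if e['logon_type'] != REMOTE_INTERACTIVE:
            continue  # only RDP logons are of interest here
        src = e['src']
        if e['event_id'] == FAILED_LOGON:
            window_start = e['ts'] - window
            recent_failures[src] = [t for t in recent_failures[src] if t >= window_start]
            recent_failures[src].append(e['ts'])
            if len(recent_failures[src]) >= threshold and src not in burst_sources:
                burst_sources.add(src)
                findings.append({'kind': 'burst', 'src': src,
                                 'count': len(recent_failures[src]), 'at': e['ts']})
        elif e['event_id'] == SUCCESS_LOGON and src in burst_sources:
            # the brute force worked: a success from an address that was hammering
            findings.append({'kind': 'success_after_burst', 'src': src,
                             'user': e['user'], 'at': e['ts']})
    return findings


if __name__ == '__main__':
    for finding in detect_rdp_bruteforce(parse_events(SAMPLE_LOG)):
        print(finding)
```

Run against the sample, the script reports one burst from 198.51.100.23 and the Administrator success that follows it, and stays silent on the vendor address that mistyped a password once. The single shared administrator account in paragraph 31 is what makes the second finding hard to attribute to a person; a per-user account would let the same rule say who, not just from where.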
30 As noted in Re Chizzle Pte Ltd [2020] SGPDPCR 1 at [5(d)]: “In this regard, various articles/guides have stated that the use of an organisation’s name as a component of the password is not recommended because it is not difficult to guess and cracked by hackers. The digits “2018” as a component of the password was also guessable, for example, through brute force or dictionary attacks. As such, the password used by the Organisation failed to prevent unauthorised copying and deletion of the Chizzle Database.” [Emphasis added] 31 The login credentials for the administrator account on the Server were also shared between one administrator in the Organisation and at least three other individuals in the Vendor. Other than the login credentials, there were no other access controls to the administrator account (e.g. 2FA or anti-hammering features). As previously stated in Re Orchard Turn Developments Pte Ltd [2017] SGPDPC 12 (at [31]) user accounts should generally not be shared between different individuals, and all the more so for administrator accounts: “Additionally, there should not be a sharing of credentials amongst users. When credentials are shared among multiple users, it is difficult to ensure accountability as it is difficult to track the activity of each individual using the common set of credentials.” [Emphasis added] 32 Although the sharing of the administrator account credentials was not a direct contributing factor to the Incident, the sharing of account credentials – in particular, administrator accounts with high privileges – created an additional risk factor which could have diminished the robustness of other security measures put in place by the Organisation. 33 Similarly, while strong passwords may only slow but not entirely deter threat actors, the absence of strong passwords could greatly facilitate unauthorised access to IT systems, including IT systems holding personal data. 
Failure to take reasonable steps to ensure that the Vendor would protect personal data 34 Thirdly, while the Organisation claims to have relied on the Vendor’s technical expertise with regard to the security of the Server, the Organisation did not take reasonable or sufficient steps to stipulate clear requirements for its Vendor to ensure that the Vendor understood its role in the protection of the personal data in the Server. 35 As mentioned in the Commission’s Guide to Managing Data Intermediaries (footnote 3: https://www.pdpc.gov.sg/Help-and-Resources/2020/09/Guide-to-Managing-Data-Intermediaries): “The primary means by which a DC (i.e. a Data Controller) may ensure appropriate protection and retention of the personal data processed by its DI (i.e. a Data Intermediary) is through a contract. As the range of data processing activities that can potentially be outsourced is very broad, it is necessary for the scope of outsourced data processing activities to be clearly defined and agreed upon. There should be clear communication between the DC and the DI on the scope of outsourced data processing activities and the personal data requirements. For the DC, this is crucial in ensuring that its business requirements and management decisions in relation to the outsourcing are made clear to the DI.” 36 The Vendor in this case was not a Data Intermediary. However, the Vendor was nevertheless expected to handle personal data in the course of its work or make decisions which affected the security of personal data stored in the Server (footnote 4: see Civil Service Club [2020] SGPDPC 15 at [13] and [14]). As such, in order for the Organisation to say that it had discharged its Protection Obligation by relying on the Vendor’s technical expertise, clear business requirements on the protection of the data in the Server should have been specified. Alternatively, the Vendor could have made recommendations on the data protection requirements based on its understanding of the engagement (including for protection of the data in the Server), which the Organisation could have approved and adopted. 
In either case, reasonable efforts should have been taken by the Organisation to verify that the Vendor was meeting its data protection requirements. 37 The exact requirements for a given case would depend on the services that a vendor is engaged to provide. If a vendor is engaged to put in place protection features for a Data Controller’s IT systems, the business requirements should describe the risks that the vendor is to address. In this case, the Organisation’s contract with the Vendor did not specify any business requirements for the protection of personal data in the Server. Neither could the Organisation provide any evidence to suggest that the Vendor made any recommendations about how to protect the data in the Server. As such, the Organisation could not say that it had discharged its Protection Obligation by relying on the expertise of the Vendor. 38 In the circumstances, the Commissioner finds that the Organisation failed to make reasonable security arrangements to protect the personal data in the Server from the risk of unauthorised access, modification and disposal. Accordingly, the Commissioner finds the Organisation in breach of its obligation under section 24 of the PDPA. The Commissioner’s Directions 39 In determining whether any directions should be imposed on the Organisation under section 48I of the PDPA, and/or whether the Organisation should be required to pay a financial penalty under section 48J of the PDPA, the factors listed at section 48J(6) of the PDPA and the following aggravating and mitigating factors were taken into account: Aggravating Factor (a) the Organisation’s failure to put in place reasonable security measures put the personal data in the Organisation’s possession and/or control at risk of exposure for more than four years. 
The failure to protect led to the unauthorised access and modification of the personal data in the Incident; Mitigating Factors (b) the Organisation took prompt remedial actions following the Incident; and (c) the Organisation was cooperative during the investigations. 40 Having considered all the relevant factors of this case, including representations made by the Organisation on 1 April 2021 after being notified of the Commissioner’s Preliminary Decision, the Commissioner hereby directs the Organisation to pay a financial penalty of $35,000 within 30 days from the date of the relevant notice, failing which interest at the rate specified in the Rules of Court in respect of judgment debts shall accrue and be payable on the outstanding amount of such financial penalty until the financial penalty is paid in full. 41 In view of the remedial actions that have already been taken by the Organisation, no other directions are necessary. YEONG ZEE KIN DEPUTY COMMISSIONER FOR COMMISSIONER FOR PERSONAL DATA PROTECTION ",Financial Penalty,65d2d1e1ed47bb4f1dba6c7af5b321b1ae19c7c3,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]"
2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,61,61,1,952,"A financial penalty of $8,000 was imposed on ST Logistics for failing to put in place reasonable security arrangements to prevent the unauthorised access of 2,400 MINDEF and SAF personnel's personal data.","[""Protection"", ""Financial Penalty"", ""Transport and Storage"", ""Phishing"", ""Malware""]",2021-06-10,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---ST-Logistics-Pte-Ltd---26102020.pdf,Protection,Breach of the Protection Obligation by ST Logistics,https://www.pdpc.gov.sg/all-commissions-decisions/2021/06/breach-of-the-protection-obligation-by-st-logistics,2021-06-10,"PERSONAL DATA PROTECTION COMMISSION [2020] SGPDPC 19 Case Nos. 
DP-1912-B5514 and DP-1912-B5559 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And ST Logistics Pte Ltd … Organisation DECISION ST Logistics Pte Ltd [2020] SGPDPC 19 Lew Chuen Hong, Commissioner — Case Nos. DP-1912-B5514 and DP-1912-B5559 26 October 2020 Introduction 1 Phishing attacks are increasingly prevalent and are one of the top cybersecurity threats faced by organisations1. In its latest report, the Cyber Security Agency of Singapore reported 47,500 cases of phishing in Singapore last year, almost triple the number of cases in 20182. This case is yet another example of an organisation falling victim to phishing. Footnote 1: Phishing is a method employed by cyber criminals, often disguising themselves as legitimate individuals or reputable organisations, to fraudulently obtain personal data and other sensitive or confidential information. Once cyber criminals obtain an individual’s personal data, they may gain access to the individual’s online accounts and may impersonate the individual to scam persons known to the individual. See Cyber Security Agency of Singapore, Cyber Tip – Spot Signs of Phishing (25 February 2020) https://www.csa.gov.sg/gosafeonline/go-safe-forme/homeinternetusers/spot-signs-of-phishing. Footnote 2: See “Phishing attacks last year tripled from 2018”, The Straits Times, 27 June 2020. 2 On 16 December 2019, ST Logistics Pte Ltd (the “Organisation”) notified the Personal Data Protection Commission (the “Commission”) that the Organisation had detected the Emotet malware (“Emotet”) in its network, which had infected 6 of its users’ laptops (including 4 laptops containing personal data), potentially affecting up to 4,000 individuals in the Ministry of Defence (“MINDEF”) and Singapore Armed Forces (“SAF”) (the “Incident”). Subsequently, on 23 December 2019, the Commission received a complaint from an individual affected by the Incident. 
Facts of the Case 3 The Organisation provides logistical services to Singapore’s government and defence sectors, as well as commercial sectors. It has more than 800 employees worldwide and an annual revenue of approximately S$350 million3. 4 On 2 October 2019, the Organisation’s users received phishing emails from email addresses with the text “Stlogs” in the sender name field (e.g. “Account Executive (Stlogs)” and “Assistant General Manager (Stlogs)”). Each email contained an attachment with the file extension “doc”. A total of 13 users from the Organisation opened the malicious attachment (the “Affected Users”). 7 Affected Users had the Palo Alto Traps software (“Traps Software”), an advanced endpoint protection solution, installed on their laptops and were therefore protected from Emotet. The remaining 6 Affected Users (“Infected Users”) did not have Traps Software installed on their laptops. This resulted in the Incident, with Emotet being installed and executed on the laptops of the Infected Users. Emotet subsequently harvested the emails in the Infected Users’ accounts, created approximately 100 new phishing emails, and sent these new phishing emails on 3 October 2019. Those new phishing emails quoted the bodies of real emails in the email accounts of the Infected Users. 5 Unencrypted files containing personal data were stored in 4 of the Infected Users’ laptops. The files were offline working copy files used in relation to the logistics services provided by the Organisation to the MINDEF and SAF. The working files contained personal data relating to a total of 2,400 MINDEF and SAF personnel (“Affected Individuals”). 
The types of personal data of the Affected Individuals at risk of unauthorised access (collectively, the “Disclosed Data”) were: (a) Names; (b) Mailing addresses; (c) Email addresses; (d) Telephone numbers; and (e) NRIC numbers (1,320 full NRIC numbers and 1,080 masked (last 3 digits and checksum) NRIC numbers). 6 Based on the Organisation’s investigations (including anti-virus scans performed following the Incident), the infection by Emotet was limited to the laptops of the Infected Users. At the time of the Incident, the Organisation’s proxy logs captured information which showed that some exfiltration had taken place. However, there was insufficient information in the proxy logs to confirm that the exfiltration included files containing the Disclosed Data. 7 Upon discovery of the Incident, the following remedial actions were taken to mitigate the effects of the Incident: (a) The Organisation immediately disconnected the Infected Users’ laptops from the Organisation’s corporate network; (b) Security advisories (including guidelines on how to identify phishing emails) were sent to all the Organisation’s users to inform them of the Incident and to be vigilant; and (c) All Affected Individuals were notified by MINDEF through text messages by 27 December 2019. 8 In addition, the following remedial actions have been taken, or are committed to be taken, by the Organisation to prevent recurrence of the Incident or similar incidents. (a) The Organisation conducted a “PDPA awareness” programme in February 2020 for its staff. “PDPA awareness” training materials were made available to all staff on the Organisation’s intranet. Selected users also attended the PDPA training offered by NTUC Learning Hub in February 2020; (b) Malicious email domains were identified. Enhanced firewall protection was implemented to inspect traffic to the Organisation’s email gateway. 
Email rules were created to block similar phishing emails from reaching the Organisation’s users; (c) The Organisation performed a company-wide validation exercise to ensure that Traps Software was installed on the laptops of all its users; (d) The Organisation conducted a Sender Policy Framework verification to reduce the number of spam and phishing emails reaching its users; (e) The Organisation implemented the display of warning banners for emails that do not originate from the Organisation’s email server; (f) The Organisation will increase the frequency of sending “Cybersecurity Advisory & Personal Data Protection Awareness” notices to all users; (g) The Organisation implemented internet separation via URL filtering and has been exploring a sandbox feature and URL checking for all emails; (h) Periodic phishing exercises will be conducted as part of the Organisation’s Cybersecurity Awareness Program; and (i) Independent security experts will be engaged to perform compromise assessment to validate the security status of the Organisation’s systems environment in the third quarter of 2020. The Commissioner’s Findings and Basis for Determination 9 Most phishing attacks are sent by email,4 and the most common form is the general, mass-mailed type, where the cyber attacker sends an email pretending to be someone else and tries to trick the email recipient to log into a website or download malware.5 Based on the Commission’s past investigations, there are generally 2 scenarios when a data breach involves phishing attacks on e-mail accounts: (a) First, where malware harvests email addresses from the victim’s email address book to send further phishing emails to contacts of the victim. 
In this scenario, the only personal data that are accessed and used by the malicious actor are email addresses; and (b) Second, where the content of the victim’s email account is compromised, and emails are downloaded and/or forwarded by malicious actors. In this scenario, there may be personal data within the body of the email message (e.g. customer information, employee human resource data, payroll information etc.) as part of its communication content. Some of these may be confidential or commercially sensitive information. Footnote 4: https://www.cisco.com/c/en_sg/products/security/email-security/what-is-phishing.html; See also National Cyber Security Centre (United Kingdom), Phishing attacks: defending your organisation (version 1.1, 8 August 2019) https://www.ncsc.gov.uk/guidance/phishing: Phishing can be conducted via a text message, social media, or by phone, but the term 'phishing' is mainly used to describe attacks that arrive by email. Footnote 5: https://www.csoonline.com/article/3234716/types-of-phishing-attacks-and-how-to-identify-them.html 10 The first type of email phishing attack at [9(a)] is more common, and the risk of harm is relatively low as the unauthorised access and use is limited to email addresses. Conversely, while the second type of email phishing attack at [9(b)] is less common, the risk of harm is significantly greater. This is because in addition to email addresses, communication content exposed to unauthorised access and use may contain other type(s) of personal data (including those of a sensitive nature, e.g. medical and financial data). Consequently, a breach of data protection obligations resulting in the organisation falling victim to the second type of email phishing attack generally results in more serious consequences. 
11 The present case falls into the first type of email phishing attack, and the issue for determination is whether the Organisation had complied with its obligations under Section 24 of the Personal Data Protection Act 2012 (the “PDPA”). Section 24 of the PDPA requires an organisation to protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification or similar risks (the “Protection Obligation”). 12 As a preliminary point, it is not disputed that the Organisation was in possession and control of the Disclosed Data at all material times, and was obliged to put in place reasonable security arrangements to protect the Disclosed Data. 13 The Commission’s investigations revealed that the Organisation failed to conduct periodic security reviews to detect vulnerabilities in its IT systems. (a) As stated in the Commission’s previous decisions, organisations are expected to conduct periodic security reviews of their IT systems.6 Conducting regular information and communication technology (“ICT”) security audits, scans and tests to detect vulnerabilities helps organisations to ensure that ICT security controls developed and configured for the protection of personal data are properly implemented7. 
The comprehensiveness of such security reviews should be scoped based on the organisation’s assessment of its data protection needs, and be conducted to a reasonable standard; (b) In the present case, a reasonably conducted security review should have included (i) verifying complete installation and proper configuration of the security software on all of the Organisation’s users’ laptops; and (ii) checking that the security software is updated; (c) The Organisation’s failure to conduct a security review to a reasonable standard resulted in the following undetected security gaps that led to the Incident8: (i) The anti-virus software installed on users’ laptops was not updated because the laptops had not been properly configured to receive updates. This security gap affected all of the Infected Users, whose laptops were not so configured. The investigations into the Incident revealed that if the anti-virus software had been updated, it would have been able to block and remove Emotet at the material time; and (ii) Due to a rollout gap, the Traps Software was not installed on the laptops of some of the Organisation’s users. In contrast with signature-based anti-virus software (which is used to identify “known” malware), Traps Software detects malware based on its behaviour. This enables Traps Software to detect newly released forms of malware (which signature-based anti-virus software may potentially fail to detect) based on behavioural analysis. Footnote 6: See Re WTS Automotive Services Pte. Ltd. [2018] SGPDPC 26 at [18], Re Bud Cosmetics [2019] SGPDPC 1 at [24] and Re Chizzle Pte. Ltd. [2019] SGPDPC 44 at [6] to [8]. Footnote 7: Commission’s Guide to Securing Personal Data in Electronic Medium (revised 20 January 2017) at [6.1]. Footnote 8: As an updated anti-virus software and Traps Software both offered protection against Emotet, the Organisation could have chosen to take a phased approach to its security review. 
As mentioned at [4], this security gap affected all of the Infected Users, on whose laptops the Traps Software had not been installed. Conversely, the laptops of the remaining 7 Affected Users (who had also opened the malicious attachment) had Traps Software installed, and were accordingly protected from Emotet. 14 Based on the Commission’s preliminary findings, it appeared that the Organisation also did not conduct proper data protection training for its staff. In particular, the Organisation had conceded during investigations that not all the Affected Users had completed the relevant data protection training at the time the Incident occurred. The failure to conduct proper data protection training would have been an additional ground (other than the omission to conduct periodic security reviews to detect vulnerabilities in the IT system) in support of finding the Organisation in breach of the Protection Obligation. 15 However, the Organisation subsequently clarified in its representations to the Commission’s preliminary findings that its data protection training for its staff prior to the Incident included PDPA awareness programmes conducted in March and April 2019 and bi-monthly staff induction programmes covering cybersecurity and PDPA compliance. In addition, the training material for the PDPA awareness programme, as well as relevant reference materials and the URL link to the Commission’s website, were provided on the Organisation’s intranet to allow staff ready access to data protection related resources. 16 The Commission recognises that staff movement will always have to be factored into staff training programmes, and at any one point in time, there will always be members of staff at different stages of training. Having a training programme in place and a system to track staff training is therefore important. 
Thus, while not all the Affected Users had completed the relevant data protection training at the time of the Incident, the arrangements the Organisation had implemented towards training its staff on data protection were reasonable in the circumstances. 17 For the reasons set out at [13] above, the Commissioner finds the Organisation in breach of section 24 of the PDPA. 18 In addition to the representations made on data protection training, the Organisation also raised the following factors for consideration in support of a reduction in the quantum of financial penalty which the Commissioner intended to impose: (a) The Organisation had put in place reasonable security arrangements to protect the Disclosed Data prior to the Incident. These included an advanced endpoint solution (Palo Alto Traps) on corporate servers and workstations; privileged access management; monitoring of security events through security information and event management systems; and web penetration tests performed for corporate applications by a CREST accredited vendor. Notwithstanding these arrangements, the Organisation was a victim of a phishing attack; and (b) There was a low risk of harm arising from the Incident as the unauthorised access and use of the Disclosed Data by the cyber attacker were limited to email addresses. There was also no evidence that any Disclosed Data had been exfiltrated. 19 The Organisation’s representation that it had put in place reasonable security arrangements to protect the Disclosed Data prior to the Incident is not accepted. As explained at [13], the Organisation failed to conduct periodic security reviews to detect vulnerabilities in its IT systems. 
The requirement for organisations to conduct periodic security reviews in order to comply with the Protection Obligation has been emphasised in the Commission’s previous decisions.9 Separately, the Organisation’s representation that there was a low risk of harm arising from the Incident is accepted and has been taken into account in determining the financial penalty. Footnote 9: See cases listed at Footnote 6. 20 Having carefully considered the representations, the Commissioner has decided to reduce the financial penalty to the amount set out at [22]. The quantum of financial penalty has been determined after due consideration of the low risk of harm arising from the Incident and the mitigating factors set out at [21]. The Commissioner’s Directions 21 In determining the directions, if any, to be imposed on the Organisation under Section 29 of the PDPA, the Commissioner took into account the Organisation’s cooperation with the investigations and its prompt and forthcoming responses to the Commission’s queries. 22 Having considered all the relevant factors of this case, the Commissioner directs the Organisation to pay a financial penalty of S$8,000 within 30 days from the date of this direction, failing which interest, at the rate specified in the Rules of Court in respect of judgment debts, shall accrue and be payable on the outstanding amount of the financial penalty until it is paid in full. The Commissioner has not set out any further directions given the remediation measures already put in place. YEONG ZEE KIN DEPUTY COMMISSIONER FOR COMMISSIONER FOR PERSONAL DATA PROTECTION ",Financial Penalty,50724d913acafbfd43b21653cd18c545ba471871,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]"