July 2022 PDPC incidents and undertaking

July 2022 PDPC incidents and undertaking

The July 2022 PDPC Incidents and Undertaking decision of the Personal Data Protection Commission (PDPC) have been published on PDPC’s official website. For this month, six (6) cases have been issued covering the financial penalties of Audio House, Terra Systems, and Quoine, the directions issued to Crawfort, and the Undertakings to be followed by HSL Constructor and Asia Petworld.

It should be noted that the Personal Data Protection Act (PDPA) aims to balance the organizations’ needs to use data for legitimate purposes with the protection of individuals’ personal information as it is tasked with the administration and enforcement.

In doing so, the decisions conducted by PDPC are published on their website, which is open to all who want to read the latest data security standards set by the PDPC. With this, for the better observance of organizations with such standards, it is their duty to be kept updated with the latest PDPC incident and undertakings.

Let’s have a look at the July 2022 cases with the latest cybersecurity updates to date.

July 14: Audio House’s breach of the Data Protection Obligations

Our first case of PDPC Incidents and Undertaking involves Audio House. On June 01, 2021, the organisation notified the PDPC that its customer database had been subjected to a ransomware attack. With this, approximately 98,000 individuals’ names, addresses, email addresses, and telephone numbers, in the nature of contact information, were affected. 

Upon investigation, it was found out that the PHP files used to develop a web application on its website contained vulnerabilities that allowed a malicious actor to carry out an SQL injection attack. With this incident, Audio House was ordered to pay a financial penalty of S$10,000.

What we can get from this case is the importance of conducting a periodic security review. This would include vulnerability scanning and assessments, which would offer the organisation the opportunity to detect vulnerabilities that were not detected during the pre-launch tests or any vulnerabilities that may have arisen since. 

Also Read: Why cybersecurity is important for businesses in Singapore

July 14: Terra System’s breach of the Data Protection Obligations

Our second case of PDPC Incidents and Undertaking involves Terra Systems. On July 27, 2020, the PDPC was informed by the Singapore Police Force that a customer relationship management portal by Terra Systems had been accessed and modified. This contained the personal data of persons served with “Stay-Home Notices” or SHN.

Upon investigation, it was found that the perpetrator was a disgruntled ex-employee who acquired the daily common password from another employee, not knowing that such employee had been terminated and could have unauthorised access to the SHN Data. With this, the organization was ordered to pay S$12,000 for the incident.

What we can get from this case is the importance of implementing robust IT access controls so that this kind of incident will not happen. This can be done by utilizing unique IDs and passwords instead of a daily common password that can be easily guessed. 

July 14: Quoine’s breach of the Data Protection Obligations

Our next case of PDPC Incidents and Undertaking involves Quoine. On November 17, 2020, the organization informed the PDPC that its domain manager had transferred control of its domain hosting account to an external actor, and such actor accessed and exfiltrated the personal data of 652,564 of its customers. The PDPC also received a complaint from an individual who was believed to have been affected by the incident. 

Investigation revealed that Quoine had contracted with a third-party Domain Provider to register and host the Organization’s domain. However, social engineering attacks on the staff of this domain provider allowed them to mistakenly hand over control of the organization’s domain hosting account to an external actor.

This incident allowed the external actor to access the Organization’s Cloud Platform, which contained API keys and tokens for the Organization’s cloud-hosted database as well as a separate cloud computing storage database. As a result, the external actor was given access to the Databases and was able to access and exfiltrate the personal data that was kept there. With this incident, the organization was ordered to pay a whopping S$67,000 for the incident.

What we can get from this case is the importance of carrying out periodic security reviews to ensure that the organisation’s websites collecting personal data and electronic databases storing personal data have “reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks. This is also to detect any vulnerabilities and assess security implications and risks. 

July 14: The directions issued to Crawfort

Our next case of PDPC Incidents and Undertaking involves Crawfort. On June 09, 2021, the organization notified the PDPC that its customer data was being sold on the dark web and affected the personal data of 5,421 customers.

Upon investigation, it was found out that there was an opened S3 server port in the Organisation’s AWS environment which was used for its Data Migration exercise. This then became the entry point of the threat actor.

With this, the PDPC directed the organisation to do the following:

1. To engage a qualified security service provider to conduct a thorough security audit of its technical and administrative arrangements for the security and maintenance of its AWS S3 environment that contains personal data in the organisation’s possession or control; 

2. Provide the full security audit report to the Commission no later than 60 days from the date of the issue of this direction; 

3. Rectify any security gaps identified in the security audit report, review and update its personal data protection policies as applicable within 60 days from the date the security audit report is provided; and 

4. Inform the Commission within one week of completion of rectification and implementation in response to the security audit report. 

July 14: Undertaking by HSL Constructor

Our next case of PDPC Incidents and Undertaking involves HSL Constructor. On October 07, 2021, the organisation notified the PDPC that it was subjected to a ransomware attack on 30 September 2021, and as a result of the attack, 3 of its servers and a Network Attached Storage (NAS) were encrypted.

The Personal data of 758 current and former HSL employees were encrypted, including their name, NRIC number, residential address, email address, family information, salary information, and medical information. 

Upon investigation, It was found out that the threat actor(s) had likely gained access to HSL’s network by exploiting the vulnerabilities present in the outdated software used on 2 of its servers or using compromised credentials.

With this incident, the organisation had set up remedial actions to be undertaken and was accepted by the PDPC. This is to improve its data protection practices and its compliance with the PDPA:

1. Implement multifactor authentication for all administrator access, for users with administrative privileges, and for accounts with access to sensitive data/ systems;
2. Supplement existing email reminders on cybersecurity best practices with regimented user awareness training;
3. Decommission all servers running Windows Server 2008 R2 and below;
4. Install endpoint protection on all servers;
5. Patch all servers and firewall;
6. Reset all admin account passwords; and
7. Close unused ports on its firewall.

July 14: Undertaking by Asia Petworld

Our last case of PDPC Incidents and Undertaking involves HSL Constructor. On September 08, 2021, the organisation notified the PDPC that its systems had been subjected to unauthorized access. 

With such access, the threat actor(s) had deleted APPL’s servers, including its backup servers and backup data, made mass PayPal payments and Airwallex bank transfers from the personal accounts belonging to APPL’s senior management, and potentially accessed employee payroll sheets in an email account belonging to APPL’s senior management. 

With this incident, approximately 21,000 customer’s personal data was potentially disclosed, including their names, addresses, telephone numbers, and email addresses. This also included the personal data of 60 employees.

Luckily, APPL has since recovered the data via backup as of 12 July 2021. 

With this incident, the organisation had set up remedial actions to be undertaken and was accepted by the PDPC. This is to improve its data protection practices and its compliance with the PDPA:

1. Reformat each PC and desktop in its warehouse and office and install a clean Windows 10 environment;
2. Reset all Windows passwords and implemented a password length of at least 20 characters long with complex requirements. Users were also reminded not to store passwords in plain text. Further, APPL also applied a password on documents containing personal data when transmitted over the internet;
3. Enabled 2FA on all available applications and services;
4. Implement staff training to enhance knowledge in personal data, safety, and cyber security knowledge; and
5. Harden system access, including enhancing access controls, performing regular patching, etc.

Also Read: The Singapore financial services and markets bill: Everything you need to know