pdpc_undertakings: 31
Data source: pdpc.gov.sg/Undertakings
_id | _item_id | id | organisation | url | timestamp | pdf-url | _commit |
---|---|---|---|---|---|---|---|
31 | f981ac0d28f349a756b93a3180f8b6337d51dec5 | 31 | OG Pte Ltd | https://www.pdpc.gov.sg/Undertakings/Undertaking-by-OG-Pte-Ltd | 2023-08-16 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Undertakings/Undertaking---OG-Private-Limited.pdf | 1004 |

description:

Background

On 4 January 2022, OG Private Limited (the "Organisation") received a ransom email from Desorden Group. The email claimed that Desorden Group had hacked into the Organisation and stolen personal data belonging to the Organisation's customers. The Desorden Group demanded a ransom of USD$90,000 in return for not publishing the stolen data.

Investigations revealed that the threat actor had conducted a bruteforce SQL injection attack and was able to download 3 databases. 2 of these databases contained "dummy data" for internal testing while another database contained the personal data (including the name, gender, address, date of birth, email address, telephone numbers and the encrypted NRIC numbers and passwords) of approximately 276,677 individuals.

The impact of the ransomware attack on the Organisation was limited as the Organisation's data intermediary, Poket Pte Ltd ("Poket"), responded quickly. Within 8 minutes of receiving the security notifications that abnormal traffic had been detected, Poket shut down the affected servers and blocked access to the Organisation's databases.

Remedial Actions

After the incident, as part of a remediation plan, the Organisation implemented the following:
(a) SQL injection prevention enhancement;
(b) Streamline data storage;
(c) Harden web portal security;
(d) Implement annual security review; and
(e) Tighten protocols for contracting with 3rd party vendors.

Undertaking

Having considered the circumstances of the case, the Commission accepted an undertaking from the Organisation to improve its compliance with the PDPA. The Commission accepted the undertaking after considering the security arrangements the Organisation had in place to protect the personal data of individuals in its possession or control and the prompt response taken by the Organisation which mitigated the effect of the ransomware attack. The undertaking was executed on 3 June 2022 (the "Undertaking").

The Organisation has since updated the Commission that it has fully implemented its remediation plan. The Commission has reviewed the matter and determined that the Organisation has complied with the terms of the Undertaking. Please click here to view the Undertaking.

pdf-content:

WRITTEN VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION

This Undertaking is given to the Personal Data Protection Commission or its delegates pursuant to section 48L(1) of the PDPA, by:

OG Private Limited
UEN: 196200157H
Registered Address: 60 Albert Street #05-01 OG Albert Complex, Singapore (189969)

(hereinafter referred to as the “Organisation”).

By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein.

1. DEFINITIONS

1.1 In this Undertaking:
(a) “PDPA” means the Personal Data Protection Act 2012; and
(b) “Relevant Provisions” means the provisions in Parts III, IV, V, VI, VIA and IX, and section 48B(1) of the PDPA.

2. ACKNOWLEDGEMENTS

2.1 The Organisation hereby acknowledges the following matters:
(a) The Commission has carried out investigations into certain acts and practices of the Organisation, and has reason to believe that the Organisation has not complied, is not complying, or is likely not to comply with one or more of the Relevant Provisions. The relevant facts and circumstances are summarised at Schedule A.
(b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to issue directions under sections 48I or 48J of the PDPA.
(c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation appears ready to implement or is in the midst of implementing the steps set out in Schedule B.
(d) Having carefully considered all the relevant facts and circumstances, the Commission takes the view that this is an appropriate case in which an Undertaking may be accepted.

2.2 The Organisation also acknowledges and agrees that the Commission may publish and make publicly available this Undertaking, and without limitation to the foregoing, the Commission may issue public statements referring to this Undertaking and/or its contents in whole or in part.

3. UNDERTAKINGS

3.1 The Organisation undertakes that it has taken, or will take all necessary steps, to carry out the actions or refrain from carrying out the actions referred to in Schedule B, and where applicable, in accordance with the stipulated timelines.

4. COMMENCEMENT

4.1 This Undertaking shall take effect upon the acceptance by the Commission of the Organisation's duly executed Undertaking.

5. THE COMMISSION’S STATUTORY POWERS

5.1 In order to provide the Organisation with an opportunity to complete all necessary steps to implement its undertakings set out in clause 3 above, the Commission will exercise its powers under section 50(3)(ca) of the PDPA to suspend the investigations referred to in clause 2 on the date the Undertaking takes effect as set out in clause 4.1.

5.2 The Organisation acknowledges that the Commission will verify the Organisation’s compliance with its undertakings set out in clause 3 above, and if necessary, will exercise its powers under the Ninth Schedule of the PDPA to do so.

5.3 Clause 5.1 above shall be without prejudice to the Commission’s statutory powers to conduct or resume, at any time, the investigations referred to in clause 2 above if it thinks fit, including but not limited to the situation where the Organisation fails to comply with this Undertaking or part thereof in relation to any matter.

5.4 Nothing in this Undertaking, including the Commission’s acceptance of the Undertaking, is intended to, or shall, fetter or constrain the Commission's rights and statutory powers (including but not limited to those under sections 48I, 48J, 48L(4) and 50 of the PDPA) in any manner. Neither shall it be construed as creating any anticipation or expectation that the Commission will take or not take any particular course of action in the future (whether in the present case or in respect of any other case concerning a breach or suspected breach of the PDPA). The acceptance of this Undertaking is strictly confined to the particular facts of the present case, and is made on the basis of the representations and information provided by the Organisation. The acceptance of an Undertaking in this case shall not be construed as establishing any precedent.

6. VARIATION

6.1 This Undertaking may be varied only with the express written agreement of the Commission.

This document has been electronically signed. The Parties hereby affirm that the electronic signatures have been affixed with the due authorisation of each Party and that Parties intend for the electronic signatures to carry the same weight, effect and meaning as hand-signed wet-ink signatures.

SIGNED, for and on behalf of OG Private Limited
By the following:
Name:
Designation:
Date:

ACCEPTED by
Name:
Designation: Deputy Commissioner/Commissioner, Personal Data Protection
Date:

SCHEDULE A

SUMMARY OF FACTS

1. On 4 January 2022, OG Private Limited received emails from Desorden Group stating that personal data had been stolen and demanding a ransom of USD$90,000 in return for not publishing the stolen data. It was identified that a threat actor had conducted a Bruteforce SQL Injection attack and was able to download 3 databases. As a result of the attack, the personal data of the Organisation’s approximately 276,677 individuals, including their name, gender, address, date of birth, email address, telephone numbers, NRIC numbers (encrypted) and passwords (encrypted), could have been affected.

SCHEDULE B

S/N | Item | Status | Target Completion (MMM-YY) |
---|---|---|---|
1 | SQL Injection Prevention Enhancement: Strengthened the existing SQL injection code to prevent future brute force SQL injection attacks. | Completed | Jan-22 |
2 | Additional IP Blocking Measure: To further shorten the lead-time for blocking suspicious traffic, the system was upgraded to automatically block any IP generating 50 or more connections per minute at any time. With this implementation, there are now 2 levels of checking/blocking. First, the system will automatically block suspicious traffic. Second, the system continues to send suspicious activity alerts to our vendors’ 24/7 duty team who will investigate and respond appropriately. | Completed | Jan-22 |
3 | Data Security Enhancement: After the attack, we increased the security of the personal data in the database: (i) encrypted member names; (ii) encrypted email addresses; (iii) encrypted mobile phone numbers. | Completed | Jan-22 |
4 | Harden Web Portal Security: (i) carrying out Vulnerability Assessment and Penetration Testing (VAPT); (ii) updating and patching server software; (iii) installing or updating appropriate computer security software (including virus checking). | In progress | Jul-22 |
5 | Streamline Data Storage: We made changes to our membership program to enable further reduction in the types of personal data that we collect and store: (i) deleted member dates of birth from the server; (ii) deleted member NRIC numbers from the server. | Completed | Jan-22 |
6 | Immediate Password Security Measure: (i) changed system setting to force members to reset their passwords on next login; (ii) changed passwords for all online databases and cloud-based services. | Completed | Jan-22 |
7 | Tighten System Security: Comprehensive security review including: (i) implement reCAPTCHA to detect abusive traffic and prevent brute force attack. | In progress | Jun-22 |
8 | Additional Data Security Enhancement: Encrypt member address. The data encryption algorithm is AES-256 algorithm with secret key | In progress | Aug-22 |
9 | Implement Annual System Security Review: Establish SOP for annual security review and Vulnerability Assessment and Penetration Testing (VAPT). | On-going | On-going |
10 | Hardening of Website Security: In addition to AWS Firewall on server level, will implement additional Firewall on application level to harden the security. | In progress | Sep-22 |
11 | Implementation of Two-Factor Authentication: Two-Factor Authentication (“2FA”) will be implemented for all admin users login. | In progress | Oct-22 |
12 | Tighten Protocols for Contracting with 3rd Party Vendors: (i) vendor selection due diligence; (ii) checklists for IT vendors providing IT solutions; (iii) checklists for vendors processing personal data; (iv) SOPs for 3rd parties handling personal data; (v) review contract terms and conditions for adequate protection and risk management, and compliance with data protection regulations. | In progress | Nov-22 |
13 | Inhouse PDP review and implement PDP Training: Engage PDP consultant firm to review existing data protection protocols and implement SOP for ongoing training of employees and/or associates in handling of personal data and ensuring data security. | In progress | Nov-22 |