pdpc_undertakings: 61
Data source: pdpc.gov.sg/Undertakings
- _id: 61
- _item_id: 3a286710ac17f10539aee032a26417de126da504
- id: 36
- organisation: Yayasan Mendaki
- url: https://www.pdpc.gov.sg/undertakings/undertaking-by-yayasan-mendaki
- timestamp: 2024-04-22
- pdf-url: https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/undertakings/undertaking---yayasan-mendaki.pdf
- _commit: 1013

description:

Background

On 27 October 2022, the Personal Data Protection Commission (the "Commission") received a data breach notification from Yayasan Mendaki (the "Organisation" or "YM") informing it that the Organisation's on-premises VMware ESXi servers had been encrypted by ransomware (the "Incident"). As a result of the Incident, the personal data of approximately 72,917 individuals, including their names, NRIC numbers, dates of birth, phone numbers, email addresses and bank account details, were encrypted and rendered inaccessible. A total of 2.7TB of data was also exfiltrated from the Organisation's servers, but it could not be confirmed whether that data contained any personal data. Dark Web monitoring did not indicate that any exfiltrated data had been published or put up for sale.

Investigation revealed that the Organisation had failed to remove the internet connectivity of a decommissioned web server. The threat actor(s) were believed to have exploited vulnerabilities in the unpatched web server and then moved laterally to the other servers.

Remedial Actions

Upon discovering the Incident, the Organisation immediately took the following actions:
(a) disconnected the on-premises network from the internet; and
(b) reset all user account passwords and reset the KRBTGT account.
The Organisation also notified all potentially affected individuals of the Incident.

Undertaking

Having considered the circumstances of the case, including the remedial steps taken by the Organisation, the Commission accepted a voluntary undertaking on 23 May 2023 (the "Undertaking") from the Organisation to improve its compliance with the Personal Data Protection Act 2012 ("PDPA"). The Commission accepted the Undertaking after considering that the Organisation is a self-help group targeted at uplifting the Malay/Muslim community in Singapore, and the scale and potential impact of the Incident. Although the Organisation's servers and personal data had been encrypted, Dark Web monitoring did not indicate that any exfiltrated data had been published or put up for sale, and it could not be confirmed whether the exfiltrated data contained any personal data. Accepting the Undertaking was also consistent with the Commission's practice with respect to other personal data breaches similar to the one that affected the Organisation, and with the Commission's policy of reserving the imposition of a financial penalty for only the most serious instances of a breach of the PDPA. The Organisation also provided a comprehensive Undertaking that sought to rectify the gaps identified during the Commission's investigation. As part of the Undertaking, the Organisation decommissioned the entire on-premises network, migrated to a cloud-based network, and implemented technical measures such as two-factor authentication, network access via virtual private network and IP restrictions to improve its authentication and access control measures. The Organisation also reviewed and updated all its IT security policies and practices. The Organisation has since informed the Commission that it has fully implemented its remediation plan. The Commission has reviewed the matter and determined that the Organisation has complied with the terms of the Undertaking. The Undertaking itself is reproduced below and available at the pdf-url above.

pdf-content:

VOLUNTARY UNDERTAKING UNDER SECTION 48L OF THE PERSONAL DATA PROTECTION ACT 2012

Case number: DP-2210-C0365
In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 ("the Act")
And (1) Yayasan Mendaki (UEN No. 198902633C) … Organisation

The Commission has reasonable grounds to believe that the Organisation has not complied, is not complying or is likely not to comply with section 24 of the Act.

In order for the Commission to suspend its investigation pursuant to section 50(3)(ca) of the Act, the Organisation HEREBY UNDERTAKES that it will:
(a) complete the remediation plan set out at Schedule B within the timelines stated in Schedule B; and
(b) within 14 days of the completion of the remediation plan set out at Schedule B, provide the Commission with a copy of the declaration set out at Schedule C, duly signed by the signatory of this Undertaking or a representative of the Organisation of equal designation.

The Organisation acknowledges that the Commission shall be entitled to publish and make available to the public this Undertaking and the summary of the Commission's findings set out at Schedule A to this Undertaking.

The terms of this Undertaking may be varied by the written agreement of the Commission and the Organisation.

SIGNED, for and on behalf of Yayasan Mendaki, by the following: Name, Designation, Date (left blank in the published copy).

SCHEDULE A: SUMMARY OF FACTS

1. On 27 October 2022, the PDPC was informed that the Organisation's servers had been encrypted by a ransomware attack. Preliminary investigation revealed that only the on-premises network was affected; the cloud infrastructure was not affected.
2. After conducting a forensic investigation, the Organisation discovered that approximately 2.7TB of data had been exfiltrated from a virtual file server. However, the contents of the exfiltrated data could not be determined, and none of the exfiltrated data has been published, leaked or put up for sale on the Dark Web.
3. To prevent a recurrence of a similar incident, the Organisation took immediate remedial actions to address the cause of the personal data breach and notified the potentially affected individuals.

SCHEDULE B: REMEDIATION PLAN BY YAYASAN MENDAKI ("YM")

Status is as stated in the Undertaking at the time of signing; every item has the same target completion date.

No. | Remediation action | Status | Target completion
---|---|---|---
1 | Implement phishing awareness training for all newly onboarded YM staff members as part of YM's staff onboarding and orientation process. | Ongoing | By 31 December 2023
2 | Review and confirm that software patches are up to date. | Ongoing | By 31 December 2023
3 | Review and update YM's firewall policy. | Ongoing | By 31 December 2023
4 | Run software scans on all staff-issued laptops. | Ongoing | By 31 December 2023
5 | Consult cybersecurity experts to: (a) assist with YM's migration from on-premises servers to cloud servers; (b) implement and improve cybersecurity on YM's cloud services and server environment. | Ongoing | By 31 December 2023
6 | Implemented a data export limit/restriction to detect and alert YM if large amounts of data are exported from its servers. | Ongoing | By 31 December 2023
7 | Restricted access to YM's servers based on the location of origin of the relevant IP address. | Ongoing | By 31 December 2023
8 | Implementing Cisco Cloud Email Security as an added layer of YM staff email security. | Ongoing | By 31 December 2023
9 | Implemented two-factor authentication (with a fresh prompt every 24 hours) on access to YM's servers and services. | Ongoing | By 31 December 2023
10 | Implemented time-specific access restrictions to YM's cloud servers and services. | Ongoing | By 31 December 2023
11 | Implemented third-party cloud backup for YM's user accounts and email. | Ongoing | By 31 December 2023
12 | Disabled permissions for: (a) connecting unauthorised personal devices to YM's servers; and (b) connecting removable storage devices (via USB ports) to staff-issued laptops. | Ongoing | By 31 December 2023
13 | Review the use of wireless devices with staff-issued laptops. | Ongoing | By 31 December 2023
14 | Restricted file sharing between staff members to YM's internal SharePoint platform only, disabling file sharing via other methods/platforms. | Ongoing | By 31 December 2023
15 | Implement a virtual private network (VPN) to separate the cloud environment from the Internet. | Not started | By 31 December 2023
16 | Update the password policy to require stronger passwords of at least 12 alphanumeric characters, in line with the Cyber Security Agency of Singapore's guidelines. | Not started | By 31 December 2023

SCHEDULE C: DECLARATION

Case number: DP-2210-C0365
In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 ("the Act")
And (1) Yayasan Mendaki (UEN No. 198902633C) … Organisation

I refer to the voluntary undertaking dated _________ given by the Organisation to the Personal Data Protection Commission pursuant to section 48L of the Act ("the Undertaking").

I declare that the remediation plan set out at Schedule B of the Undertaking has been completed.

I acknowledge that by making a false declaration or providing false or misleading information to the Personal Data Protection Commission, I may be prosecuted for offences under section 51(3)(c) of the Personal Data Protection Act 2012 and/or section 182 of the Penal Code 1871.

Signature, Date, Name, Designation (left blank in the published copy).
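The remedial action recorded above, resetting every user password and the KRBTGT account after lateral movement through the domain, has a caveat the PDPC summary does not spell out: a single KRBTGT reset is not enough. Domain controllers keep the previous KRBTGT key alongside the current one, so Kerberos tickets forged with the pre-incident key keep validating until the account has been reset twice, and the second reset must wait until the first has replicated to every DC or legitimate authentication breaks domain-wide. The PowerShell below is an added illustration of that two-phase procedure; it is not from the PDPC record or Yayasan Mendaki's own runbook. It assumes the ActiveDirectory RSAT module, Domain Admin rights, and a reachable PDC emulator; the function names are the author's own.

```powershell
# Added example: two-phase KRBTGT reset after an attacker has moved laterally in an AD domain.
# Assumes the ActiveDirectory module (RSAT) and Domain Admin rights. Not from the PDPC record.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$pdc    = $domain.PDCEmulator   # all writes go to one DC so replication direction is predictable

function Get-KrbtgtState {
    # PasswordLastSet is the quickest check of whether a reset has already happened.
    Get-ADUser -Identity krbtgt -Server $pdc -Properties PasswordLastSet |
        Select-Object SamAccountName, PasswordLastSet
}

function Reset-KrbtgtOnce {
    # The supplied value is never used directly: the DC derives the actual Kerberos key,
    # so any high-entropy random string is fine.
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $pw = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    Set-ADAccountPassword -Identity krbtgt -Server $pdc -Reset -NewPassword $pw
}

function Wait-ForReplication {
    # Poll until no DC in the domain reports a replication failure, or give up.
    # Doing the second reset before the first has converged causes authentication
    # failures on the DCs that have not yet received the new key.
    param([int]$TimeoutMinutes = 60)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $failures = Get-ADReplicationFailure -Target $domain.DNSRoot -Scope Domain
        if (-not $failures) { return $true }
        Start-Sleep -Seconds 60
    } while ((Get-Date) -lt $deadline)
    return $false
}

"Before first reset:`n" + (Get-KrbtgtState | Out-String)
Reset-KrbtgtOnce                                   # pre-incident key becomes the previous (n-1) key
if (-not (Wait-ForReplication)) {
    throw "Replication has not converged; do not perform the second reset yet."
}
Reset-KrbtgtOnce                                   # pre-incident key is now purged from every DC
"After second reset:`n" + (Get-KrbtgtState | Out-String)
```

Even after the second reset, tickets that were issued legitimately before it remain usable until they expire (the default TGT lifetime is 10 hours), so the reset is paired with the host isolation and user password resets listed in the record rather than relied on alone. Run it from a workstation that is itself known-clean; running it from a host the attacker still controls hands them the new credentials.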
Links from other tables
- 1 row from _item in pdpc_undertakings_version