pdpc_undertakings_version: 67
- _id: 67
- _item: 58
- _version: 1
- _commit: 1007
- id: 33
- organisation: AEM Holdings Ltd
- url: https://www.pdpc.gov.sg/undertakings/undertaking-by-aem-holdings-ltd
- timestamp: 2023-12-14
- description: Background. The Personal Data Protection Commission (the "Commission") was notified by AEM Holdings Ltd. ("AEM") on 1 July 2022 of a personal data breach involving the unauthorised access and exfiltration of personal data. Investigations revealed that a malicious actor had likely obtained initial access to AEM's IT environment through a virtual private network ("VPN") appliance owned, controlled, and maintained by its vendor. The VPN appliance had contained a known critical exploit, as the vendor had not updated it. The malicious actor had likely made use of the critical exploit to obtain the VPN credentials and session information. The malicious actor successfully deployed ransomware, encrypting and/or exfiltrating the personal data of 18,135 individuals (the "Incident"). The personal data affected included their identification numbers, personal contact information, employee status, salary, leave records, date of birth, race, religion, COVID-19 test results, body temperatures for COVID-19 measures, vaccination information, list of shareholders, employee bank account numbers, profile photographs, and fingerprints. Remedial Actions. After the incident, as part of a remediation plan, AEM put in place the following measures: (a) Implemented a third-party vendor cybersecurity risk management policy; (b) Implemented standard contractual clauses for contracting with third-party vendors; (c) Implemented regular cybersecurity reviews; and (d) Reviewed and enhanced its data classification policy. The Commission was also satisfied with the additional actions undertaken by AEM. Undertaking. Having considered the circumstances of the case, the Commission accepted an undertaking from AEM to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 2 May 2023 (the "Undertaking"). The Commission accepted the Undertaking having considered the number of affected individuals, the types of personal data involved and the impact of the Incident. Accepting the Undertaking was also consistent with the Commission's practice with respect to other personal data breaches similar to the one that affected AEM. AEM has since updated the Commission that it has completed the implementation of its remediation plan. The Commission has reviewed the matter and is satisfied that AEM has complied with the terms of the Undertaking. Please click here to view the Undertaking.
- pdf-url: https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/undertakings/undertaking---aem-holdings-ltd.pdf
- pdf-content: VOLUNTARY UNDERTAKING UNDER SECTION 48L OF THE PERSONAL DATA PROTECTION ACT 2012. Case number: DP-2207-9942. In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 (“the Act”) And (1) AEM Holdings Ltd. (UEN No. 200006417D) … Organisation. The Commission has reasonable grounds to believe that the Organisation has not complied, is not complying or is likely not to comply with section 24 of the Act. In order for the Commission to suspend its investigation pursuant to section 50(3)(ca) of the Act, the Organisation HEREBY UNDERTAKES that it will: (a) Complete the remediation plan set out at Schedule B within the timelines stated in Schedule B; and (b) Within 14 days of the completion of the remediation plan set out at Schedule B, provide the Commission with a copy of the declaration set out at Schedule C duly signed by the signatory of this Undertaking or a representative of the Organisation of equal designation. The Organisation acknowledges that the Commission shall be entitled to publish and make available to the public this Undertaking and the summary of the Commission’s findings set out at Schedule A to this Undertaking. The terms of this Undertaking may be varied by the written agreement of the Commission and the Organisation. SIGNED, for and on behalf of AEM Holdings Ltd. by the following: Name: ______ Designation: ______ Date: ______. SCHEDULE A: SUMMARY OF FACTS. 1. On 1 July 2022, the PDPC was informed by the Organisation about the deployment of ransomware on its network. 2. As a result, the personal data of 18,135 individuals including their names, personal contact information, identification numbers, employment records, date of birth, race, religion, COVID-19 test results and vaccination information, shareholding information, employee bank account number, profile photographs and fingerprints were encrypted and/or exfiltrated. 3. To prevent a recurrence of a similar incident, the Organisation took immediate remedial action to address the cause of the personal data breach. SCHEDULE B: REMEDIATION PLAN (S/N, Item, Status, Target Completion). S/N 1: Implement a third party vendor cybersecurity risk management policy (Status: In progress; Target completion: June 2023). S/N 2: Implement a standard set of contractual clauses for use in, as well as a contracting playbook to rely on when negotiating, contracts with relevant third party vendors identified following implementation of the third party vendor cybersecurity risk management policy referenced in s/n 1 above (Status: In progress; Target completion: Q3 2023). S/N 3: Perform regular cybersecurity reviews, with prompt action to be taken for any identified risks as reasonably practicable (Status: Periodic; Target completion: Periodic). S/N 4: Review and enhance the data classification policy (Status: In progress; Target completion: June 2023). SCHEDULE C. Case number: DP-2207-B9942. In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 (“the Act”) And (1) AEM Holdings Ltd. (UEN No. 200006417D) … Organisation. DECLARATION. I refer to the voluntary undertaking dated _______________ given by the Organisation to the Personal Data Protection Commission pursuant to section 48L of the Act (“the Undertaking”). I declare that the remediation plan set out at Schedule B of the Undertaking has been completed. I acknowledge that by making a false declaration or providing false or misleading information to the Personal Data Protection Commission, I may be prosecuted for offences under section 51(3)(c) of the Personal Data Protection Act 2012 and/or section 182 of the Penal Code 1871. Signature: ______ Date: ______ Name: ______ Designation: ______.
- _item_full_hash: 3f803fa056cb3958fe38b7c024550a1cd44acec5