pdpc_undertakings_version: 68
_id | _item | _version | _commit | id | organisation | url | timestamp | description | pdf-url | pdf-content | _item_full_hash |
---|---|---|---|---|---|---|---|---|---|---|---|
68 | 59 | 1 | 1009 | 34 | Low Keng Huat (Singapore) Ltd | https://www.pdpc.gov.sg/undertakings/undertaking-by-low-keng-huat-ltd | 2024-02-22 | Background The Personal Data Protection Commission (the “Commission”) was notified by Low Keng Huat (Singapore) Limited (“LKHS”) on 4 July 2023 of a personal data breach involving the unauthorised access and exfiltration of personal data. Investigations revealed that a malicious actor had gained initial access to LKHS's IT environment remotely. The firewall was not configured and therefore unable to block malicious traffic. The vendor was responsible for managing the firewall system, and no testing was conducted before the system went live after an upgrade. As a result, server logs were missing during that period, and security threat protection was not enabled in the system. The malicious actor likely exploited a critical vulnerability to obtain LKHS's workstation credentials and compromise email accounts. The malicious actor successfully deployed ransomware, encrypting and/or exfiltrating the personal data of 1,400 individuals (the “Incident”). The personal data affected included their personal contact information, emails, IC and passport scans, date of birth, sale and purchase agreements, and option to purchase documents. LKHS has been conducting monitoring and has not found any evidence to suggest that the personal data affected in the incident has been misused. Remedial Actions After the Incident, as part of a remediation plan, LKHS put in place the following measures: (a) Patched all software and outdated firmware. (b) Updated and completed all IT hardware and software asset lists. (c) Implemented clear vendor management and account responsibilities processes. (d) Reviewed and resolved firewall issues and eliminated the need for VPN. (e) Implemented strong security settings for servers and updated all workstations with endpoint protection. (f) Implemented 2FA and more stringent password policies. 
(g) All LKHS’s accounts have undergone a successful security audit, with evidence of log file visibility. (h) Scheduled a yearly cybersecurity and IT training for all staff. (i) Implemented new software and patch management policy. The Commission was also satisfied with the additional remedial actions undertaken by LKHS. Undertaking Having considered the circumstances of the case, the Commission accepted an undertaking from LKHS to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 12 October 2023 (the "Undertaking"). The Commission accepted the Undertaking having considered the number of affected individuals, the types of personal data involved and the impact of the Incident. Accepting the Undertaking was also consistent with the Commission’s practice with respect to other personal data breaches similar to the one that affected LKHS. LKHS has since updated the Commission that it has completed the implementation of its remediation plan. The Commission has reviewed the matter and is satisfied that LKHS has complied with the terms of the Undertaking. Please click here to view the Undertaking. | https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/undertakings/undertaking---low-keng-huat-ltd.pdf | VOLUNTARY UNDERTAKING UNDER SECTION 48L OF THE PERSONAL DATA PROTECTION ACT 2012 Case number: DP-2308-C1305 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 (“the Act”) And (1) Low Keng Huat (Singapore) Limited (UEN No. 196900209G) … Organisation The Commission has reasonable grounds to believe that the Organisation has not complied, is not complying or is likely not to comply with section 24 of the Act. 
In order for the Commission to suspend its investigation pursuant to section 50(3)(ca) of the Act, the Organisation HEREBY UNDERTAKES that it will: (a) Complete the remediation plan set out at Schedule B within the timelines stated in Schedule B; and (b) Within 14 days of the completion of the remediation plan set out at Schedule B, provide the Commission with a copy of the declaration set out at Schedule C duly signed by the signatory of this Undertaking or a representative of the Organisation of equal designation. The Organisation acknowledges that the Commission shall be entitled to publish and make available to the public this Undertaking and the summary of the Commission’s findings set out at Schedule A to this Undertaking. Page 1 of 12 The terms of this Undertaking may be varied by the written agreement of the Commission and the Organisation. SIGNED, for and on behalf of ) Low Keng Huat (Singapore) Limited ) By the following: ) Name: ______________________________________ ) Designation: _________________________________ ) Date: _______________________________________ ) Page 2 of 12 SCHEDULE A Page 3 of 12 SUMMARY OF FACTS 1. On 31 July 2023, PDPC was notified by Low Keng Huat (Singapore) Limited (“LKHS”) of a data security incident on 4 July 2023 involving ransomware encryption and possibly data exfiltration. LKHS staff had reported being unable to access the Organisation’s workstations. 2. As a result, the personal data of 1,400 individuals including their names, addresses, personal email addresses, telephone numbers, NRIC numbers, passport numbers, photographs, dates of birth, transaction information was affected. 3. To prevent a recurrence of a similar incident, the Organisation took immediate remedial action to address the cause of the personal data breach. 
Page 4 of 12 SCHEDULE B Page 5 of 12 Columns: S/N; LIKELY CAUSES OF INCIDENT; PROPOSED STEPS TO ADDRESS THE CAUSE; TARGETED COMPLETION DATE. 
Tightened Governance over Outsourced Vendors and Infrastructure 
1. Likely cause: Unpatched software and outdated firmware. Proposed steps: Review and enhance vendors’ execution of patches for each Windows and non-Windows platform: a. List all patches and firmware updates communicated and executed by vendors on stated date b. Physically check for evidence that such patches and updates are completed c. Research any other available patches and updates not covered by vendors. Targeted completion date: 20 Oct 2023. Audit Frequency: Monthly (on a Friday after Microsoft “Patch Tuesday”). 
2. Likely cause: Outdated and incomplete IT hardware and software asset lists. Proposed steps: Review and enhance current asset management processes: a. Record and document any event(s) necessitating fresh review b. Review and update inventory list(s) where necessary c. Check list(s) with actual (sighted) physical items. Targeted completion date: 27 Oct 2023. Audit Frequency: Event-driven as defined or Annually, whichever is earlier. 
3. Likely cause: Breakdown of vendor management and account responsibilities processes. Proposed steps: Review and enhance vendors and account management process: a. Record and document any event(s) necessitating fresh review b. Review and update account management processes where necessary. Targeted completion date: 20 Oct 2023. Audit Frequency: Event-driven as defined or Annually, whichever is earlier. 
4. Likely cause: Firewall not managed, absence of rules and log files monitoring. Proposed steps: a. Record and document any event(s) necessitating fresh review b. Full firewall review: check rules, logs, bandwidth monitoring, list of super admin users, access security through Internet, logs monitoring, reporting frequency. The immediate actions taken post incident had already fixed all firewall issues identified. We intend for another round of manual checks before the target completion date and provide screenshots, log files as part of the status report at the end of the voluntary undertaking. In the event LKHS switches service provider, or changes the type of firewall used, we will repeat all the tasks as detailed in above. Targeted completion date: 20 Oct 2023. Audit Frequency: Event-driven as defined or Annually, whichever is earlier. 
5. Likely cause: VPN software end of life. Proposed steps: Removed need for VPN, no longer using the VPN solution. Files and folders access via Microsoft Sharepoint. Targeted completion date: N.A. Post incident, LKHS has discontinued the use of a VPN for external access to on-premise (local site) file servers. LKHS staff now use the public Internet to access files stored on Microsoft Sharepoint cloud. Existing local file servers (on-site) can be accessed only when physically in office, and using existing Active Directory credentials. LKHS has concluded there is no requirement to access any corporate work and assets from the Internet. The Management’s decision is to use cloud Sharepoint as the main file access and sharing functionality without any need for a VPN. The previous VPN and local Active Directory security mechanism has been replaced with Microsoft's Azure Active Directory ("AAD") Authentication and Identity Management features. Authorised LKHS staff have been registered with the AAD and users need to sign in with their Azure AD credentials. Multi-factor authentication will be enforced as part of the LKHS remediation plan. LKHS uses Sharepoint's Role-Based Access Control (RBAC) to manage permissions and access. LKHS administrators will assign permissions to users and groups at various levels. Folder owners (designated staff) will need to grant privilege access to their respective team members, based on internal requirements. 
Cybersecurity Enhancements 
6. Likely cause: Weak security settings for servers. Proposed steps: Work with vendors to harden infrastructure using CIS benchmarks, vendors’ knowledge base or Windows Group Policy Objects. Targeted completion date: 18 Oct 2023. 
7. Likely cause: Lack of endpoint protection. Proposed steps: Implement endpoint protection for all LKHS staff: a. List all end users with and without endpoint antivirus software installed b. Monitor effectiveness and any expiry dates. Targeted completion date: 31 Oct 2023. 
8. Likely cause: Weak Microsoft account passwords, lack of 2FA. Proposed steps: a. Implement Microsoft 2FA, password security and rules b. Review password policies and enforce strong password requirements. 
9. Likely cause: Lack of log file visibility and management. Proposed steps: Monitor logs from key servers / firewall. Explore centralised log server to consolidate logs from key servers. 
Targeted completion dates for items 8 and 9, in the order listed: 18 Oct 2023; 27 Oct 2023. 
Staff Communication/Education and IT Policies 
Columns: S/N; IDENTIFIED GAPS; AGENDA; MODE AND NEXT SCHEDULED DATE; SUBSEQUENT FREQUENCY. 
1. Identified gap: No schedule for staff communication and training on cybersecurity matters. Agenda: • Cybersecurity Training. Mode and next scheduled date: Online or in person. Subsequent frequency: Once per year. 
2. Identified gaps: Lack of detail and actionable steps in current IT Policies. Weak enforcement of policies related to IT Governance. Agenda: • Training on LKHS IT Acceptable Use Policy • LKHS-IT-01 Vendor Management Policy • LKHS-IT-03 Acceptable Use Policy • IT Policy in Software and Patch Management. Within 1 month after remediation timeframe. To extract and follow PDPC’s Guides. Events when the policies are updated. Once per year. 
Page 10 of 12 SCHEDULE C Page 11 of 12 Case number: DP-2308-C1305 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 (“the Act”) And (1) Low Keng Huat (Singapore) Limited (UEN No. 196900209G) … Organisation DECLARATION I refer to the voluntary undertaking dated ________ given by the Organisation to the Personal Data Protection Commission pursuant to section 48L of the Act (“the Undertaking”). I declare that the remediation plan set out at Schedule B of the Undertaking has been completed. 
I acknowledge that by making a false declaration or providing false or misleading information to the Personal Data Protection Commission, I may be prosecuted for offences under section 51(3)(c) of the Personal Data Protection Act 2012 and/or section 182 of the Penal Code 1871. ________________________ Signature _______________________ Date ________________________ ________________________ Name Designation Page 12 of 12 | 2acd6b8fce9caed3a0f1615035c5c365f7429d93 |