pdpc_undertakings_version: 73
| _id | _item | _version | _commit | id | organisation | url | timestamp | pdf-url | _item_full_hash |
|---|---|---|---|---|---|---|---|---|---|
| 73 | 62 | 1 | 1013 | 37 | Sunray Woodcraft Construction Pte Ltd | https://www.pdpc.gov.sg/undertakings/undertaking-by-sunray-woodcraft-construction-pte-ltd | 2024-04-22 | https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/undertakings/undertaking---sunray-woodcraft-construction-pte-ltd.pdf | 96dcbf886a997c56857805ee9335ab6df1d37840 |

description:

Background

The Personal Data Protection Commission (the “Commission”) was notified by Sunray Woodcraft Construction Pte. Ltd. (the “Organisation” or “SWCPL”) on 11 May 2023 of a personal data breach involving the unauthorised access and exfiltration of personal data (the “Incident”). Investigations revealed that a malicious actor had utilised a ransomware-as-a-service against SWCPL’s corporate environments, by exploiting vulnerabilities or using compromised credentials. While the exact cause of the breach could not be determined, the malicious actor encrypted the Organisation’s files containing the personal data of 2,130 individuals who were the Organisation’s current or ex-employees or who had previously sought employment with the Organisation. The types of personal data affected included the name, address, NRIC number, passport number, date of birth, contact information, photographs, and payroll information. In addition, for 689 of the 2,130 individuals affected, their personal email address was also affected.

Remedial Actions

Upon discovery of the Incident, SWCPL had taken prompt remedial actions including tightening the access controls to sensitive system interfaces, updating the latest patches to the firewall, strengthening the firewall rules, resetting the privileged accounts and passwords, and deploying an Endpoint Detection and Response software to continuously monitor end-user devices within its network.

Undertaking

Having considered the circumstances of the case, the Commission accepted a voluntary undertaking (the “Undertaking”) from SWCPL to improve its compliance with the Personal Data Protection Act 2012. The Undertaking was executed on 25 October 2023.

As part of the Undertaking, SWCPL implemented the following:

- (a) Engaged Telstra Singapore for Cyber Detection and Response services to manage and oversee its IT environment;
- (b) Implemented risk assessments on any changes towards its environment to identify the potential impacts and minimize risks;
- (c) Transmit and retain logs for 90 days using Telstra’s Security Operations Centre;
- (d) Deployed a vulnerability scanner to regularly scan assets;
- (e) Enhanced its backup solution to utilise a secured cloud-based data storage;
- (f) Keep an inventory of hardware/software assets and user accounts;
- (g) Implemented a Personal Data Protection policy and an Incident Response plan;
- (h) Enforced multi-factor authentication for all VPN users; and
- (i) Implemented Group Policy Object policies to ensure users do not use default usernames and simple passwords, and to enforce account lockouts after several failed login attempts.

The Commission was satisfied with the Undertaking proposed by SWCPL and accepted the Undertaking having considered the number of affected individuals, the types of personal data involved and the impact of the Incident. Accepting the Undertaking was also consistent with the Commission’s practice with respect to other personal data breaches similar to the one that affected SWCPL. SWCPL has since updated the Commission that it has completed the implementation of its remediation plan. The Commission has reviewed the matter and is satisfied that SWCPL has complied with the terms of the Undertaking.

pdf-content:

VOLUNTARY UNDERTAKING UNDER SECTION 48L OF THE PERSONAL DATA PROTECTION ACT 2012

Case number: DP-2305-C1003

In the matter of an investigation under section 50(1) And (1) Sunray Woodcraft Construction Pte Ltd (UEN No. 198703016K), the Organisation.

The Commission has reasonable grounds to believe that the Organisation has not complied, is not complying or is likely not to comply with section 24 of the Act. In order for the Commission to suspend its investigation pursuant to section 50(3)(ca) of the Act, the Organisation HEREBY UNDERTAKES that it will:

- (a) Complete the remediation plan set out at Schedule B within the timelines stated in Schedule B; and
- (b) Within 14 days of the completion of the remediation plan set out at Schedule B, provide the Commission with a copy of the declaration set out at Schedule C duly signed by the signatory of this Undertaking or a representative of the Organisation of equal designation.

The Organisation acknowledges that the Commission shall be entitled to publish the findings set out at Schedule A to this Undertaking. The terms of this Undertaking may be varied by the written agreement of the Commission and the Organisation.

SIGNED, for and on behalf of Sunray Woodcraft Construction Pte Ltd by the following: Name: ______ Designation: ______ Date: ______

SCHEDULE A: SUMMARY OF FACTS

1. On 11 May 2023, the PDPC was notified by Sunray Woodcraft Construction Pte Ltd (SWCPL) of a ransomware attack on its servers on or about 25 April 2023 causing loss of access to IT systems and encryption of files with personal data.
2. As a result, the personal data of 2,130 individuals including their names, addresses, personal email addresses (in respect of 689 individuals), telephone numbers, NRIC numbers, passport numbers, photographs, dates of birth, bank account numbers and salary information was affected.
3. To prevent a recurrence of a similar incident, the Organisation took immediate remedial action to address the cause of the personal data breach.

SCHEDULE B: REMEDIATION PLAN

Technical remediation

| No. | Potential Risk Factors / Improvement Areas | Remediation Plan | Target Completion (Date) |
|---|---|---|---|
| 1 | Exploitable vulnerabilities in software used. | Software in use will be updated to the latest version available. | Completed |
| 2 | (as above) | SWCPL will evaluate and thereafter implement/deploy technological measures to ensure that software on all devices is updated as new patches become available. | December 2023 |
| 3 | (as above) | SWCPL will conduct a risk assessment for software that cannot be updated (e.g., because it is needed for compatibility with legacy hardware such as CNC machines / laser cutters), to evaluate vulnerabilities, threats, impacts, mitigation measures, business context, compliance, and risk acceptance to inform decision-making and appropriate prioritization of resources for effective risk management. | December 2023 |
| 4 | Lack of enforcement of multi-factor authentication for virtual private network access. | SWCPL will enforce multi-factor authentication for all account logins for VPN connections to its IT systems. | Completed |
| 5 | Inadequate maintenance of security software (e.g. antivirus, firewalls). | SWCPL will update all security software to the latest version available, including updating antivirus patterns. | Completed |
| 6 | (as above) | SWCPL will evaluate and thereafter implement/deploy technological measures (such as vulnerability scanning engines) to ensure that security software is updated as new patches become available. | December 2023 |
| 7 | (as above) | SWCPL will conduct a thorough firewall rules review to ensure adequate protection for SWCPL. Any issues identified will be resolved. | Completed |
| 8 | […] | […] security defense, SWCPL is evaluating and will deploy intrusion detection systems (IDS), intrusion prevention systems (IPS), or endpoint detection and response (EDR) to strengthen its cybersecurity profile. SWCPL will also perform continuous evaluation and finetuning of IDS, IPS, and EDR. | SentinelOne (an EDR) has already been deployed. IDS/IPS will be managed through our Palo Alto firewall, which has already been deployed. Continuous evaluation and fine tuning will be performed as necessary. |
| 9 | Use of default usernames for high-privilege accounts. | SWCPL will change usernames for high-privileged accounts that are default usernames. Technological policies will be implemented to ensure that default […] | Completed |
| 10 | Weak enforcement of secure passwords. | SWCPL will strengthen password enforcement by implementing Group Policy Object (GPO) policies that enforce compliance with SWCPL's password policy on complexity, length, and expiry. | Completed |
| 11 | Account lockout policies. | SWCPL will enforce automatic account lockout policies which will lock out an account after 5 failed login attempts. | Completed |
| 12 | On-premises backup dependency increases vulnerability to data loss or unavailability during disasters or cyberattacks. | SWCPL will evaluate and thereafter implement off-site backup, tape backup or cloud-based backup. | Evaluation will be completed by November 2023. Actual backups will be performed as necessary. |
| 13 | Implementation of centralized logging capabilities to ensure that system logs are available in the event of a cyber incident. | SWCPL will evaluate and thereafter implement systems to retain and adequately secure logs from network devices, local hosts and cloud services, etc. for at least 90 days. | November 2023 |

Policies / Process Remediation

| No. | Potential Risk Factors / Improvement Areas | Remediation Plan | Target Completion (Date) |
|---|---|---|---|
| 14 | Strengthen incident response plan. | SWCPL will draft an Incident Response Plan that includes an outline of the scope, incident response methodology, incident response phases, guidelines for the incident response process, and documentation, tracking, and reporting procedures, ensuring a comprehensive and tested approach to addressing information security incidents. | November 2023 |
| 15 | Vulnerability testing. | SWCPL will research available vulnerability testing solutions to conduct a suitable penetration test after the abovementioned steps. SWCPL will also implement periodic penetration testing. | Research on vulnerability testing solutions will be completed by November 2023. Penetration testing will be conducted as needed. |
| 16 | Implementing asset management actions to ensure that information assets are available and accurate. | SWCPL will implement the following asset management actions: (1) keep an inventory of hardware and software assets to identify outdated hardware and software; (2) keep an inventory of user accounts; (3) maintain an updated network diagram of the network. | Items 1 and 2: November 2023. Item 3: Completed; SWCPL is actively maintaining this network diagram. |
| 17 | Implementing account management actions to ensure security of user accounts. | SWCPL has in place the following account management actions: (1) implementing procedures and processes to perform periodic review of user accounts and removal of inactive accounts; (2) enforcing the […] control user access rights. | Item 1: SWCPL already has in place such procedures and processes. SWCPL will regularly review these procedures and processes to ensure that they are complied with. Item 2: Completed. SWCPL will regularly review these procedures and processes to ensure that they are complied with. |
| 18 | Implementing written policies/processes/guidelines relating to the collection, use, disclosure, protection and retention of personal data in the possession and/or custody of SWCPL and/or its employees. | SWCPL will review and update its internal policies/processes relating to the collection, use, disclosure, protection, and retention of personal data in the possession and/or custody of SWCPL and/or its employees, including but not limited to ensuring the proper documentation of the policies and processes and enhancing training for all staff on their data protection. | November 2023 |

SCHEDULE C: DECLARATION

Case number: DP-2305-C1003

In the matter of an investigation under section 50(1) And (1) Sunray Woodcraft Construction Pte Ltd (UEN No. 198703016K)

I refer to the voluntary undertaking dated [___________] given by the Organisation to the Personal Data Protection Commission pursuant to section 48L of the Personal Data Protection Act 2012 (the Undertaking). I declare that the remediation plan set out at Schedule B of the Undertaking has been completed. I acknowledge that by making a false declaration or providing false or misleading information to the Personal Data Protection Commission, I may be prosecuted for offences under section 51(3)(c) of the Personal Data Protection Act 2012 and/or section 182 of the Penal Code 1871.

Signature: ______ Date: ______ Name: ______ Designation: ______