Unauthorised access to approximately 20,000 individuals’ and companies’ data was preventable.
Singapore’s Personal Data Protection Commission (PDPC) has fined Tripartite Alliance SG$29,000. According to the PDPC, Tripartite failed to put in place reasonable security arrangements to prevent the unauthorised access of approximately 20,000 individuals’ and companies’ data stored in its customer relationship system database.
The Tripartite Alliance for Fair and Progressive Employment Practices (TAFEP) was set up in 2006 by the tripartite partners (Ministry of Manpower, National Trades Union Congress, and Singapore National Employers Federation), to promote the adoption of fair, responsible, and progressive employment practices.
In early March 2020, Tripartite notified the PDPC that a server hosting its customer relationship management (“CRM”) system was infected with ransomware on or around 17 February 2020.
The organisation subsequently requested that this matter be handled under the Commission’s expedited breach decision procedure.
In this regard, Tripartite voluntarily provided and unequivocally admitted to the facts set out in this decision. It also admitted that it was in breach of section 24 of the Personal Data Protection Act (the “PDPA”).
The CRM system was a Software-as-a-Service (“SaaS”) solution provided by a software service provider engaged by the Tripartite (the “Vendor”), which Tripartite used to handle employment-related enquiries, feedback, and complaints.
At the time of the incident, the CRM system contained approximately 12,000 individuals’ and 8,000 companies’ data (including information of the companies’ representatives). The types of data affected for each individual varied, but may include an individual’s name, identification number, contact number, email address, age, race, marital status, salary, and compensation amount (if applicable).
At the time, Tripartite claimed that it had, since June 2019, expanded the scope of the IT services procured from the Vendor to include security monitoring services for the CRM system, such as the blocking of cyber-attacks based on alerts. However, there was no adequate process in place to ensure that the Vendor proactively monitored the alerts and took action to block malicious activity in a timely manner.
Tripartite accepted that it had the responsibility to ensure that the Vendor had the same understanding of its duty of care under the monitoring services contract, and to oversee and supervise the work of the Vendor through clear instructions on regular reporting and updates by the Vendor.
Following the incident, Tripartite started close monitoring of the Vendor’s IT services support on a weekly basis to ensure timely application of patches and follow-up on security alerts received. Tripartite also undertook an organisation-wide review to strengthen its management of all its third-party IT service providers, such as requesting that these service providers conduct cybersecurity audits, vulnerability assessments and penetration testing of its existing IT systems.
The Tripartite also informed the Commission that it will be migrating to a new CRM system and is currently working to terminate the existing CRM system.
The organisation informed the Commission that the database in the CRM system was not protected by encryption at the time of the incident, which left the database vulnerable to exposure. However, there was no evidence that the attacker had exfiltrated the database.
Tripartite admitted that it had breached the Protection Obligation under section 24 of the PDPA in failing to ensure that the vendor had duly discharged its contractual data protection obligations. In particular, the Tripartite admitted that it had not monitored the vendor’s performance to ensure that the Vendor met the required information security standards.
In the circumstances, the Commissioner found that Tripartite was in breach of the Protection Obligation under section 24 of the PDPA.
As for the Vendor, it was a SaaS provider that provided the CRM system, including maintenance support and security monitoring services. These services did not entail the processing of personal data. As such, the Vendor was not a “data intermediary” of Tripartite.
Accordingly, the vendor was not responsible for the protection of the individuals’ personal data under the PDPA in respect of the incident.
In determining the directions to be imposed on the Tripartite for the breach, the Commissioner considered the following factors:
- Aggravating – the high number of affected individuals, approximately 20,000.
- Aggravating – the nature of the affected data. In particular, the database contained details of employment-related complaints and disputes. Individuals would expect a high level of confidentiality when they convey such matters to Tripartite for handling.
- Mitigating – Tripartite’s upfront admission of breach of the Protection Obligation, and the prompt remedial actions to mitigate the effects and prevent recurrence of the incident.
- Mitigating – there was no evidence of exfiltration of the database in the CRM system.