Breaches of the PDPA in relation to the transfer of employees’ personal data.
Singapore’s Personal Data Protection Commission has issued warnings to Toll Logistics (Asia), Toll Global Forwarding, Toll Offshore Petroleum Services, and Toll (TZ) for breaches of the PDPA in relation to the transfer of employees’ personal data to a human resources software vendor in Ireland.
On 11 June 2020, Toll Holdings notified the Personal Data Protection Commission (“the Commission”) of a ransomware attack which had affected the Group’s IT systems, including servers in Australia and Singapore containing the personal data of current and former employees of the Organisations (“the Incident”).
The Commission subsequently received complaints from three former employees of Toll Logistics in relation to the Incident.
Investigations were commenced to determine whether the circumstances relating to the Incident disclosed any breaches by the Organisations of the Personal Data Protection Act 2012 (“PDPA”).
In July 2013, Toll Holdings contracted with a vendor in Ireland (“the HR Vendor”) for the Group’s use of the HR Vendor’s human resources software platform (“the HR Platform”). To facilitate use of the common HR Platform, the respective Group entities (including the Organisations) uploaded the personal data of their employees to the HR Platform. The data uploaded to the HR Platform was hosted by the HR Vendor in data centres in the European Economic Area.
Subsequently, in 2019, a series of Corporate Services Agreements (“CSAs”) and accession agreements were executed with the net effect that Toll Holdings undertook to provide finance, human resources (“HR”), information technology (“IT”), legal, and other corporate services to all the Organisations. Although the CSAs were inked in 2019, they took retrospective effect from 1 April 2018.
The services provided by Toll Holdings to the Organisations under the CSAs included:
(a) Development and maintenance of HR policies and procedures;
(b) Development and maintenance of IT strategy;
(c) Development and maintenance of IT policies and procedures; and
(d) Provision of IT support services.
Under the terms of the CSAs, Toll Holdings was permitted to appoint subcontractors to perform part or all of the services subject of the CSAs, but remained responsible to the same extent as if it had performed the services itself.
The scope of IT services to be provided by Toll Holdings under the CSAs specifically excluded the “development or implementation of IT systems”, which responsibility presumably remained with the Organisations. To this end, the Organisations maintained ten servers in Singapore to support their operations. Three of these servers (“the Singapore Servers”) were used by the Organisations’ corporate teams (i.e. finance, legal, HR) in the ordinary course of their work and contained personal data within the email archives and other working documents.
The Group (including the Organisations) had implemented various industry-standard security solutions for its IT systems, such as end-point protection software, logging and monitoring software and/or services, firewall and intrusion prevention software, security detection and response software, identity access management and control software and services, vulnerability scanning software and services, and patching software. A Managed Security Service Provider (“MSSP”) was also engaged to provide cyber security detection and incident response services for the Group.
On 26 April 2020, a malicious actor gained access to Toll Holdings’ IT environment in Australia using credentials stolen from a third-party vendor. The third-party vendor had been granted administrative access to two servers in Toll Holdings’ IT environment in order to provide support services for a software solution.
Having gained access to the Group’s IT environment, the malicious actor used advanced malware and a range of hacking tools to move through the Group’s network, conduct reconnaissance, and escalate account privileges. The malicious actor also made various efforts to bundle and compress data from the Australia Server and stage it for exfiltration.
Threat monitoring software deployed by the Group detected events related to the malicious actor’s account takeover and privilege escalation during the Incident and raised alerts to the MSSP. However, according to Toll Holdings, no alerts were brought to its attention. On 3 May 2020, the malicious actor exfiltrated less than 2% (two per cent) of the data stored on the Australia Server using a web-based file sharing service. The malicious actor then ran scripts to disable various endpoint protections across the Group and executed a ransomware attack. The ransomware attack encrypted files on a number of the Group’s servers, including the Australia Server and the Singapore Servers.
When subsequently making ransom demands, the malicious actor provided Toll Holdings with a summary of the files exfiltrated from the Australia Server and eventually uploaded portions of the exfiltrated files onto the dark web. Based on (i) the summary provided by the malicious actor, (ii) the Group’s review of the available logs and records on the Australia Server, and (iii) a review of the files eventually published by the malicious actor on the dark web, the Organisations concluded that there was no evidence of exfiltration of the personal data of their current or former employees from the Australia Server.
In determining what directions (if any) should be given to the Organisations pursuant to section 48I of the PDPA, the Deputy Commissioner took into consideration:
(a) the Organisations’ cooperation with the Commission’s investigations;
(b) that access to the transferred personal data was limited to entities within the same corporate group;
(c) that there was no evidence of any loss or damage resulting from the Organisations’ contravention of the Transfer Limitation Obligation; and
(d) that the Group had already implemented intra-group contractual arrangements to govern future transfers of personal data by the Organisations to Toll Holdings.
Having considered all the mitigating factors listed above, the Deputy Commissioner administered a warning to the Organisations in respect of their breach of the Transfer Limitation Obligation.
No other directions are necessary in view of the remedial actions already taken by the Organisations.