The organisation failed to put in place reasonable measures to protect personal data on its database servers.
The Personal Data Protection Commission (PDPC) in Singapore has imposed a financial penalty of S$25,000 on Singapore-based digital design company Webcada.
According to the PDPC, the organisation failed to put in place reasonable measures to protect personal data on its database servers. It also did not have the written policies and practices necessary to ensure its compliance with the PDPA.
On 4 September 2020, Webcada Pte Ltd (the “Organisation”) notified the Personal Data Protection Commission (the “Commission”) that three of its database servers had been subjected to a ransomware attack on 29 August 2020 (the “Incident”).
The personal data of 522,722 individuals was affected in the Incident. The affected datasets comprised the individuals’ names, phone numbers, dates of birth, addresses and order histories.
Following the Incident, the Organisation engaged an independent third-party consultant to investigate, review and assist in the implementation of additional data protection measures.
The Organisation took the following remedial measures after the Incident:
- IPMI was permanently disabled for all servers
- The public IP address of all servers was removed and all remote management access to the servers was configured to allow only trusted IP addresses
- End-point protection software with threat hunting capabilities was installed on all servers and computers within the Organisation
- A written data protection policy was developed and implemented to comply with the provisions of the Personal Data Protection Act 2012 (the “PDPA”).
In its representations to the PDPC, the Organisation admitted to having breached the Accountability Obligation under section 12 and the Protection Obligation under section 24 of the PDPA, and requested that the matter be dealt with in accordance with the PDPC’s Expedited Decision Procedure.
First, the Organisation admitted it did not have a written data protection policy prior to the Incident. In this regard, it is important to reiterate that an organisation must document its data protection policies and practices in writing as they serve to increase awareness and ensure accountability of the organisation’s obligations under the PDPA. This requirement has been emphasized multiple times in previous decisions.
Second, the Organisation admitted that it did not configure its IPMI access settings correctly prior to the Incident. It had enabled access to the IPMI from the public Internet when this was not necessary. According to the PDPC, the monthly vulnerability scans carried out by the Organisation omitted the IPMI, so the Organisation was unable to detect the vulnerabilities in its IPMI that were exploited to gain access to the servers and upload the ransomware.
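The two failures described above (IPMI reachable from the public Internet, and a scan scope that silently left the IPMI out) and the corresponding remedial measures (disable IPMI, restrict management access to trusted addresses) are both inventory problems at heart. The script below is an added example, not code from the PDPC decision or from Webcada, showing how a defender can reconcile a server inventory against a vulnerability-scan target list and flag management interfaces that are both public and unrestricted. Every server name, address, allowlist and scan-scope entry in it is constructed for illustration; the `Server` dataclass and the `find_scan_gaps` / `find_exposed_ipmi` functions are assumptions of this example rather than any real tool's API.

```python
"""Added example (not from the PDPC decision or Webcada): reconcile a server
inventory against a vulnerability-scan scope and flag IPMI/BMC management
interfaces reachable from the public Internet. All servers, addresses and
scan-scope entries below are constructed for illustration."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Address ranges treated as "not public". The RFC 5737 documentation ranges
# (e.g. 203.0.113.0/24) are deliberately left out so that the constructed
# sample addresses below count as public for the purpose of the illustration.
NON_PUBLIC_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]


@dataclass
class Server:
    name: str
    host_ip: str
    ipmi_enabled: bool
    bmc_ip: Optional[str] = None            # IPMI/BMC address, None if none assigned
    mgmt_allowlist: List[str] = field(default_factory=list)  # CIDRs allowed to reach management


def is_public(ip: str) -> bool:
    """True if the address lies outside the private/local ranges above."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in NON_PUBLIC_NETS)


def find_scan_gaps(servers: List[Server], scan_scope: List[str]) -> List[Tuple[str, str]]:
    """BMC addresses of IPMI-enabled servers that the scan scope does not
    cover: exactly the interfaces a monthly scan would never report on."""
    scoped = {ipaddress.ip_address(a) for a in scan_scope}
    return [
        (s.name, s.bmc_ip)
        for s in servers
        if s.ipmi_enabled and s.bmc_ip
        and ipaddress.ip_address(s.bmc_ip) not in scoped
    ]


def find_exposed_ipmi(servers: List[Server]) -> List[str]:
    """Servers whose IPMI is enabled on a public address and whose management
    allowlist is either empty or admits the whole Internet (0.0.0.0/0)."""
    exposed = []
    for s in servers:
        if not (s.ipmi_enabled and s.bmc_ip and is_public(s.bmc_ip)):
            continue
        open_to_world = not s.mgmt_allowlist or any(
            ipaddress.ip_network(c, strict=False).prefixlen == 0
            for c in s.mgmt_allowlist
        )
        if open_to_world:
            exposed.append(s.name)
    return exposed


def sample_inventory() -> List[Server]:
    """Constructed sample inventory (hypothetical hosts and addresses)."""
    return [
        Server("db-01", "203.0.113.10", True, "203.0.113.11"),                 # public BMC, no allowlist
        Server("db-02", "203.0.113.12", True, "203.0.113.13", ["0.0.0.0/0"]),  # public BMC, allowlist is "any"
        Server("db-03", "10.0.0.30", True, "10.0.0.31", ["10.0.5.0/24"]),      # private BMC, restricted
        Server("web-01", "203.0.113.20", False),                               # IPMI disabled
    ]


# Constructed monthly scan scope: host addresses plus some, but not all, BMCs.
SAMPLE_SCAN_SCOPE = ["203.0.113.10", "203.0.113.11", "203.0.113.12",
                     "203.0.113.20", "10.0.0.30", "10.0.0.31"]


def audit(servers: List[Server], scan_scope: List[str]) -> dict:
    """Combine both checks into one report."""
    return {
        "scan_gaps": find_scan_gaps(servers, scan_scope),
        "exposed_ipmi": find_exposed_ipmi(servers),
    }


if __name__ == "__main__":
    report = audit(sample_inventory(), SAMPLE_SCAN_SCOPE)
    for name, bmc in report["scan_gaps"]:
        print(f"SCAN GAP: {name} BMC {bmc} is not in the scan scope")
    for name in report["exposed_ipmi"]:
        print(f"EXPOSED: {name} IPMI reachable from the public Internet")
```

Run against the constructed inventory, the report lists `db-02` as a scan gap (its BMC address is missing from the scan scope) and `db-01` and `db-02` as exposed (public BMC address with no allowlist, or an allowlist of `0.0.0.0/0`). The design point is that the scan scope is derived from the same inventory that records management interfaces, so an out-of-band interface cannot be left out of scanning without the gap showing up in the audit; the remedial measures in the decision (IPMI disabled, public addresses removed, management restricted to trusted addresses) each make one of these checks pass.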
In the circumstances, the Organisation was found to have breached sections 12 and 24 of the PDPA.
After considering the factors listed at section 48J(6) of the PDPA and the circumstances of this case, including (i) the Organisation’s upfront voluntary admission of liability which significantly reduced the time and resources required for investigations; and (ii) the Organisation’s prompt remedial actions, the Organisation is given notice to pay a financial penalty of S$25,000.