The Personal Data Protection Commission of Singapore announced a new undertaking this week. The incident that led to the investigation was a ransomware attack on a medical entity, and findings included that the entity had left RDP open and had weak login credentials, among other concerns. The undertaking was to get them to harden their security; no monetary penalty was involved.
Background
The Personal Data Protection Commission (the “Commission”) received a data breach notification on 7 February 2020 from StarMed Specialist Centre Pte Ltd (“StarMed”), informing that ransomware had infected one of its servers and encrypted a database containing 373 patients’ personal data. The personal data consisted of the name, NRIC number, date of birth, gender, electrocardiogram data and treadmill stress test data.
It was established that StarMed had not implemented the necessary security measures at the time of the incident. A Remote Desktop Protocol (“RDP”) Port had been left open, which likely enabled the unauthorised access to the database. In addition, both the server and database had weak login credentials and passwords.
Remedial Actions
After the incident, StarMed disabled the RDP Port and all public facing connections on the firewall. It also formalised its internal password SOPs into a written password policy. Additionally, StarMed rolled out several group-led IT security enhancement initiatives, including the implementation of a secured wide-area network and cybersecurity protection suite. StarMed will also continue to bolster staff awareness on cybersecurity issues through further training at its Cyber Security Awareness workshops, conducted by an external cybersecurity consultant.
Undertaking
The Commission considered the circumstances of the case and accepted an undertaking from StarMed to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 12 October 2020 (the “Undertaking”).
The Undertaking provides that StarMed was to:
(a) review password policies relating to StarMed’s servers and IT equipment storing personal data;
(b) review process of login authentication on StarMed’s servers and IT equipment storing personal data;
(c) review the need for an alert system in the event of multiple failed account login attempts to StarMed’s server and IT equipment storing personal data, including logging such attempts;
(d) once the Commission approves the proposed implementation plan, comply with every obligation set out in the implementation plan;
(e) appoint individuals of sufficient authority to oversee compliance with the Undertaking and to report the status of compliance to the Commission; and
(f) provide a status report to the Commission at a time requested by the Commission confirming whether StarMed has fulfilled each of the specific measures set out in the implementation plan.StarMed has since provided the Commission with the status report referred to at para 5(f) above. The Commission has reviewed the matter and determined that StarMed has complied with the terms of the Undertaking.
Please click here to view the Undertaking.
Source: Personal Data Protection Commission of Singapore