Two Companies Have to Pay $43,000 Over Private Information Breaches Impacting SAF and Mindef Employees
Nothing Indicates that Any of the Affected Data Was Eventually Disclosed.
Two companies have been fined $43,000 in total following two separate malware attacks in 2019 that caused the breach of sensitive information of 2,400 Ministry of Defence (Mindef) and Singapore Armed Forces (SAF) employees.
ST Logistics and the HMI Institute of Health Sciences, third-party vendors, have to pay $35,000 and S$8,000 respectively.
The data breach happened at a privately-owned vendor of SAF and Mindef, ST Logistics, which was hired to provide third-party logistics and equipping services for the SAF.
According to Mindef, the breached information included full names, National Registration Identity Card (NRIC) numbers, telephone numbers, and e-mail addresses or residential addresses.
The Personal Data Protection Commission (PDPC), which imposed the fines, made its written decisions public last Thursday.
Companies contravening the Personal Data Protection Act can currently face a financial sanction of up to S$1 million.
Under amendments to the Act that were passed in Parliament in November last year, the maximum amount that a company can be fined for a data breach was increased to either 10 per cent of its annual turnover in Singapore or S$1 million, whichever is higher.
This will take effect no earlier than Feb 1 next year, according to the PDPC’s advisory guidelines on the enforcement of data protection provisions.
The HMI Institute of Health Sciences Data Breach
HMI discovered at the end of 2019 that a file server had been encrypted by ransomware and hired cybersecurity experts to look into the attack. They found no proof that the data was extracted from the server.
The ransomware encrypted and blocked access to various files, including those that contained the private information of about 110,080 individuals who took part in HMI Institute’s training classes and 253 members of staff.
98,000 of the impacted people who participated in HMI Institute’s training courses were SAF servicemen. Fortunately, they had only their names and NRIC numbers saved on the server.
According to the Personal Data Protection Commission, HMI failed to implement adequate security measures and left the sensitive information at risk for four years, from the time the server was set up in 2014 until it was disconnected from the network following the cyberattack.
The PDPC added that the Institute took prompt remedial measures, including decommissioning the server without paying the requested ransom, alerting all those impacted, and implementing actions to prevent this kind of attack from happening again.
The ST Logistics Data Breach
In the ST Logistics incident, a few of its workers fell victim to a phishing attack that involved malware sent to their email accounts in October 2019. The attack caused a data breach that affected 2,400 Mindef and SAF employees.
All the impacted individuals had been informed by Mindef of the cyberattack via SMS by late December 2019.
According to the company’s LinkedIn profile, ST Logistics is a Singapore-based company with more than 45 years of experience providing Supply Chain Management and Integrated Logistics Solutions to the Defence, Government, and Healthcare sectors.
The company has been hired to provide logistics services and equipping services for Mindef and SAF personnel.
In order to have its financial penalty reduced, the company stated that the risk of damage following the attack was low as the data was limited to email addresses, and nothing indicates that any of this data was leaked.
The PDPC decided to reduce the financial penalty but didn’t say what the original fine would have been.
The PDPC said that in deciding to reduce the fine, it had carefully considered the representations and taken into account ST Logistics’ co-operation and prompt responses to the commission’s queries.
According to the commission’s investigations, ST Logistics had failed to carry out periodic security reviews to discover flaws in its IT systems, meaning that the anti-virus software installed on employees’ machines was not updated.
Some of the impacted employees did not have advanced endpoint protection software, which detects newly released forms of malware, installed on their devices.
When it comes to adequate endpoint protection solutions, we recommend our Heimdal™ Threat Prevention, available for both Home and Enterprise users.
Heimdal™ Threat Prevention is a proactive cybersecurity solution, engineered to offer protection against even the most advanced malware, such as financial and data-stealing malware. It both filters cyber threats before they reach your system and automates patch management to close all security holes in a computer system.