More organisations have shifted their operations online and have their staff work from home because of the COVID-19 pandemic. From a cybersecurity perspective, this broadens the attack surface available to attackers, because more devices and more remote connections are used to run the business. The larger attack surface, coupled with more sophisticated methods adopted by attackers, increases the risk of organisations falling prey to ransomware: malware that encrypts the victim's data and blocks access to it until the demanded ransom is paid.
In some instances of ransomware attacks, there may not have been any exfiltration or removal of data from the organisation. However, even where there is no exfiltration of data, organisations may find themselves in breach of their protection obligation under Singapore’s Personal Data Protection Act (PDPA). This is a key learning point in the recent Personal Data Protection Commission decision of HMI Institute of Health Sciences Pte. Ltd. [2021] SGPDPC 4.
HMI Institute had collected personal data from its employees and from the participants of its training courses. The personal data were stored on a file server protected by a firewall that blocked all connections to the server except those through the standard port used for the Remote Desktop Protocol, TCP 3389 (the RDP Port). HMI Institute kept the RDP Port open to the internet so that the server could be reached quickly for recovery and maintenance work.
On 4 December 2019, the server suffered a ransomware attack which encrypted the personal data of approximately 110,080 course participants and 253 employees. The affected personal data included names, NRIC numbers and financial information.
An expert assessment concluded that the attacker had likely discovered the open RDP Port and then obtained the password of the server's administrator account by brute force, that is, by repeatedly guessing passwords over RDP until one was accepted, thereby gaining access to the server.
HMI Institute was found to have breached its obligation to protect the personal data as it failed to make reasonable security arrangements to protect the personal data in the server from the risk of unauthorised access, modification and disposal for the following reasons:-
Therefore, even though there was no exfiltration of personal data and all affected personal data were retrieved, HMI Institute had breached its obligation under section 24 of the PDPA. Having considered all the relevant factors of the case, the PDPC imposed a $35,000 financial penalty on HMI Institute.
The PDPC reviews the security arrangements that an organisation has instituted on a holistic basis. These include access management for servers (whether mission critical or otherwise), password management policies, and the extent of any other security measures the organisation has in place to protect the data (e.g. anti-hammering features such as locking an account after a set number of failed login attempts).
In view of the evolving cybersecurity landscape, it is also important for organisations to regularly review their IT security posture. For example, ports on servers that hold high volumes of personal data and/or highly sensitive personal data should not be exposed to the internet unless there is a clear need. If a port such as the RDP Port must be kept open, organisations should institute measures to secure incoming RDP connections, such as restricting the source addresses that may connect, requiring a VPN, enforcing strong passwords and enabling account lockout.
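The two controls discussed above, detecting the password-guessing pattern the attacker used and the anti-hammering (account lockout) feature the PDPC refers to, can be illustrated on log data. The following is an added example written for this article; it is not code from the PDPC decision or from HMI Institute. It replays a constructed set of records shaped like Windows Security events 4625 (failed logon) and 4624 (successful logon) with LogonType 10 (RemoteInteractive, i.e. RDP); every timestamp, account name and IP address in it is invented. The detector flags a source that fails five RDP logons within a sliding 60-second window, and the lockout simulation shows how the same burst would have been cut off under a five-attempt lockout policy.

```python
"""RDP brute-force detection and account-lockout simulation over Security log events.

Added example for this article, not code from the PDPC decision or HMI Institute.
Records are constructed to resemble Windows Security events 4625/4624 with
LogonType 10 (RDP); all timestamps, accounts and IP addresses are invented.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <EventID> <account> <LogonType> <source IP>"
SAMPLE_EVENTS = [
    "2019-12-04T01:00:00 4625 Administrator 10 203.0.113.7",   # early probing, then a pause
    "2019-12-04T01:00:05 4625 Administrator 10 203.0.113.7",
    "2019-12-04T01:00:10 4625 Administrator 10 203.0.113.7",
    "2019-12-04T02:10:01 4625 Administrator 10 203.0.113.7",   # guessing burst begins
    "2019-12-04T02:10:03 4625 Administrator 10 203.0.113.7",
    "2019-12-04T02:10:06 4625 Administrator 10 203.0.113.7",
    "2019-12-04T02:10:08 4625 Administrator 10 203.0.113.7",
    "2019-12-04T02:10:11 4625 Administrator 10 203.0.113.7",   # 5th failure inside 60 s
    "2019-12-04T02:10:14 4625 Administrator 10 203.0.113.7",
    "2019-12-04T02:10:17 4625 Administrator 10 203.0.113.7",
    "2019-12-04T02:10:20 4624 Administrator 10 203.0.113.7",   # password guessed
    "2019-12-04T08:30:00 4625 jtan 10 198.51.100.20",          # a user mistyping twice
    "2019-12-04T08:30:09 4625 jtan 10 198.51.100.20",
    "2019-12-04T08:30:20 4624 jtan 10 198.51.100.20",
    "2019-12-04T09:00:00 4625 svc_backup 3 192.0.2.15",        # LogonType 3 (network), not RDP
]

RDP_LOGON_TYPE = 10
FAILED_LOGON, SUCCESSFUL_LOGON = 4625, 4624


def parse_event(line):
    ts, event_id, account, logon_type, src_ip = line.split()
    return {"ts": datetime.fromisoformat(ts), "event_id": int(event_id),
            "account": account, "logon_type": int(logon_type), "src_ip": src_ip}


def detect_rdp_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Sliding-window detector: flag (source IP, account) pairs with at least
    `threshold` failed RDP logons inside `window`.  Returns the time each pair
    first crossed the threshold.  Failures older than the window are dropped,
    so the three probes at 01:00 do not count toward the 02:10 burst."""
    recent = defaultdict(deque)
    first_alert = {}
    for ev in (parse_event(l) for l in lines):
        if ev["event_id"] != FAILED_LOGON or ev["logon_type"] != RDP_LOGON_TYPE:
            continue
        key = (ev["src_ip"], ev["account"])
        q = recent[key]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:   # q is never empty here: the newest entry stays
            q.popleft()
        if len(q) >= threshold and key not in first_alert:
            first_alert[key] = ev["ts"]
    return first_alert


def simulate_lockout(lines, threshold=5, lockout=timedelta(minutes=30),
                     reset_after=timedelta(minutes=30)):
    """Replay the same events under an account-lockout (anti-hammering) policy
    modelled on the Windows settings: lock an account after `threshold` bad
    passwords, reject every attempt (right or wrong password) for `lockout`,
    and reset the bad-password counter once `reset_after` passes without a
    failure.  Returns one outcome per event: "failed", "success" or "blocked"."""
    bad_count = defaultdict(int)
    last_failure, locked_until, outcomes = {}, {}, []
    for ev in (parse_event(l) for l in lines):
        acct, ts = ev["account"], ev["ts"]
        if acct in locked_until and ts < locked_until[acct]:
            outcomes.append("blocked")     # lockout rejects the attempt outright
            continue
        if acct in last_failure and ts - last_failure[acct] > reset_after:
            bad_count[acct] = 0
        if ev["event_id"] == FAILED_LOGON:
            bad_count[acct] += 1
            last_failure[acct] = ts
            if bad_count[acct] >= threshold:
                locked_until[acct] = ts + lockout
                bad_count[acct] = 0
            outcomes.append("failed")
        else:
            bad_count[acct] = 0
            outcomes.append("success")
    return outcomes


if __name__ == "__main__":
    for (ip, acct), when in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(f"ALERT {when:%H:%M:%S}: {ip} guessing password of {acct}")
    for line, outcome in zip(SAMPLE_EVENTS, simulate_lockout(SAMPLE_EVENTS)):
        print(f"{outcome:8} {line}")
```

On this constructed data the detector raises its alert at the fifth failure (02:10:11), nine seconds before the guessed password is accepted, and the lockout policy turns that acceptance into a rejected attempt. Two practical caveats: a sliding window keyed on source and account misses attackers who rotate addresses or spray one password across many accounts, so production detection should also count failures per account and per server; and on older Windows versions the built-in Administrator account is exempt from the lockout policy unless the newer "Allow Administrator account lockout" setting is available and enabled, which is one more reason not to expose an administrator account over RDP at all.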
Organisations should also note that they are subject to the mandatory data breach notification regime under the amended PDPA. Having suffered a ransomware attack, an organisation must consider whether the attack falls within the scope of a notifiable data breach, even if it believes that no personal data was exfiltrated. Organisations may still be in breach of the protection obligation for failing to institute reasonable security arrangements to address the risk of ransomware. When in doubt, organisations are advised to approach a professional.
As work-from-home continues to be the default arrangement, organisations must be cognisant of the increasing risks associated with ransomware. In this new normal, organisations have to grapple with a broader attack surface, with employees conducting business from their home networks. For most organisations, this raises the tension between usability, cost and cybersecurity when adopting ICT security measures.
In order to address the risk of ransomware in the new normal, and ensure that an organisation meets its regulatory obligations under the PDPA, we have set out some practical tips below:-