Introduction

More organisations have shifted their operations online and have their staff work from home because of the COVID-19 pandemic. From a cybersecurity perspective, this broadens the potential attack surface by nefarious hackers through an increase in the number of devices used to facilitate business operations. The larger attack surface, coupled with more sophisticated methods adopted by hackers, increase the risk of organisations falling prey to ransomware – a type of malware used by hackers to encrypt and block access to the victim’s data until the demanded ransom is paid.

In some instances of ransomware attacks, there may not have been any exfiltration or removal of data from the organisation. However, even where there is no exfiltration of data, organisations may find themselves in breach of their protection obligation under Singapore’s Personal Data Protection Act (PDPA). This is a key learning point in the recent Personal Data Protection Commission decision of HMI Institute of Health Sciences Pte. Ltd. [2021] SGPDPC 4.

Brief Facts

HMI Institute had collected personal data from its employees and the participants of its training courses. The personal data were stored in a file server which was protected by a firewall that blocked all connections to the server except those through a standard port used for the Remote Desktop Protocol (RDP Port). HMI Institute kept the RDP Port open to allow for quick remote access to the server for recovery and maintenance works.

On 4 December 2019, the server suffered a ransomware attack which encrypted the personal data of approximately 110,080 participants and 253 employees. Affected personal data included names, NRIC numbers and financial information.

An expert assessment concluded that the attacker had likely discovered the open RDP Port. Subsequently, the attacker used brute force attacks to obtain the administrator account password for the server, thereby gaining access to it.

Decision

HMI Institute was found to have breached its obligation to protect the personal data as it failed to make reasonable security arrangements to protect the personal data in the server from the risk of unauthorised access, modification and disposal for the following reasons:-

1. HMI Institute did not adequately regulate remote access to the server. It lacked sufficiently robust processes to ensure safe remote access to the server via the RDP Port, which it kept open permanently for more than four years.
2. HMI Institute failed to enforce proper password management policies. Whilst HMI Institute had adopted a password policy setting out guidelines which were consistent with the standards recommended by the PDPC, the policy was not complied with in practice.
3. HMI Institute allowed for the sharing of login credentials for the administrative account among several users despite that being the only access control.

Therefore, even though there was no exfiltration of personal data and all affected personal data were retrieved, HMI Institute had breached its obligation under section 24 of the PDPA. Having considered all the relevant factors of the case, the PDPC imposed a $35,000 financial penalty on HMI Institute.

Case comment

• Absence of data exfiltration does not necessarily mean that an organisation cannot be found in breach of the PDPA.

The PDPC would review and consider the security arrangements that an organisation has instituted on a holistic basis. These include assessing access management to servers (whether mission critical or otherwise), password management policies, or the extent of any other security measures that an organisation may have in place to protect the data (e.g. anti-hammering features).

• Regular review of IT security posture needed

In view of the evolving cybersecurity landscape, it is also important for organisations to regularly review their IT security posture. For example, all ports to servers that contain high volumes of personal data and/or highly sensitive personal data should be kept closed. If it is necessary to keep any ports open, then organisations should institute measures to ensure the security of any incoming RDP connection.

• Organisations must consider if the data breach is a notifiable breach even if no data seems to have been taken

Organisations should also note that they are subject to the mandatory data breach notification regime under the amended PDPA. Having suffered from a ransomware attack, an organisation must consider whether the ransomware attack falls within the scope of a notifiable data breach, even if it thinks that there has been no exfiltration of personal data. Organisations may still be in breach of the protection obligation for failing to institute reasonable security arrangements to address the risk of ransomware. When in doubt, organisations are advised to approach a professional.

Practical tips for the new normal

As work-from-home continues to be the default arrangement, organisations must be cognisant of the increasing risks associated with ransomware. Arising out of the new normal of work-from home arrangements, organisations would have to grapple with a broader attack surface with employees conducting work business from their home networks. For most organisations, this raises the tension between usability, cost, and cybersecurity when adopting ICT security measures.

In order to address the risk of ransomware in the new normal, and ensure that an organisation meets its regulatory obligations under the PDPA, we have set out some practical tips below:-

1. Technical measures: As the attack surface broadens, it is important for organisations to institute strong technical measures to mitigate the risk of ransomware. For example, organisations should regular review RDP connections, log reviews for unusual activities, require strong authentication methodologies, and implement defence-in-depth measures.
2. Organisational measures: Organisations should also ensure that it prepares a drawer plan or incident response management plan in the event that a ransomware occurs. The amended PDPA requires organisations to notify the PDPC within three calendar days once it has been determined that a data breach constitutes a notifiable data breach. Given that time is of the essence, it will serve an organisation well to prepare such documentation during “peacetime”.
3. People measures: The PDPC decisions regularly reveal that people are the weakest link in data protection matters. Therefore, it is very important that employees be given lessons on cyber hygiene. For example, employees should, where possible, keep their work and personal e-mail accounts and devices separate. Regular training should also be conducted to help employees identify phishing or nefarious e-mails. Employees should also verify e-mails from the purported senders, especially if they contain unusual instructions.