Firms fined $75k for personal data lapses affecting 630,000 people

Those hit included 98,000 Mindef staff, SAF servicemen whose data was exposed in 2019

Several companies have been fined a total of $75,000 for breaches and lapses that affected the personal data of more than 630,000 people, including their names, contact numbers and, in some cases, financial information.

This included the data of 98,000 Ministry of Defence (Mindef) staff and Singapore Armed Forces (SAF) servicemen exposed during a breach in 2019 due to a well-known vulnerability knowingly left open for more than four years by healthcare training provider HMI Institute of Health Sciences.

HMI was fined $35,000 for the incident, according to a judgment issued by the Personal Data Protection Commission (PDPC) last Thursday.

The incident affected the data of more than 110,000 people in total, including 250 HMI employees.

Some HMI staff had their salary details, Central Provident Fund information and bank account numbers accessed by hackers, who used ransomware to lock up the data unless money was paid to them.

HMI did not pay the ransom.

PDPC also found other lapses, including the use of a simple password shared between HMI's IT administrator and at least three employees of its information technology solutions provider.

There was also no two-factor authentication or other measures to further protect the account.

The personal data affected was recovered as it was mostly in back-up files. There was no evidence that the data was stolen.

Besides HMI, PDPC also fined three other companies recently.

Web design and e-commerce solutions firm Webcada was fined $25,000 for a ransomware attack last year affecting the personal data of 520,000 people, who were customers of online shopping websites that it designed for clients. The data included names and order histories.

The ransomware was uploaded to the firm's servers through tools for remotely managing servers. The ransom was not paid.

There was no evidence of data being stolen, and the affected data was restored from back-ups.

  • $35k

    Fine imposed on healthcare training provider HMI Institute of Health Sciences for 2019 ransomware attack affecting more than 110,000 people.

    $8k

    Fine imposed on ST Logistics, which provides logistic services to the Government as well as the defence and commercial sectors, for a 2019 incident affecting 2,400 Mindef and SAF personnel.

    $25k

    Fine imposed on Web design and e-commerce solutions firm Webcada, for a ransomware attack last year affecting 520,000 people.

    $7k

    Fine imposed on technology consulting and digital solutions company Larsen & Toubro Infotech's Singapore branch for lapses between 2016 and last year affecting 13 past job applicants.

ST Logistics, which provides logistic services to the Government as well as the defence and commercial sectors, was fined $8,000 for a 2019 incident in which the personal data of 2,400 Mindef and SAF personnel could have been accessed by hackers.

It happened after some of the organisation's laptops were infected with malware from e-mails.

Finally, technology consulting and digital solutions company Larsen & Toubro Infotech's Singapore branch was fined $7,000 after data from 13 past job applicants' forms was disclosed by 10 staff to 74 other job applicants via e-mails from 2016 to last year. The data included salary information and any criminal records.

For the HMI incident, the training provider decommissioned the server and alerted most of the affected people after it learnt of the attack. The company also took steps like adopting a password management policy and permanently blocking remote access for IT support procedures.

HMI had alerted PDPC on Dec 7, 2019 of the ransomware attack on its file server three days earlier.

Among the files locked up were those with the personal data of participants of the company's courses, as well as its employees. Most of the personal data files were password-protected.

There were 110,000 affected participants, of whom about 98,000 were SAF servicemen who attended cardiopulmonary resuscitation and automated external defibrillation courses, going by past reports.

In 2019, it was reported that HMI had been providing Mindef staff and soldiers with such training since 2016.

PDPC said the bulk of the affected participants had only their names and NRIC numbers stored on the file server that was hit. But some had other details like their employment histories on it.

The ransomware got into the server as HMI allowed a well-known port for remote access to be left open so its IT vendor could access it to manage the server.

There was one administrator account to access the server, which could be done via the open port.

The account log-in details were shared between HMI and the vendor, which PDPC said should generally not be done.

The account's password also did not meet recommended rules to make it complex, said PDPC.

This affected passwords for files containing personal data too.

Another issue: HMI's passwords had an acronym of the firm's name in them, which PDPC said made them easy to guess.

Sure enough, a cyber-security company engaged by HMI found that the hackers likely discovered the open port in the server after a random search for vulnerabilities. They possibly then used brute force to crack the account password and access the server.

A version of this article appeared in the print edition of The Straits Times on June 15, 2021, with the headline 'Firms fined $75k for personal data lapses affecting 630,000 people'. Subscribe