Organisation that oversees Tafep fined $29,000 after data of 20,000 people hacked

The hacked data includes names, identification numbers and contact numbers, among others. ST PHOTO: KELVIN CHNG

SINGAPORE - The Tripartite Alliance Limited (TAL), an organisation that oversees the Tripartite Alliance for Fair and Progressive Employment Practices (Tafep) and handles employment disputes, has been fined $29,000 after the data of about 20,000 people was accessed by hackers last year.

The Personal Data Protection Commission (PDPC) said in a recent decision that TAL had failed to put in place "reasonable security arrangements" to prevent the unauthorised access of the data in its customer relationship system database.

Hacked data included names, identification numbers, contact numbers, e-mail addresses, age, race, marital status, salaries and compensation amounts.

Business contact details from company representatives, such as an individual's name, business telephone number or business e-mail address, were affected too.

These records of about 12,000 individuals and 8,000 companies, including company representatives, were provided to Tafep on Feb 14 last year or earlier.

Cyber-security experts have said in the past that such information could be used by cyber criminals to send victims personalised phishing e-mails, allowing them to steal passwords or drop ransomware which locks up digital files until the crooks get paid.

TAL said in a statement that it has been investigating and monitoring the incident in the past year, and there is no evidence hackers had stolen the data.

But the PDPC also noted that the data was not encrypted, which made it vulnerable to exposure.

The commission fined TAL $29,000 based partly on the high number of affected people - 20,000 - and the nature of the compromised data.

"The database contained details of employment-related complaints and disputes," said PDPC. "Individuals would expect a high level of confidence when they convey such matters to the organisation."

But in mitigation, it noted there was no evidence of data theft, and that TAL was upfront and took "prompt remedial actions".

TAL was set up in 2016 by the tripartite partners - the Ministry of Manpower, National Trades Union Congress and Singapore National Employers Federation.

The organisation promotes fair and progressive employment practices, as well as provides mediation and advice in employment-related disputes.

PDPC said in an April 15 decision that TAL informed the commission on March 3 last year that a server hosting its customer relationship management system was infected with ransomware. TAL said Tafep's system was infected on Feb 14 last year.

TAL uses the system to handle employment-related inquiries, feedback and complaints.

The system was not available to users on Feb 17 but its vendor managed to restore it using a backup within three hours.

Investigations later found that the system was hit by a ransomware attack. But TAL said it has yet to receive any ransom payment demands from the perpetrators.

Security logs showed that hacking attempts were made on the system's database server between Feb 7 and 14 last year.

TAL claimed that since June 2019, it had included security monitoring services for the customer relationship management system, such as blocking cyber attacks based on alerts.

"However, there was inadequate process put in place to ensure that the (system's) vendor proactively monitored the alerts and took actions to block malicious activities in a timely manner," said PDPC.

After the incident, TAL said it took steps to prevent the rest of the customer relationship management system from being infected and reset the passwords of all user accounts in the system.

The organisation began to closely monitor the system vendor's information technology (IT) services support weekly, to ensure timely patch updates and follow-ups on security alerts.

TAL also did a review to strengthen its management of all its third-party IT service providers, such as requesting them to conduct cyber-security audits, vulnerability assessment and penetration testing for the organisation's existing IT systems.

It has also decommissioned the affected customer relationship management system.

"We would like to assure companies and individuals that we are committed to ensure the safety and security of our customers' personal data," said TAL.

Anyone who has queries about the incident, or suspects his information has been misused by hackers, can contact Tafep at this website.

Join ST's Telegram channel and get the latest breaking news delivered to you.