Singapore firms fined $75,000 for personal data lapses affecting over 600,000 people

Hackers had used ransomware to lock up the data unless money was paid to them.
Hackers had used ransomware to lock up the data unless money was paid to them.PHOTO: ST FILE

SINGAPORE - Several companies have been fined a total of $75,000 for breaches and lapses that have affected more than 600,000 people's personal data, including their names and contact numbers, and, in some cases, financial information.

This included the data of 98,000 Ministry of Defence staff and Singapore Armed Forces servicemen exposed during a breach in 2019 due to a well-known vulnerability that was knowingly left open for more than four years by healthcare training provider HMI Institute of Health Sciences.

HMI was fined $35,000 for the incident, according to a judgment issued by the Personal Data Protection Commission (PDPC) last Thursday (June 10).

The incident affected the data of more than 110,000 people in total, including 250 HMI employees.

Some HMI staff had their salary details, Central Provident Fund information and bank account numbers affected.

Hackers had used ransomware to lock up the data unless money was paid to them. HMI did not pay the ransom. 

PDPC also uncovered other data protection lapses, including the use of a single, simple password shared between HMI’s IT administrator and at least three other employees of its information technology solution service provider. 

There was also no two-factor authentication or other measures to further protect the account from unauthorised log-ins.

The personal data affected was recovered as it was mostly in back-ups files. There was no evidence the data was stolen too.

Besides HMI, PDPC also fined three other companies recently.

Web design and e-commerce solutions firm Webcada was fined $25,000 for a ransomware attack last year affecting the personal data of 520,000 people, who were customers of online shopping websites that the company designed for its clients.

The affected personal data comprised their names, phone numbers, dates of birth, addresses and order histories.

The ransomware had been uploaded to the company's database servers through tools used for remotely monitoring and managing servers. The ransom was not paid.

There was no evidence of data being stolen and the affected data was restored from back-ups.

ST Logistics, which provides logistical services to the Government as well as the defence and commercial sectors, was fined $8,000 for a 2019 incident in which the personal data of 2,400 Mindef and SAF staff could have been accessed by hackers.

It happened after some of the organisation's laptops were infected with malware from e-mails sent to the company.

Finally, technology consulting and digital solutions company Larsen and Toubro Infotech's Singapore branch was fined $7,000 after the data from 13 past job applicants' forms was disclosed by 10 company employees to 74 other job applicants through e-mails from 2016 to 2020.

The data included salary information, past employment history, medical health status and any criminal records.

For the HMI incident, the training provider decommissioned the server and delinked it from its network and the Internet after it learnt of the attack.

It alerted most of the affected people it was able to, as well as the authorities.

The training company adopted an internal password management policy and permanently blocked remote access for IT support procedures. For devices with personal data, it also delinked them from the Internet.

HMI had alerted PDPC on Dec 7, 2019, of the ransomware attack on its file server three days earlier.

Among the files locked up were those with the personal data of participants of the company’s courses, as well as its employees. Most of the personal data files, but not all, were password-protected.

There were 110,000 affected participants, of whom about 98,000 were SAF servicemen who attended cardiopulmonary resuscitation and automated external defibrillation courses, going by past reports. 

In 2019, it was reported that HMI had been providing Mindef staff and soldiers with such training since 2016.

PDPC said the bulk of the affected participants only had their names and NRIC numbers stored on the file server that was hit. But some would also have other details on it like their employment histories, dates of birth, contact numbers and e-mail addresses.

The ransomware got into the server as HMI allowed a well-known port for remote access to be left open so that its IT solution provider could access it without being physically present to manage the server and troubleshoot issues.

There was only one administrator account to access the server, which could be done through the open port. 

The account log-in details were shared between HMI and the IT vendor, which PDPC said should generally not be done. Although this did not play a role in the attack, the commission cited how it “created an additional risk factor”.

The account’s password also did not meet recommended rules to make it complex, said PDPC. In general, a complex password should have at least eight characters, containing at least one alphabetical letter and one number.

This affected passwords used to secure the files containing personal data too.

Another problem: HMI’s passwords had an acronym of the organisation’s name in them, which PDPC said made them easy to guess and vulnerable to brute-force attacks. In such attacks, hackers guess a password by testing a large number of different password combinations, usually with software.

Sure enough, a cyber-security company engaged by HMI found that the hackers likely discovered the open port in the server after a random search for vulnerabilities. They likely then used brute force to crack the administrator account password.

With the details, the hackers could then access the server through the open port and run the ransomware.

“The organisation’s failure to put in place reasonable security measures put the personal data in (its) possession and/or control at risk of exposure for more than four years,” said the commission.