PDPC Undertaking by Hiap Seng Engineering Ltd

Hiap Seng Engineering Ltd (the "Organisation") notified the Personal Data Protection Commission (the "Commission") on 14 June 2024 of a data breach incident where its servers were infected by ransomware which encrypted files that contained personal data (the "Incident").

Investigations revealed that a threat actor gained access to the Organisation's network on 11 June 2024 via a firewall VPN device, using a local administrator account credential obtained through exploiting vulnerabilities in the VPN device. Passwords were found stored in the VPN device's configuration file and were encrypted using old encryption methods, which the threat actor was likely able to decrypt.

The Incident affected the personal data of 10,000 individuals, which included employees, ex-employees and contractors, most of which was stored and encrypted by the Organisation in an on-premise payroll software. Types of personal data affected included a combination of name, address, NRIC/FIN number, date of birth, photograph, work permit number, bank account details, telephone number and passport number.

Upon discovery of the Incident, the Organisation took prompt remedial actions, including an update of all account passwords and firewall rules, implementing geo-blocking to allow VPN connectivity from local IP addresses only, implementing two-factor authentication for all accounts on the network, and procuring a new server with up-to-date security features.

Having considered the circumstances of the case, the Commission accepted a voluntary undertaking (the "Undertaking") from the Organisation to improve its compliance with the Personal Data Protection Act 2012 (the "PDPA"). The Undertaking was executed on 1 October 2024.

As part of the Undertaking, the Organisation will be implementing the following:

(a) Train employees on cybersecurity and data protection and raise awareness on best practices and PDPA obligations;

(b) Implement a software for active directory access management;

(c) Implement network segregation and offsite backups;

(d) Implement a disaster recovery plan; and

(e) Conduct periodic vulnerability assessments and penetration testing for all systems' network target vectors.

The Commission will verify the Organisation's compliance with the Undertaking. If the Organisation fails to comply with any terms of the Undertaking, the Commission may issue a direction so as to ensure the Organisation's compliance with the Undertaking.
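One of the remedial actions above is restricting VPN connectivity to local source addresses. The following is an added example, not part of the PDPC notice and not the Organisation's own tooling, of how a defender can review VPN authentication logs against such an allow-list and surface logins (and failed attempts) arriving from outside it. The log line format, the allowed ranges and the sample entries are all constructed for this illustration; a real deployment would substitute the device's actual log format and the organisation's own address blocks.

```python
"""Flag VPN logins that fall outside an allow-list of source ranges (added example).

Assumptions (not from the PDPC notice): the log line format below is constructed,
and the allowed ranges are placeholders for whatever "local" means to a given
organisation (here RFC 1918 space plus one documentation-range public /24).
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed allow-list: private ranges plus a placeholder "local" public block.
ALLOWED_SOURCE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("203.0.113.0/24"),  # TEST-NET-3, standing in for the org's public block
]

# Constructed log format: "<timestamp> vpn: <result> user=<name> src=<ip> role=<role>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) vpn: (?P<result>LOGIN_OK|LOGIN_FAIL) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) role=(?P<role>\S+)$"
)


@dataclass
class Finding:
    ts: str
    user: str
    src: str
    role: str
    reason: str


def is_allowed_source(ip_text: str) -> bool:
    """True if the address parses and falls inside one of the allowed source ranges."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # an unparseable address is never allowed
    return any(ip in net for net in ALLOWED_SOURCE_RANGES)


def review_vpn_log(lines):
    """Return Findings for every auth event whose source is outside the allow-list.

    Failed attempts are reported as well as successes: a burst of failures from a
    non-local address is the precursor a defender wants to see before a credential
    is finally accepted, and administrator logins are called out separately.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not VPN auth events
        src = m["src"]
        if is_allowed_source(src):
            continue
        if m["result"] == "LOGIN_OK":
            reason = "successful login from non-local source"
            if m["role"] == "admin":
                reason = "ADMIN login from non-local source"
        else:
            reason = "failed login from non-local source"
        findings.append(Finding(m["ts"], m["user"], src, m["role"], reason))
    return findings


# Constructed sample log lines (not real data from the Incident).
SAMPLE_LOG = [
    "2024-06-11T01:02:03Z vpn: LOGIN_OK user=payroll01 src=192.168.10.22 role=user",
    "2024-06-11T01:05:10Z vpn: LOGIN_FAIL user=admin src=198.51.100.77 role=admin",
    "2024-06-11T01:05:12Z vpn: LOGIN_FAIL user=admin src=198.51.100.77 role=admin",
    "2024-06-11T01:05:40Z vpn: LOGIN_OK user=admin src=198.51.100.77 role=admin",
    "2024-06-11T01:06:00Z vpn: LOGIN_OK user=hr02 src=203.0.113.9 role=user",
    "garbage line that should be skipped",
]

if __name__ == "__main__":
    for f in review_vpn_log(SAMPLE_LOG):
        print(f"{f.ts} {f.reason}: user={f.user} src={f.src} role={f.role}")
```

Run against the constructed sample, the script reports the two failed and one successful administrator logins from 198.51.100.77 and stays silent on the two in-range sessions. The same allow-list is what the firewall rule itself should enforce; the log review is the check that the rule is actually in effect and that nothing slipped through before it was.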