2 firms fined S$43,000 in total over personal data breaches affecting Mindef, SAF personnel

• The two firms were third-party vendors, the HMI Institute of Health Sciences and ST Logistics
• The affected data included names, NRIC numbers, addresses, email addresses and telephone numbers
• One incident affected 2,400 Mindef and SAF personnel, while the other affected 98,000 SAF servicemen

SINGAPORE — The HMI Institute of Health Sciences and ST Logistics have been fined S$35,000 and S$8,000 respectively, after two separate malware incidents in 2019 led to the breach of personal data of thousands of personnel from the Ministry of Defence (Mindef) and the Singapore Armed Forces (SAF).

Both firms were third-party vendors. The affected data included names, National Registration Identity Card (NRIC) numbers, addresses, email addresses and telephone numbers.

There is no evidence that any of the data was ultimately leaked.

The Personal Data Protection Commission (PDPC), which levied the fines, released its written decisions on Thursday (June 10).

Organisations that violate the Personal Data Protection Act can currently face a financial penalty of up to S$1 million.

Under amendments to the Act that were passed in Parliament in November last year, the maximum amount that a company can be fined for a data breach was increased to either 10 per cent of its annual turnover in Singapore or S$1 million, whichever is higher.

This will take effect no earlier than Feb 1 next year, according to the PDPC’s advisory guidelines on enforcement of data protection provisions.

HMI INCIDENT

HMI Institute had discovered a file server to be encrypted by ransomware on Dec 4, 2019.

The institute was contracted by the SAF to conduct cardiopulmonary resuscitation and automated external defibrillator training for Mindef and SAF personnel.

HMI Institute hired a cybersecurity company to investigate the incident, which found no evidence that the data was extracted from the server.

The ransomware encrypted and denied access to various files, including those that contained the personal data of about 110,080 people who participated in HMI Institute’s training courses and 253 employees.

Among the affected individuals were 98,000 SAF servicemen who attended the courses. They had only their names and NRIC numbers stored on the server.

HMI Institute owned the server but it was maintained by its appointed IT solution service provider.

The PDPC said in its judgement that HMI Institute’s failure to implement reasonable security measures put the personal data at risk for more than four years — from the time the server was set up in 2014 till it was disconnected from the internet after the incident.

It had also failed to implement proper password management policies.

Nevertheless, the PDPC noted as mitigating factors that HMI Institute took prompt remedial actions.

This included decommissioning the server without paying the ransom, notifying all the affected individuals it could — about 95 per cent — and implementing steps to prevent the incident from happening again.

ST LOGISTICS INCIDENT

In ST Logistics’ case, some of its employees fell for a phishing attack involving malicious malware sent to their email accounts in October 2019.

This led to the breach of personal data of 2,400 Mindef and SAF personnel, all of whom were notified by Mindef through text messages by late December 2019.

ST Logistics was contracted to provide logistics services such as eMart retail and equipping services for Mindef and SAF personnel.

ST Logistics raised some factors in arguing for a reduced financial penalty, such as a low risk of harm arising from the incident as the data was limited to email addresses, and no evidence that any of the data was leaked.

The PDPC said that in deciding to reduce the fine, it had “carefully considered the representations” and taken into account ST Logistics’ co-operation and prompt responses to the commission’s queries.

The PDPC did not state in its judgement what the original financial penalty would have been.

Its investigations revealed that ST Logistics had failed to conduct periodic security reviews to detect vulnerabilities in its IT systems.

This meant that the anti-virus software installed on employees’ laptops, which could have blocked and removed the malicious malware, was not updated. The laptops had not been properly configured to receive updates.

Some of the affected employees also did not have an advanced endpoint protection solution software, which detects newly released forms of malware, installed on their laptops.

Last year, the Cyber Security Agency of Singapore reported 47,500 cases of phishing in Singapore in 2019, almost triple the number of cases in 2018.