Law Society ordered to improve IT security after personal data of 16,000 members stolen in 2021 ransomware attack

SINGAPORE — The Law Society of Singapore (LawSoc) has been ordered to plug any information technology (IT) security gaps after a January 2021 ransomware attack on its servers risked leaking the personal data of 16,009 members.

In a judgement published on Thursday (May 11), the Personal Data Protection Commission (PDPC) said that the society had negligently breached Section 24 of the Personal Data Protection Act by using an easy-to-guess password.

The password “Welcome2020lawsoc” had been used for LawSoc's administrative account, which was compromised during the attack.

The society also did not change the account's password at "reasonable intervals" and failed to conduct periodic security reviews in the three years leading up to the incident, PDPC said. 

Members' names, residential addresses, dates of birth and national identity card numbers were obtained during the attack on Jan 27, 2021. 

However, there was no evidence that this data was misused in any event and it was not "of a higher sensitivity", such as financial or medical information, the commission added.

"Other data items were also affected but they are either in the nature of business contact information or publicly available information." 

PDPC directed the society to engage qualified security service providers to conduct a thorough security audit, provide the full report to it within 60 days, as well as rectify any security gaps identified. 

The culprit behind the attack had gained access to LawSoc's IT administrator account and used it to create a new one with full administrative privileges.

The person then installed malware on the society's servers, causing some files to be encrypted illegally.  

The attack was detected on the same day by malware detection software used by LawSoc and it took immediate steps to remove the new administrator account and restore servers to their original state, PDPC said. 

Investigations also revealed that there was a vulnerability in the virtual private network (VPN) system, developed by cybersecurity company Fortinet, which could be exploited to gain access to credentials if left unpatched. 

LawSoc had engaged Fortinet to provide IT support services.

PDPC found that the culprit could have obtained the credentials of the compromised account from a file posted in online forums around November 2020. 

The file had contained more than 45,000 session links and internet provider addresses for the VPN system of affected organisations, including LawSoc's. 

Without patching the VPN system, each session link would reveal its users' credentials including their passwords in plain text. 

However, given the technical nature of software patching and that the society had put in place a system to monitor Fortinet's activities, PDPC concluded that it was "reasonable" for the society to rely on Fortinet to perform the patching.

Thus, it concluded that LawSoc had not breached Section 24 of the Personal Data Protection Act in this aspect. 

In a press statement on Friday, LawSoc said that it will fully comply with PDPC's directions. 

It added that it has taken a number of steps to enhance its cybersecurity infrastructure in the two years since the incident, including implementing multi-factor authentication for all VPN access and strengthening its in-house IT team to deal with cybersecurity matters.