Cyber Attack Alert: Several firms fined $75k for personal data lapses affecting 630,000 people.

Various companies have been fined a total of $75,000 for violations and lapses that have affected the personal information of more than 630,000 people, including their names, contact numbers, and, in a few cases, financial data.

This included the data of 98,000 Singapore Armed Forces (SAF) and Ministry of Defence (Mindef) service members, exposed in a 2019 breach caused by a well-known vulnerability that healthcare training provider HMI Institute of Health Sciences had deliberately left unaddressed for more than four years.

HMI was fined $35,000 for this incident, according to a judgment issued by the Personal Data Protection Commission (PDPC).

The incident affected the personal information of more than 110,000 people in total, including 250 employees of HMI.

The hackers, who used ransomware to lock up the data and demanded payment for its release, had access to the salary details, Central Provident Fund information and bank account numbers of some HMI staff.

HMI did not pay the ransom.

PDPC also found other lapses, including the use of a simple password shared between HMI’s IT administrator and at least three people at its information technology solutions provider.

There was also no two-factor authentication or any other measures to protect the account further.

The affected personal data was recovered, as most of it was in backup files. There was no specific evidence that the data was leaked.

Besides HMI, PDPC also recently fined three other companies.

E-commerce solutions and Web design firm Webcada was fined $25,000 for a ransomware attack the previous year that affected the personal data of 520,000 people, all customers of online shopping websites the firm had designed. The information included names and order histories.

The ransomware was uploaded to the firm’s servers through the tools used to manage those servers remotely. Webcada did not pay the ransom.

There was no evidence of the data being stolen, and the data was retrieved from backups.

  • $35 thousand: the fine imposed on healthcare training provider HMI Institute of Health Sciences for the 2019 ransomware attack affecting more than 110,000 people.
  • $8 thousand: the fine imposed on ST Logistics, which provides logistics services to the Government and the defence and commercial sectors, for an incident in 2019 affecting 2,400 Mindef and SAF personnel.
  • $25 thousand: the fine imposed on Web design and e-commerce solutions firm Webcada for a ransomware attack last year involving 520,000 people.
  • $7 thousand: the fine imposed on the Singapore branch of technology consulting and digital solutions firm Larsen & Toubro Infotech for lapses between 2016 and last year, affecting 13 past job candidates.

ST Logistics, which provides logistic services to the Government and the defence and commercial sectors, was fined $8,000 for an incident in 2019 where hackers could have accessed the personal data of 2,400 Mindef and SAF personnel.

It happened after some of the organization’s laptops were infected with malware from e-mails.

Finally, tech consulting and digital solutions company Larsen & Toubro Infotech’s Singapore branch was fined $7,000 after data from the forms of 13 past job applicants was disclosed by ten staff members to 74 other applicants via e-mail between 2016 and last year. The information included salary details and any criminal records.

In the HMI incident, the training provider decommissioned the server and alerted most of the affected people after it learned of the attack. The company also took measures such as adopting a password management policy and permanently blocking remote IT support procedures.

HMI had alerted PDPC on Dec 7, 2019, of the ransomware attack on its file server three days earlier.

Among the locked-up files were those with the personal data of participants of the company’s courses and its employees. Most of the individual data files were password-protected.

According to past reports, there were 110,000 affected participants, of whom about 98,000 were SAF servicemen who took part in cardiopulmonary resuscitation and automated external defibrillation courses.

In 2019, it was reported that HMI had been providing Mindef staff and soldiers with such training for the past three years.

PDPC stated that the bulk of the affected participants had only their names and NRIC numbers stored on the file server involved, but some of them had other details stored there as well.

The ransomware got into the server because the firm had left a well-known remote-access port open so that its IT vendors could connect to manage the server.

There was a single administrator account to access the server, which could be done through the open port.

The log-in details were shared between HMI and the vendor, which, according to PDPC, should generally not happen.

The account’s password did not meet recommended rules to make it complex, stated PDPC.

The same weakness applied to the passwords protecting files that contained personal data.

Another issue: All HMI’s passwords had an acronym for the firm’s name, which PDPC said made them easy to guess.

Sure enough, a cyber-security company engaged by HMI found that the hackers likely discovered the open port in the server after a random search for vulnerabilities. They possibly then used brute force to crack the account password and access the server.
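The findings above, a shared administrator password that was not complex and that embedded the firm's acronym, are the kind of thing a password policy check can reject before an account is ever exposed on an open port. The checker below is an added illustration, not anything from HMI or PDPC; the organisation terms, minimum length and sample passwords are constructed assumptions.

```python
from __future__ import annotations
import re

# Constructed example: "hmi" stands in for the organisation acronym that PDPC
# found inside every HMI password. The actual passwords are not on the page.
ORG_TERMS = ("hmi", "hmiinstitute")
MIN_LENGTH = 12  # assumed policy value, not a figure from the judgment

# Common digit/symbol substitutions a guesser tries on name-based passwords,
# so "Hm1" or "HM!" still counts as containing "hmi".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def contains_org_term(password: str, terms=ORG_TERMS) -> bool:
    """True if the password embeds the organisation's name or acronym,
    ignoring case and simple substitutions (e.g. 'hm1' -> 'hmi')."""
    normalised = password.lower().translate(LEET)
    letters_only = re.sub(r"[^a-z]", "", normalised)
    return any(t in normalised or t in letters_only for t in terms)


def check_password(password: str, terms=ORG_TERMS) -> list:
    """Return the list of policy violations; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Require at least three of: lowercase, uppercase, digit, other symbol.
    classes = [re.search(r"[a-z]", password),
               re.search(r"[A-Z]", password),
               re.search(r"\d", password),
               re.search(r"[^A-Za-z0-9]", password)]
    if sum(1 for c in classes if c) < 3:
        problems.append("fewer than three character classes")
    if contains_org_term(password, terms):
        problems.append("contains the organisation's name or acronym")
    return problems


if __name__ == "__main__":
    for candidate in ("HMI2019!", "Hm1-Admin-2019", "correct horse battery staple 42"):
        print(repr(candidate), "->", check_password(candidate) or "OK")
```

Unlike a complexity rule on its own, the acronym check catches the "company name plus year" pattern PDPC described as easy to guess, even when letters are swapped for look-alike digits.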
