The Tripartite Alliance Limited (TAL), an organisation that oversees the Tripartite Alliance for Fair and Progressive Employment Practices (TAFEP), was fined $29,000 over a data breach in which data was hacked and accessed in 2020.
TAFEP handles its clients’ employment system database and also provides mediation and counsel in employment-related disputes.
Over 12,000 individuals and 8,000 companies were affected by this incident. Their data, including all details of employment-related complaints and disputes and other personal data, was accessed by hackers in 2020. Experts said that the data could be used in phishing emails or to drop ransomware that would lock up digital files until a ransom payment is made.
In April 2021, the Personal Data Protection Commission (PDPC) decided to fine TAFEP for the data breach and stated that a database holding highly confidential information, such as employment and personal information, would be expected to have a high level of security to prevent any unauthorised access.
The PDPC further mentioned that TAL reported to the Commission about a ransomware infection in its server hosting the client system database, TAFEP, on 3 March 2020. The system was unavailable on 17 February 2020 for three hours as the company tried to restore it. The security logs subsequently showed that there were hacking attempts on the system database server between 7 and 14 February 2020.
TAL claimed that the organisation had been using security monitoring services for TAFEP clients’ system since June 2019 and had taken prompt action in response to the incident. TAL also said that it had carried out an investigation and monitored the system over the past year and found no sign of hackers stealing data. There was also no request for ransom payment since the incident. Nonetheless, the PDPC is of the view that the damage had been done because the security arrangements for the data were inadequate and the data had not been encrypted, which made it vulnerable to exposure.
After the incident, TAL took steps to protect the entire system from infection and reset the passwords of all users in the system. The company reviewed and strengthened the management of all its third-party IT service providers and began to closely monitor the system on a weekly basis.