A recent decision of the Personal Data Protection Commission (“PDPC”) illustrates how compliance with the data protection obligations under the Personal Data Protection Act is assessed when an organisation suffers a ransomware attack.
On 3 December 2020, Giordano Originals (s) Pte Ltd (“Giordano”) notified the PDPC that its network had been accessed without authorisation and that ransomware had been deployed on both its operating system and its server (the “Incident”). The Incident had taken place on or around 12 July 2020.
As a result of the Incident, the personal data of Giordano’s employees and of its members was compromised. The employees’ personal data consisted of their names, NRIC (identity card) numbers, addresses, gender, age, phone numbers, e-mail addresses, qualifications and salary information. The members’ personal data consisted of their names, phone numbers and dates of birth (without the birth year). Giordano did not detect any suspicious activity within its Singapore network, nor any impact beyond that network. The intrusion was most likely carried out using information obtained through phishing.
The PDPC found that, before the Incident, Giordano had already put in place preventive measures consistent with the PDPC’s Handbook, which sets out recommendations on guarding against malware and phishing attacks. Giordano had deployed several security solutions, supplemented by real-time monitoring of web traffic for suspicious activity. It had also carried out regular system checks and applied updates prior to the Incident.
Critically, Giordano had ensured that its data was backed up automatically and at regular intervals, one of the key recommendations in the PDPC’s Handbook. In addition, Giordano had encrypted the personal data it held using the RSA algorithm, an industry-standard algorithm, protected by a passphrase. The personal data taken in the ransomware attack was therefore unreadable without the corresponding key and passphrase. Two points are worth separating here: encryption at rest protects the confidentiality of data that is copied or exfiltrated, while it is the backups that protect availability once ransomware has encrypted or destroyed the live copy. The PDPC stated that the appropriate use of industry-standard encryption would count in an organisation’s favour when assessing its compliance with the Protection Obligation, or at least as a persuasive mitigating factor should the PDPC take the view that a breach of that obligation had occurred.
Following the Incident, Giordano promptly implemented additional measures to contain the breach and reduce its impact. These included, among others, training staff to recognise and handle phishing attempts, carrying out security reviews, and introducing further monitoring and controls against such data breaches. There was no evidence that any of the encrypted personal data had been decrypted. Giordano was also able to fully restore the affected personal data from its backups.
The Deputy Commissioner for Personal Data Protection was satisfied that Giordano had complied with its data protection obligations, and accordingly no further enforcement action was taken against Giordano.