A recent decision highlights the need to implement reasonable security measures in database servers to safeguard against personal data breaches.
On 11 March 2021, Trinity Christian Centre (the “Organisation”) reported a data breach involving ransomware to the Personal Data Protection Commission (“PDPC”). The Organisation sought to expedite proceedings, readily acknowledging the facts and admitting to its breach of section 24 of the Personal Data Protection Act 2012 (the “Act”, as revised).
The data breach compromised the data of 72,285 people, including personal particulars, contact details, qualifications and medical status. The Organisation discovered that its easily accessible, transparent remote desktop portal enabled access to certain administrator accounts, and in turn, the Organisation’s network and database, resulting in a ransomware hijack that prevented access to databases. The Organisation reinstated the databases that were compromised, but had not been removed, from its back-up system.
The Organisation acknowledged that (i) it could have put distinct access measures in place (different logins) to safeguard the databases; and (ii) the unlawful access to its network was via an administrator account that had been given to an IT vendor. The Organisation understood that it did not impose or set out the data protection measures for the vendor.
The Organisation informed its church members of the data breach and replaced login details and administrator passwords, removed open portals, and confined login ability to servers and work desks. In addition, a comprehensive security check was carried out and live threat screening as well as reaction measures were implemented.
The PDPC found that with innovative phishing activities, it was important to take the additional step of safeguarding the integrity of backend databases. Further, the PDPC referred to its Guide to Managing Data Intermediaries, which states that organisations that hire IT vendors should expressly set out the need or obligation to safeguard personal data in the contract for service (as opposed to just a general confidentiality clause).
The PDPC weighed up the aggravating factors (large number of persons affected, including children), and the type of personal data that was compromised (including medical status) with the mitigating factors (including the Organisation’s ready admission and swift response to the data breach) to determine the appropriate sanction. Accordingly, a fine of $20,000 was imposed.