Keppel Telecommunications and Transportation, Academy of Medicine S’pore fined for data leaks

Keppel Telecommunications & Transportation (KTT) has been fined $120,000 after it failed to delete personal data from a server of a business it sold in 2022, which was then hacked.

The Personal Data Protection Commission (PDPC) said in a decision, published online on Aug 2, that the personal data, which belonged to about 22,659 people, was at risk of being accessed without permission and being leaked.

The affected people included employees and former employees of KTT and its subsidiaries, KTT’s shareholders when it was listed on the Singapore Exchange, and those who had business or commercial dealings with the company.

Evidence of the data leak emerged when a ransomware group published nine encrypted files on the Dark Web, along with what it claimed to be a list detailing the encrypted files’ contents. This was linked to up to 7,184 individuals’ personal data stored in the affected server.

However, KTT was unable to confirm whether the encrypted files contained all the personal data stored in the affected server, the PDPC noted.

The signatures, images of identification cards and bank account numbers of some people were in the leaked data.

The PDPC said this exposed certain people to greater risks of identity theft or financial losses.

Investigations revealed that an unknown entity had infiltrated the affected server on Sept 5, 2022, through a compromised account of a vendor for the server’s owner, Geodis Logistics Singapore (GLS), which had been divested from KTT some two months prior.

The PDPC revealed that KTT had failed to delete the personal data from the affected server after migrating the data to cloud-based storage in 2020, and before it sold the business in 2022.

In deciding whether KTT should be fined, the commission said it recognised that the company took prompt actions to lessen the impact of the incident, and to prevent its recurrence.

KTT was also cooperative in PDPC’s investigations, and admitted to the facts of the decision and the company’s contraventions, the commission said.

However, PDPC noted that KTT’s data protection processes had “systemic shortcomings”, citing the company’s “long period of non-compliance” that amounted to more than two years, among other things. The commission also considered factors such as the potential impact on people whose data was compromised, and KTT’s turnover, in deciding on the amount of the financial penalty.

In 2022, KTT told The Straits Times that the breach did not involve or affect any of its existing IT systems or infrastructure.

Separately, the Academy of Medicine Singapore was fined $9,000 for a data breach that resulted in personal data being posted on the Dark Web. The academy is a professional institution providing postgraduate medical education and specialist training here.

In a decision released on Aug 2, the PDPC said personal data from the academy had been uploaded on the Dark Web, including credit card information of over 1,000 people.

It noted that bank account details and credit card numbers with security codes and expiry dates had been stored in clear text without password protection or encryption.

The academy informed the PDPC that leaked data affected 6,574 current and former members, participants of events, activities or in-training examinations that it organised or administered, and they were affected to different extents.

It first discovered malware in its servers on July 13, 2023.

The hacker had accessed six servers and a staff computer, before deploying malicious tools that could harvest credentials within folders and disarm antivirus and threat detection software, said the PDPC.

Apart from data leaked on the Dark Web, a total of 4.4 terabytes worth of files in the academy’s servers were encrypted because of ransomware.

In September 2023, ST reported that the leaked data was uploaded by a Russian-based ransomware gang, which is one of the most notorious groups in the cyber-criminal space.

The investigation revealed several lapses by the academy, including the fact that its firewall software had not been patched for about two years before the breach, leaving it vulnerable to cyber attacks.

In deciding the financial penalty, the PDPC considered various mitigating factors, such as the academy’s voluntary admission that it had breached its obligation to protect personal data by making reasonable security arrangements.

In addition to the fine, the PDPC directed the academy to report its completion of remedial actions, which includes deleting any card security codes that it has stored.

Source: Straits Times © SPH Media Limited. Permission required for reproduction.

Keppel Telecommunications & Transportation Ltd [2024] SGPDPC 3

Academy of Medicine Singapore [2024] SGPDPCS 4

Hatten Land files application for judicial management; trading in shares suspended Eateries and charities can soon donate unsold food without worry if safety rules are met