Case Details
- Citation: [2024] SGPDPC 2
- Court: Personal Data Protection Commission
- Date: 2024-04-17
- Judges: Wong Huiwen Denise, Deputy Commissioner
- Plaintiff/Applicant: -
- Defendant/Respondent: CH Offshore Ltd.
- Legal Areas: Data Protection – Protection obligation
- Statutes Referenced: Personal Data Protection Act 2012
- Cases Cited: [2024] SGPDPC 2
- Judgment Length: 18 pages, 3,191 words
Summary
In this case, the Personal Data Protection Commission (PDPC) found that CH Offshore Ltd. (the "Organisation") had breached its data protection obligations under the Personal Data Protection Act 2012 (PDPA). The Organisation had failed to implement reasonable security arrangements to prevent unauthorised access and disclosure of personal data in its possession, leading to a ransomware attack that compromised the personal data of over 5,900 individuals.
The PDPC determined that the Organisation's lack of proper network segmentation, access controls, and periodic security reviews contributed to the security lapses that allowed the threat actor to gain access to the Organisation's systems and exfiltrate sensitive personal data. The PDPC ordered the Organisation to take various remedial actions to strengthen its data protection practices and prevent similar incidents in the future.
This case highlights the importance for organisations to maintain robust cybersecurity measures and conduct regular security assessments to fulfil their data protection obligations under the PDPA. It also underscores the need for organisations to exercise proper oversight over their IT vendors and ensure that security responsibilities are clearly defined and executed.
What Were the Facts of This Case?
CH Offshore Ltd. is an owner-operator and ship manager of offshore support vessels for the offshore marine oil and gas sector. On 3 April 2023, the Organisation filed a Data Breach Notification with the PDPC regarding a ransomware attack on its servers on or about 28 March 2023. The attack led to a loss of access to the Organisation's shared drives and the encryption of files containing personal data.
Investigations revealed that the files had been encrypted by a ransomware-as-a-service threat known as "ALPHV" (also known as "BlackCat"). The investigation found suspicious virtual private network (VPN) connections, suggesting that the threat actor most likely gained access to the Organisation's network using two VPN accounts, one belonging to an employee and the other to its outsourced IT vendor.
The PDPC's investigation uncovered several security lapses that could have contributed to the incident, including: (1) the Organisation's firewall had not been patched since December 2021 and was exposed to multiple vulnerabilities; (2) the Organisation had a high-risk IT infrastructure without proper network segmentation and access controls; (3) Remote Desktop Protocol (RDP) was enabled on all servers without proper firewall rules; (4) multi-factor authentication was not implemented for remote access VPNs; and (5) employees were given local administrator rights on their laptops, which allowed the threat actor to disable the endpoint security software.
The personal data compromised in the incident included sensitive information such as names, addresses, NRIC numbers, passport numbers, health records, and financial details of 5,906 employees, ex-employees, next-of-kin, board directors, and stakeholders.
What Were the Key Legal Issues?
The key legal issue in this case was whether the Organisation had breached its data protection obligations under section 24 of the Personal Data Protection Act 2012 (PDPA). Section 24(a) of the PDPA requires organisations to "protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks".
The PDPC had to determine whether the Organisation had failed to implement reasonable security arrangements to protect the personal data in its possession, leading to the unauthorised access and disclosure of such data during the ransomware attack.
How Did the Court Analyse the Issues?
The PDPC found that the Organisation had breached its data protection obligations under section 24 of the PDPA. The PDPC noted that the Organisation had admitted to the facts and its breach of the PDPA, as it had voluntarily provided the information and unequivocally admitted to the facts under the PDPC's Expedited Breach Decision Procedure.
The PDPC highlighted several key security lapses that contributed to the Organisation's failure to make reasonable security arrangements to protect the personal data in its possession:
1. Outdated firewall firmware: The Organisation's firewall had not been patched since December 2021 and was exposed to multiple vulnerabilities, which the Organisation could have addressed through a proper patch management process.
2. Inadequate network segmentation and access controls: The Organisation's IT infrastructure lacked proper network segmentation and access control measures, allowing unrestricted access within the network and increasing the risk of unauthorised access to personal data.
3. Lack of multi-factor authentication: The Organisation did not implement multi-factor authentication for remote access VPNs, including for user accounts with high-level system access. Multi-factor authentication could have prevented the threat actor from gaining access using the compromised VPN credentials alone.
4. Failure to conduct periodic security reviews: The PDPC found that the Organisation had failed to conduct reasonable periodic security reviews, which would have allowed it to detect and address the various security issues that contributed to the incident.
The PDPC acknowledged that the Organisation had outsourced its IT maintenance to a vendor, but held that the Organisation remained responsible for ensuring the vendor's proper delivery of the specified services. The PDPC emphasised that organisations must exercise reasonable oversight over their vendors to ensure that security responsibilities are clearly defined and executed.
What Was the Outcome?
Based on the findings, the PDPC determined that the Organisation had breached its data protection obligations under section 24 of the PDPA. The PDPC ordered the Organisation to take various remedial actions to strengthen its data protection practices, including:
- Hardening its perimeter firewall and implementing multi-factor authentication for remote access VPNs
- Conducting periodic vulnerability assessments and penetration testing
- Tightening its identity and access management, such as enforcing an enhanced password policy and implementing multi-factor authentication for privileged accounts
- Installing endpoint detection and response solutions and implementing managed detection and response or managed security services
- Ensuring that all active systems are updated with the latest patches and replacing outdated applications and operating systems
- Implementing measures to prevent lateral movement and unauthorised changes within the network
- Conducting employee training on cybersecurity best practices, such as phishing awareness
- Obtaining the Cyber Essentials certification
The PDPC's orders aimed to ensure that the Organisation takes appropriate steps to address the security vulnerabilities that led to the data breach and implement robust data protection measures to prevent similar incidents in the future.
Why Does This Case Matter?
This case is significant for several reasons:
1. It underscores the importance of organisations fulfilling their data protection obligations under the PDPA by implementing reasonable security arrangements to safeguard the personal data in their possession. The PDPC's findings highlight the specific security measures that organisations should have in place, such as regular software patching, network segmentation, access controls, and multi-factor authentication.
2. The case emphasises the need for organisations to conduct regular security reviews and assessments, even when they have outsourced IT maintenance to third-party vendors. Organisations remain responsible for the security of the personal data in their possession and must exercise proper oversight over their vendors to ensure that security responsibilities are adequately met.
3. The remedial actions ordered by the PDPC provide a useful reference for organisations on the types of measures they should consider implementing to strengthen their data protection practices and prevent similar data breaches in the future.
4. This decision serves as an important precedent for the PDPC's interpretation and application of the data protection obligations under the PDPA, particularly in the context of cybersecurity incidents involving the unauthorised access and disclosure of personal data.
Legislation Referenced
- Personal Data Protection Act 2012
Cases Cited
- [2024] SGPDPC 2
- [2017] PDP Digest 133 (Re Smiling Orchid (S) Pte Ltd)
Source Documents
This article analyses [2024] SGPDPC 2 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.