Case Details
- Citation: [2024] SGPDPCS 2
- Court: Personal Data Protection Commission
- Date: 2024-04-22
- Judges: Not specified
- Plaintiff/Applicant: Not specified
- Defendant/Respondent: Payroll2U Pte. Ltd.
- Legal Areas: Data Protection – Protection obligation
- Statutes Referenced: Personal Data Protection Act, Personal Data Protection Act 2012
- Cases Cited: [2024] SGPDPCS 2
- Judgment Length: 8 pages, 1,298 words
Summary
In this decision, the Personal Data Protection Commission (the "Commission") found that Payroll2U Pte. Ltd. (the "Organisation") breached the protection obligation under the Personal Data Protection Act 2012 ("PDPA") by failing to implement reasonable access controls to safeguard the personal data of its client's employees. The breach arose from a ransomware attack on the Organisation's servers, which resulted in the exfiltration and disclosure of 5,640 employees' personal data, including sensitive information such as bank account numbers and salary details.
The Commission determined that the Organisation's lapses, including providing local administrator rights to employees, failing to implement multi-factor authentication, and lacking effective incident response measures, contributed to the breach. As a result, the Commission imposed a financial penalty of $4,000 on the Organisation to ensure compliance and deter future non-compliance with the PDPA.
What Were the Facts of This Case?
Payroll2U Pte. Ltd. is a payroll service provider that offers payroll outsourcing services and online payroll Software as a Service (SaaS) solutions. On 27 March 2023, the Commission was notified by the Organisation that the personal data of its client's employees had been posted on a ransomware leak site. The leak arose from a ransomware attack on the Organisation's servers around 29 December 2022 (the "Incident").
The Organisation received extortion emails from a threat actor identified as a LockBit affiliate on 16 January 2023. The Organisation immediately conducted an internal investigation and engaged an external forensics investigator to investigate the Incident and undertake remedial actions. The investigation revealed that a total of 81.95 GB of data had been exfiltrated in the Incident and posted on the dark web. The personal data of 5,640 employees from the Organisation's client was affected, including their full name, bank account number, salary information, NRIC number, address, date of birth, and email address.
The investigations further revealed that the unauthorised activity had occurred from 29 December 2022 to 16 January 2023, with a single compromised account used for Remote Desktop Protocol (RDP) access to five servers in the Organisation's AWS environment. Once connected to the internal network, the threat actor gained unauthorised access to the developer's drive and the company's shared drive, both of which were mapped to the compromised account, and through them to the affected personal data.
What Were the Key Legal Issues?
The key legal issue in this case was whether the Organisation had breached the protection obligation under the PDPA by failing to implement reasonable access controls to safeguard the personal data of its client's employees.
Specifically, the Commission had to determine whether the Organisation's security measures, including the use of local administrator rights, lack of multi-factor authentication, and absence of effective incident response, were sufficient to meet the PDPA's protection obligation requirements.
How Did the Court Analyse the Issues?
The Commission found that the Organisation had failed to implement reasonable access controls to protect the personal data in its possession. While the investigation acknowledged the existence of proactive cybersecurity controls, the Commission determined that the Organisation had stored the affected personal data, including sensitive information such as bank account numbers and salary details, on unsecured internal shared drives.
The Commission noted that the Organisation should have adopted additional access controls beyond the baseline of password protection, given the volume and sensitivity of the personal data handled. The Commission highlighted that the Organisation had the option of implementing frontend access controls, such as multi-factor authentication, at least for users with remote access to the more sensitive data. The Commission also suggested that the Organisation could have implemented backend access controls, such as restrictive allocation of administrator-level rights and network segmentation, to ensure that sensitive personal data was only accessible on a need-to-know basis.
The Commission referenced its Guide to Data Protection Practices for ICT Systems, which states that access control privileges should be restricted and defined based on the user roles and rights to data. The Commission found that the Organisation failed to assess whether the developer in question needed account access rights to the personal data affected in the Incident.
Additionally, the Commission noted that the Organisation had failed to prevent non-administrator employees from installing software and changing security settings. This allowed the compromised user to reformat their laptop, install an unlicensed Windows operating system, and remove Symantec Endpoint Protection, ultimately leading to the ransomware attack.
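The controls the Commission points to in this section (share access allocated on a need-to-know basis by role, restrictive allocation of local administrator rights, and multi-factor authentication for remotely accessible accounts) can be expressed as a periodic access review. The Python script below is an added illustration and is not part of the decision or of the Organisation's systems; the roles, data classes, share names and account records are all constructed, and the policy table is an assumed example of a role-to-data mapping.

```python
"""Least-privilege access review over a constructed account and share inventory.

Added illustration: account names, share names, roles and data classes are
constructed and do not describe any real system.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Share:
    name: str
    data_classes: frozenset  # kinds of data held on the share


@dataclass
class Account:
    name: str
    role: str
    local_admin: bool      # member of the local Administrators group
    remote_access: bool    # holds an RDP / VPN entitlement
    mfa_enrolled: bool
    mapped_shares: list = field(default_factory=list)


# Assumed need-to-know policy: the data classes each role may reach.
POLICY = {
    "developer": frozenset({"source_code", "test_data"}),
    "payroll_ops": frozenset({"payroll", "bank_details"}),
    "it_admin": frozenset({"source_code", "test_data", "payroll", "bank_details"}),
}
# Roles for which local administrator rights are considered justified.
ADMIN_ROLES = {"it_admin"}


def review_account(acct, shares_by_name, policy=POLICY, admin_roles=ADMIN_ROLES):
    """Return a list of findings for one account.

    Finding kinds:
      excess_share   - a mapped share holds data the account's role does not need
      local_admin    - local admin rights held by a non-admin role
      remote_no_mfa  - remote access entitlement without MFA enrolment
    """
    findings = []
    allowed = policy.get(acct.role, frozenset())
    for share_name in acct.mapped_shares:
        share = shares_by_name[share_name]
        excess = share.data_classes - allowed
        if excess:
            findings.append(("excess_share", acct.name, share_name,
                             tuple(sorted(excess))))
    if acct.local_admin and acct.role not in admin_roles:
        findings.append(("local_admin", acct.name))
    if acct.remote_access and not acct.mfa_enrolled:
        findings.append(("remote_no_mfa", acct.name))
    return findings


def review_all(accounts, shares):
    """Run review_account over every account in the inventory."""
    by_name = {s.name: s for s in shares}
    findings = []
    for acct in accounts:
        findings.extend(review_account(acct, by_name))
    return findings


# Constructed inventory: a developer drive and a shared drive holding payroll data.
SHARES = [
    Share("dev_drive", frozenset({"source_code", "test_data"})),
    Share("company_shared", frozenset({"payroll", "bank_details"})),
]
ACCOUNTS = [
    Account("dev.alice", "developer", local_admin=True, remote_access=True,
            mfa_enrolled=False, mapped_shares=["dev_drive", "company_shared"]),
    Account("payroll.bob", "payroll_ops", local_admin=False, remote_access=True,
            mfa_enrolled=True, mapped_shares=["company_shared"]),
]


def sample_findings():
    """Findings for the constructed inventory above."""
    return review_all(ACCOUNTS, SHARES)


if __name__ == "__main__":
    for finding in sample_findings():
        print(finding)
```

Run as-is, the script reports three findings, all against the constructed developer account: a payroll share mapped outside its role's need-to-know, local administrator rights without an administrative role, and a remote-access entitlement with no MFA. The payroll operator, whose share mapping matches the policy and who is MFA-enrolled, produces none. Real inventories would be fed from the directory service and file-server ACLs rather than the inline lists used here.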
What Was the Outcome?
Based on the findings, the Commission determined that the Organisation had breached the Protection Obligation under the PDPA. The Commission decided that a financial penalty was appropriate given the Organisation's role as a payroll service provider and the sensitive nature of the personal data involved.
In determining the appropriate financial penalty amount, the Commission considered the relevant factors listed in the PDPA, including the impact of the personal data breach on the affected individuals and the nature of the Organisation's non-compliance. The Commission also took into account the Organisation's turnover to arrive at a proportionate and effective penalty to ensure compliance and deter future non-compliance.
Ultimately, the Commission required the Organisation to pay a financial penalty of $4,000 within 30 days, failing which interest would accrue on the outstanding amount until the penalty was paid in full. The Commission noted that it considered the Organisation's cooperation during the investigation, its voluntary admission of the breach under the Expedited Decision Procedure, and the fact that this was the Organisation's first instance of non-compliance with the PDPA as mitigating factors in determining the final penalty amount.
Why Does This Case Matter?
This case is significant as it highlights the importance of implementing reasonable access controls to protect personal data, particularly for organizations that handle sensitive information such as payroll data. The Commission's decision underscores the need for organizations to go beyond basic password protection and implement robust access control measures, including multi-factor authentication and restrictive allocation of administrator-level rights, to safeguard personal data.
The case also serves as a reminder to organizations that they must have effective incident response and management controls in place to detect and respond to unauthorized access and data breaches in a timely manner. The Commission's emphasis on the need for organizations to assess user access rights and restrict non-administrative employees from installing unauthorized software on company devices is a valuable lesson for data protection compliance.
This decision sets an important precedent for the Personal Data Protection Commission's approach to enforcing the protection obligation under the PDPA. It demonstrates the Commission's willingness to impose financial penalties on organizations that fail to implement appropriate security measures, even in the absence of actual harm or damage to the affected individuals. This decision sends a clear message to organizations that they must take their data protection obligations seriously and invest in robust security controls to protect the personal data in their possession.
This article analyses [2024] SGPDPCS 2 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.