Case Details
- Citation: [2023] SGPDPC 9
- Court: Personal Data Protection Commission
- Date: 2023-09-04
- Judges: Lew Chuen Hong, Commissioner
- Plaintiff/Applicant: -
- Defendant/Respondent: Tokyo Century Leasing (Singapore) Pte. Ltd.
- Legal Areas: Data Protection – Protection Obligation
- Statutes Referenced: Advisory Guidelines on Key Concepts in the Personal Data Protection Act, Personal Data Protection Act, Personal Data Protection Act 2012
- Cases Cited: [2017] SGPDPC 14, [2019] SGPDPC 26, [2021] SGPDPC 11, [2022] SGPDPC 3, [2023] SGPDPC 4, [2023] SGPDPC 9
- Judgment Length: 13 pages, 2,765 words
Summary
In this case, the Personal Data Protection Commission (PDPC) investigated Tokyo Century Leasing (Singapore) Pte. Ltd. (the Organisation) for a ransomware attack that resulted in the encryption of personal data belonging to 141,412 individuals. The PDPC found that the Organisation failed to implement reasonable security arrangements to protect the personal data, in breach of the Personal Data Protection Act 2012 (PDPA). The key failures were the Organisation's lack of regular monitoring for software patches, absence of processes to manage software patches and upgrades, and failure to implement multi-factor authentication for administrator accounts.
What Were the Facts of This Case?
The Organisation is a leasing and hire-purchase company that operates a website for customers to submit applications. On 12 June 2022, a customer informed the Organisation that he was unable to submit an online application. The Organisation's internal investigation revealed that 7 servers and 6 employee computers had been infected with ransomware, resulting in the encryption of personal data belonging to 141,412 individuals.
The encrypted data included names, NRIC numbers, dates of birth, addresses, contact numbers, income statements, email addresses, employer information, bank accounts, passport numbers, and employment pass numbers of 111,156 customers, 30,220 guarantors, and 36 employees. The ransomware note instructed the Organisation to contact the attackers to obtain the decryption key, failing which the data would be leaked. The Organisation did not respond to the ransom note.
Investigations by the Organisation and the PDPC found that the likely cause of the incident was that the attackers had exploited a known vulnerability (CVE-2018-13379) in the Organisation's outdated FortiGate VPN and firewall device. The device had been using version 6.0.4 of the FortiOS software, which had the vulnerability, and the patch released by the manufacturer in May 2019 had not been installed by the Organisation. The Organisation also did not have multi-factor authentication implemented for its administrator accounts at the time of the incident.
What Were the Key Legal Issues?
The key legal issue was whether the Organisation had breached the protection obligation under section 24 of the PDPA. Section 24 requires organisations to protect personal data in their possession or under their control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, or disposal.
The PDPC had to assess the reasonableness of the Organisation's security arrangements, taking into account the volume and sensitivity of the personal data involved, and the possible impact of a data breach. The PDPC also had to consider the Organisation's specific failures in implementing appropriate security measures.
How Did the Court Analyse the Issues?
The PDPC noted that the affected personal data (the Subject Data) comprised a large volume of sensitive personal data, including names, NRIC numbers, bank account information, and income statements of 141,412 individuals. Given the nature of this data, there was a heightened risk of identity theft and financial loss, which called for a higher standard of security arrangements.
The PDPC found that the Organisation failed to implement reasonable security arrangements in three key areas:
1. Failure to conduct regular monitoring for software patches: The PDPC highlighted that the Organisation had been using the outdated FortiOS version with the known vulnerability for almost 3 years, even though the patch had been available since May 2019. The Organisation admitted that it was unaware of the patch and did not conduct regular monitoring for software updates.
2. Failure to implement processes to manage software patches and upgrades: The PDPC noted that the Organisation relied on its IT vendor to handle software patching, but did not have any contractual requirements for the vendor to conduct regular monitoring. The Organisation also failed to have its own processes in place to manage software patches and upgrades.
3. Failure to implement multi-factor authentication for administrator accounts: The PDPC found that the lack of multi-factor authentication for the Organisation's administrator accounts was a significant security weakness that allowed the attackers to gain access to the personal data.
Based on these findings, the PDPC concluded that the Organisation had failed to make reasonable security arrangements to protect the personal data, in breach of section 24 of the PDPA.
What Was the Outcome?
The PDPC did not impose any financial penalty on the Organisation, as it had voluntarily provided and admitted to the facts, and taken prompt remedial actions after the incident. These actions included reporting the incident to the authorities, engaging an external call centre to assist affected individuals, patching the vulnerability, changing administrator passwords, and implementing multi-factor authentication.
However, the PDPC emphasised the importance of organisations regularly monitoring for software patches, implementing robust processes to manage software updates, and using multi-factor authentication as basic security measures to protect personal data. The PDPC's decision serves as a reminder to all organisations handling sensitive personal data to review and strengthen their data protection practices.
Why Does This Case Matter?
This case highlights the critical importance of organisations implementing reasonable security arrangements to protect personal data, as required under the PDPA. The PDPC's decision underscores that a failure to regularly monitor for software vulnerabilities, manage software patches and upgrades, and use multi-factor authentication can constitute a breach of the protection obligation.
The case is significant as it provides clear guidance on the PDPC's expectations regarding an organisation's data protection practices. It reinforces the PDPC's previous decisions emphasising the need for regular ICT monitoring, vulnerability testing, and proactive software patch management. The decision also demonstrates the PDPC's willingness to hold organisations accountable for security lapses that expose large volumes of sensitive personal data to risks of identity theft and financial loss.
This case serves as an important precedent for organisations handling sensitive personal data. It highlights the need for them to review and strengthen their data protection practices, particularly in the areas of software patch management and access controls, to ensure compliance with the PDPA and avoid potential regulatory action.
Legislation Referenced
- Advisory Guidelines on Key Concepts in the Personal Data Protection Act
- Personal Data Protection Act
- Personal Data Protection Act 2012
This article analyses [2023] SGPDPC 9 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.