Tuesday, July 6, 2021

The Rise and Rise of Ransomware | Dentons

Introduction

Due to the COVID-19 pandemic, more and more companies have moved their operations online and let their employees work from home. From a cybersecurity perspective, this expands the potential attack surface available to malicious hackers by increasing the number of devices used to run business operations. The larger attack surface, coupled with more sophisticated methods used by hackers, increases the risk of businesses falling victim to ransomware – a type of malware that encrypts and blocks access to the victim’s data until the requested ransom is paid.

In some ransomware attacks, no data is exfiltrated or removed from the company. But even if no data is exfiltrated, companies can still breach their protection obligation under Singapore’s Personal Data Protection Act (PDPA). This is an important learning point from the recent Personal Data Protection Commission decision in Re HMI Institute of Health Sciences Pte. Ltd. [2021] SGPDPC 4.

Brief facts

The HMI Institute had collected personal data from its employees and from the participants in its training courses. The personal data was stored on a file server protected by a firewall that blocked all connections to the server except those through the standard port used for the Remote Desktop Protocol (the RDP port). The HMI Institute kept the RDP port open to allow quick remote access to the server for recovery and maintenance work.

On December 4, 2019, the server suffered a ransomware attack that encrypted the personal data of around 110,080 participants and 253 employees. The personal data affected included names, NRIC numbers, and financial information.

An expert report found that the attacker had probably discovered the open RDP port. The attacker then used a brute force attack to obtain the password of the server’s administrator account and thereby gained access to the server.

Decision

The PDPC found that the HMI Institute had breached its obligation to protect personal data by failing to take adequate security measures to protect the personal data on the server against the risk of unauthorised access, modification and removal, for the following reasons:

  1. The HMI Institute had not adequately regulated remote access to the server. It lacked sufficiently robust processes to secure remote access to the server via the RDP port, which it had kept permanently open for over four years.
  2. The HMI Institute had failed to enforce proper password management policies. Although the HMI Institute had adopted a password policy whose requirements matched the standards recommended by the PDPC, the policy was not followed in practice.
  3. The HMI Institute allowed multiple users to share the credentials of the administrator account, even though that password was the only access control in place.

Although no personal data was exfiltrated and all affected personal data was recovered, the HMI Institute had therefore breached its obligation under section 24 of the PDPA. After considering all relevant factors in the case, the PDPC imposed a financial penalty of S$35,000 on the HMI Institute.

Case comment

  • The lack of data exfiltration does not necessarily mean that an organization cannot violate the PDPA.

The PDPC reviews the security arrangements an organisation has put in place on a holistic basis. This includes assessing access management for servers (whether business-critical or otherwise), password management policies, and the range of other security measures a company can take to protect data (e.g. anti-hammering functions that lock out or slow down repeated failed logins).

  • Regular review of the IT security status required

Given the evolving cybersecurity landscape, it is also important for companies to regularly review their IT security posture. For example, all ports on servers that hold large volumes of personal data and/or highly sensitive personal data should remain closed. Where ports have to be kept open, organisations should take steps to secure incoming RDP connections.

  • Organizations need to determine whether the data breach is a reportable breach, even if no data appears to have been extracted

Organisations should also note that they are subject to the mandatory data breach notification regime under the amended PDPA. After a ransomware attack, a company must assess whether the attack amounts to a notifiable data breach, even if it believes that no personal data has been exfiltrated. Organisations may still be in breach of the protection obligation because they failed to take adequate security measures to reduce the risk of ransomware. When in doubt, organisations are advised to consult a professional.

Practical tips for the new normal

As working from home remains the default, organisations need to be aware of the increasing risks associated with ransomware. With the new normal of work-from-home arrangements, companies have to deal with a broader attack surface in which employees conduct business from their home networks. For most organisations, this heightens the tension between ease of use, cost and cybersecurity when adopting ICT security measures.

To reduce the risk of ransomware in the new normal and to ensure that a company meets its regulatory obligations under the PDPA, we have put together some practical tips below:

  1. Technical measures: As the attack surface expands, it is important for companies to adopt strong technical measures to mitigate the risk of ransomware. For example, organisations should regularly review RDP connections, check logs for unusual activity, require strong authentication methods, and implement defence-in-depth measures.
  2. Organisational measures: Organisations should also ensure that they have a contingency plan or incident response plan in place in case a ransomware attack does occur. The amended PDPA requires organisations to notify the PDPC within three calendar days of determining that a data breach is a notifiable data breach. Since time is short, it is advisable for an organisation to prepare such documentation during “peacetime”.
  3. People measures: The PDPC’s decisions regularly show that people are the weakest link in data protection. It is therefore very important that employees are trained in cyber hygiene. For example, employees should keep their work and personal email accounts and devices separate wherever possible. In addition, regular training should be conducted to help employees recognise phishing or malicious emails. Employees should also verify emails from purported senders, especially if they contain unusual instructions.
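The first tip above asks organisations to check logs for unusual activity around RDP. As an added illustration (not code from the article, from Dentons or from the PDPC decision), the script below scans constructed Windows-style logon records for the pattern the decision describes: a burst of failed logons against an administrator account from one source, followed by a successful logon from the same source. The line format, the event IDs (4625 failed logon, 4624 successful logon, logon type 10 for RDP), the thresholds and the sample lines are all assumptions made for this example.

```python
"""Detect RDP password-guessing bursts in logon records.

Added example, not part of the original article. Assumed record format:
'<ISO timestamp> <event_id> <logon_type> <user> <source_ip>', where
4625 = failed logon, 4624 = successful logon and logon type 10 = RDP.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines: six failures against 'administrator' from one
# address within a minute, then a success from the same address, followed
# by an ordinary user who mistypes a password once and then logs in.
SAMPLE_LOG = """\
2019-12-04T01:00:01 4625 10 administrator 203.0.113.7
2019-12-04T01:00:02 4625 10 administrator 203.0.113.7
2019-12-04T01:00:03 4625 10 administrator 203.0.113.7
2019-12-04T01:00:04 4625 10 administrator 203.0.113.7
2019-12-04T01:00:05 4625 10 administrator 203.0.113.7
2019-12-04T01:00:06 4625 10 administrator 203.0.113.7
2019-12-04T01:00:09 4624 10 administrator 203.0.113.7
2019-12-04T08:15:00 4625 10 jlee 192.0.2.20
2019-12-04T08:15:30 4624 10 jlee 192.0.2.20
"""

FAIL_THRESHOLD = 5          # failures from one source that count as a burst
WINDOW = timedelta(minutes=5)  # sliding window over which failures are counted


def parse_line(line):
    """Split one record into (timestamp, event_id, logon_type, user, source)."""
    ts, event_id, logon_type, user, src = line.split()
    return datetime.fromisoformat(ts), int(event_id), int(logon_type), user, src


def detect_rdp_bruteforce(log_text, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return alerts for RDP logon activity that looks like password guessing.

    Alert kinds:
      'burst'               - at least `threshold` failed RDP logons from one
                              source inside `window` (raised once per source)
      'success_after_burst' - a successful RDP logon from a source that has
                              already triggered a burst alert
    """
    recent = defaultdict(deque)   # source -> timestamps of recent failures
    flagged = set()               # sources that already raised a burst alert
    alerts = []
    for line in log_text.strip().splitlines():
        ts, event_id, logon_type, user, src = parse_line(line)
        if logon_type != 10:      # only remote-interactive (RDP) logons
            continue
        failures = recent[src]
        if event_id == 4625:
            failures.append(ts)
            # drop failures that fell out of the sliding window
            while failures and ts - failures[0] > window:
                failures.popleft()
            if len(failures) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append({"kind": "burst", "source": src, "user": user,
                               "count": len(failures), "time": ts})
        elif event_id == 4624 and src in flagged:
            alerts.append({"kind": "success_after_burst", "source": src,
                           "user": user, "count": len(failures), "time": ts})
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_LOG):
        print(alert)
```

The single mistyped password from the second source is never flagged, which is the point of counting failures over a window rather than alerting on every 4625 event; a "success_after_burst" alert is the one that should page someone, since it is exactly the sequence that preceded the encryption in the HMI Institute case.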

Dentons Rodyk thanks intern Lee Lyi Shyuenn for her contributions to this article.



source https://collegeeducationnewsllc.com/the-rise-and-rise-of-ransomware-dentons/
