Hackers accessed info of about 20,000 people but no evidence of data theft found

Senior Tech Correspondent

The Tripartite Alliance Limited (TAL) has been fined $29,000 after the data of about 20,000 people was accessed by hackers last year.

TAL oversees the Tripartite Alliance for Fair and Progressive Employment Practices (Tafep) and handles employment disputes.

The Personal Data Protection Commission (PDPC) said in a recent decision that TAL had failed to put in place “reasonable security arrangements” to prevent the unauthorised access of its customer relationship management system database.

Hacked data included names, identification numbers, contact numbers, e-mail addresses, age, race, marital status, salaries and compensation amounts.

Business contact details from company representatives, such as an individual’s name, business telephone number or business e-mail address, were affected too.

These records of about 12,000 individuals and 8,000 companies, including company representatives, were provided to Tafep on Feb 14 last year or earlier.

Cyber-security experts have said that such data could be used by cyber criminals to send victims personalised phishing e-mails, allowing them to steal passwords or drop ransomware that locks up digital files until the crooks get paid.

TAL said in a statement that it has been investigating and monitoring the incident in the past year, and there is no evidence that hackers had stolen the data.

But the PDPC noted that the data was not encrypted, which made it vulnerable to exposure.

The commission fined TAL $29,000 based partly on the large number of affected people – 20,000 – and the nature of the compromised data.

“The database contained details of employment-related complaints and disputes,” said PDPC. “Individuals would expect a high level of confidence when they convey such matters to the organisation.”

But in mitigation, it noted that there was no evidence of data theft, and that TAL was upfront and took “prompt remedial actions”.

TAL was set up in 2016 by the tripartite partners – the Ministry of Manpower, National Trades Union Congress and Singapore National Employers Federation.

The organisation promotes fair and progressive employment practices, and provides mediation and advice in employment-related disputes.

PDPC said in an April 15 decision that TAL informed the commission on March 3 last year that a server hosting its customer relationship management system was infected with ransomware. TAL said the Tafep system was infected on Feb 14 last year.

TAL uses the system to handle employment-related inquiries, feedback and complaints.

The system was not available to users on Feb 17, but its vendor managed to restore it using a back-up within three hours.

Investigations later found the system was hit by a ransomware attack. But TAL said it has yet to receive any ransom payment demand from the perpetrators.

Security logs showed that hacking attempts were made on the system’s database server between Feb 7 and Feb 14 last year.

TAL claimed that since June 2019, it had included security monitoring services for the customer relationship management system.

“However, there was inadequate process put in place to ensure that the (system’s) vendor proactively monitored the alerts and took actions to block malicious activities in a timely manner,” said PDPC.

TAL said that after the incident, it took steps to prevent the rest of the system from being infected and reset the passwords of all user accounts in the system.

The organisation began to closely monitor the system vendor’s IT services support weekly.

TAL also did a review to strengthen management of all its third-party IT service providers, such as requesting them to conduct cyber-security audits.

It has also decommissioned the affected customer relationship management system.

Anyone who has queries about the incident, or who suspects that his information has been misused by hackers, can contact Tafep at www.tal.sg/tafep/Contact-Us/PD-Form