A new court decision sets precedence for all Singapore organizations where ransomware attacks – even without data exfiltration – may be subject to financial noncompliance penalties.

The interesting thing about court decisions is how they provide some valuable context for the rest of us to learn from – if we choose to pay attention. And while this article is about a Singapore company subject to Singapore law, it does shed some light on how courts may treat cases when going up against either applicable law or even cyberinsurers.

HMI Institute was breached and was the victim of a ransomware attack in December of 2019. It was identified that a standard RDP port was left exposed to the Internet, and was used as the initial attack vector via a brute force logon attack. While no data was exfiltrated, systems were encrypted and operations were halted.

Singapore’s Personal Data Protection Act (PDPA) specifically requires organizations to “make reasonable security arrangements to protect the personal data in the server from the risk of unauthorized access, modification and disposal.”

In the case of HMI Institute of Health Sciences Pte. Ltd. [2021] SGPDPC 4, the courts found that HMI Institute did not demonstrate having the necessary “reasonable security arrangements” due to the fact they were breached.

What this means for Singapore organizations is that “Absence of data exfiltration does not necessarily mean that an organisation cannot be found in breach of the PDPA,” according to the case docket.

Ransomware generally infiltrates an organization via RDP, vulnerabilities or phishing attacks. RDP is easy – shut it off. Vulnerabilities are a bit tougher – patch, scan, and find compensating controls. Phishing can be simple to address with Security Awareness Training that teaches users how to see malicious emails for what they are and avoid interacting with them, thereby stopping an attack in its’ tracks.