Offshore vessel firm in S'pore fined S$18k after health and financial info of seamen affected in data breach



SINGAPORE: An offshore vessel firm was fined S$18,000 after a 2023 ransomware attack on its servers allowed hackers to access the personal data of 5,906 people, including employees and their next-of-kin.

Among those affected in the data breach were 1,425 seamen who worked for CH Offshore, whose health information and financial information were compromised, said the Personal Data Protection Commission (PDPC) in a judgment on Thursday (July 4).

CH Offshore is an owner-operator and ship manager of support vessels in the offshore marine oil and gas sector.

The data breach incident was first detected on the morning of March 29, 2023, when employees were unable to access files in the firm’s shared drives.

That prompted CH Offshore to disconnect the affected servers and enlist external vendors to investigate and take action. Investigations then found that the files had been encrypted by ransomware.

Suspicious remote virtual private network (VPN) connections were also detected, suggesting that hackers had gained access to CH Offshore’s network through two VPN connections – one belonging to an employee and the other to an outsourced IT vendor.

It is unclear how the hackers gained access to the two VPN accounts but the judgment said investigations found several lapses that could have contributed to the breach.

These include the lack of multi-factor authentication for all remote access VPNs, as well as employees being given administrator rights on their laptops, which allowed them to install any applications they wanted.

About 2.38TB of data was transferred through the suspicious VPN connections, which included personal data of former employees as well as board directors and stakeholders.

After the incident, CH Offshore informed those affected and engaged a cyber-security expert, as well as a third-party company to conduct reviews.

CH Offshore also performed a scan of its entire network for any remaining malware.

It also agreed to perform several remedial actions, including conducting periodic testing and phishing simulation exercises to train employees.

In its findings, the PDPC said CH Offshore had “failed to have reasonable security arrangements in place to protect the personal data in its possession or under its control”.

Examples it cited included the lack of multi-factor authentication for VPN log-ins, and its firewall firmware, which had not been updated since December 2021.

A firewall is a protective measure that safeguards an individual’s or organisation’s computer network.

CH Offshore also failed to perform “reasonable periodic security reviews” and did not have processes in place that were “sufficiently robust” to protect personal data, the judgment added.

At first, the firm was ordered to pay $27,000, after several mitigating factors were taken into account, the judgment said.

However, CH Offshore sought a lower fine.

Not all the arguments put forth by the firm were accepted but some were seen as valid, which led to a lower fine of $18,000. - The Straits Times/ANN
