PDPC decision on TAFEP’s
Customer Relationship Management system

On 14 Feb 2020, a server hosting the Tripartite Alliance for Fair and Progressive Employment Practices’ (TAFEP) Customer Relationship Management (CRM) system was infected with ransomware.

Upon discovering the incident, TAFEP took immediate measures to prevent the rest of the system from being infected and reset the passwords of all user accounts in the CRM system. TAFEP also filed a police report, and informed the Personal Data Protection Commission (PDPC) and the Singapore Computer Emergency Response Team (SingCERT) about the incident. The PDPC has released a report about this incident on its website.

We have been investigating and monitoring the incident over the past year. We would like to reassure our customers that, based on the conclusions of our investigation, there is no evidence data has been stolen from TAFEP’s CRM system. The PDPC has noted this in its decision.

We have since decommissioned the CRM system and undertaken an organisation-wide review to strengthen our management of all third-party IT service providers, such as requesting these service providers to conduct cybersecurity audits, vulnerability assessment and penetration testing for the organisation’s existing IT systems.

We would like to assure companies and individuals that we are committed to ensure the safety and security of our customers’ personal data. Companies or individuals are advised to contact TAFEP (www.tal.sg/tafep/Contact-Us/PD-Form) if they suspect any misuse of their information arising from this incident or if they have any queries on this incident.

 

FAQS ON TAFEP’S RANSOMWARE INCIDENT

1. About the ransomware incident

  1. On 14 Feb 2020, a server hosting the Tripartite Alliance for Fair and Progressive Employment Practices’ (TAFEP) Customer Relationship Management (CRM) system was infected with ransomware.
  2. Ransomware is a type of malicious software that disables access to a system and demands ransom payment to regain access to the system.
  3. To date, TAFEP has not received any demands for payment from the perpetrators of this incident.

2. Is anyone affected by this incident?

  1. Our investigation of the incident has concluded that there is no evidence of data being stolen from TAFEP’s CRM system.
  2. The records in TAFEP’s CRM system comprises personal data from individuals and business contact information (such as an individual’s name, business telephone number, or business electronic mail address) from company representatives who had provided such information to TAFEP on or before 14 Feb 2020.
  3. Companies or individuals are advised to contact TAFEP (www.tal.sg/tafep/Contact-Us/PD-Form) if they have any concerns regarding their personal/business information or any queries on this incident.

3. What actions have TAFEP taken to mitigate the impact of this incident?

  1. After the incident, TAFEP took immediate measures to prevent the rest of the system from being infected and reset the passwords of all user accounts in the CRM system.
  2. TAFEP also filed a police report, and informed the Personal Data Protection Commission (PDPC) and the Singapore Computer Emergency Response Team (SingCERT) about the incident.
  3. We have since decommissioned the CRM system and undertaken an organisation-wide review to strengthen our management of all third-party IT service providers, such as requesting these service providers to conduct cybersecurity audits, vulnerability assessment and penetration testing for the Organisation’s existing IT systems.

4. What actions, if any, should affected individuals or companies take?

  1. No further action is required from the affected individuals or companies as our investigation of the incident has concluded and has shown that there is no evidence that data was stolen from TAFEP’s CRM system.
  2. Individuals or companies are advised to contact TAFEP (www.tal.sg/tafep/Contact-Us/PD-Form) if they suspect any misuse of their information arising from this incident or if they have any queries on this incident.

5. How does TAFEP collect, use, disclose and retain my personal data?

  1. For more details about TAFEP’s collection, usage, disclosure and retention of personal data, please refer to TAL’s external privacy policy (https://www.tal.sg/tafep/Privacy-Statement).