Cyberattack That Stole Personal Data of 16,000 Law Society Members, What Was Lacking?

PDPC investigations into a 2021 ransomware attack found poor password practices for the Law Society's administrator account.

 


Law Society members' personal information was leaked through the Law Society of Singapore's VPN. Ransomware headlines are making the rounds; however, the reality is even grimmer. There is a high probability that victims will never see their names in the media, since most of them are willing to pay to resolve the problem. The situation is becoming increasingly dangerous as threats multiply, sophistication increases, and hackers demand more ransoms.

According to the Personal Data Protection Commission (PDPC), ransomware was launched in March through a vulnerability in the Law Society's virtual private network (VPN) system, and more than 16,000 members were affected by the attack.

According to the PDPC's decision, which was published on Thursday (May 11), the society used an easily guessed password for its administrator account, making it an easy target for cybercriminals.  

In addition to the easy-to-guess password, the PDPC investigation concluded that the Society failed to conduct periodic security reviews. The organization must complete an internal audit within 60 days after the event to ensure that no security gaps remain.

The ransomware attack that compromised 16,009 Law Society members has prompted a court order for the society to plug security gaps. There has been a fine of $8,000 levied against the FortyTwo furniture store for a data breach involving customer information.

These were among the findings of the investigation set out in a report that the Personal Data Protection Commission (PDPC) published this Thursday.

LawSoc's administrative account, which was compromised as a result of the attack, had "Welcome2020lawsoc" as the password, which had been used over the years. 

According to PDPC, the society's password for the account had not been changed at "reasonable intervals".

The PDPC's Deputy Commissioner Zee Kin Yeong concluded that many members' personal information was leaked, including their full names, residential addresses, and dates of birth. According to Channel News Asia, the Law Society took prompt remedial action in response to the incident, and there were no signs that any personal data of its members was exfiltrated or misused.

In its latest warning, the Cyber Security Agency of Singapore (CSA) said that ransomware has evolved into a “massive and systemic threat” in the first half of this year. During 2020, 16,117 cybersecurity cases were reported in Singapore and accounted for 43% of all crimes committed in the country. According to the available data, many ransomware attacks are not reported to the authorities, so the number of ransomware attacks in the country is likely to be much higher.

Singapore is facing a growing threat of ransomware. You need to strengthen your defenses against it and develop a response plan as soon as possible.

As the number of ransomware attacks grows, cybercriminals continue to multiply, attract new talent, innovate new malware, and operate with impunity. To mitigate the risks, you need to ensure that your defenses and incident response plan are both at the very top of their game and are constantly evolving. Additionally, the right defensive plan for your organisation will be unique: it will take into account your critical needs, your existing and future defenses, your vulnerabilities, as well as your ethos as an organisation.