Singapore – CH Offshore, an offshore vessel operator and ship manager, has been fined $18,000 following a ransomware attack in 2023 that compromised the personal data of 5,906 individuals, including employees and their next-of-kin.
The breach, detected on March 29, 2023, revealed that the health and financial information of 1,425 seamen employed by CH Offshore was accessed by hackers. The attack was first noticed when employees found themselves unable to access shared drives. Prompt action was taken to disconnect affected servers and initiate an investigation, which uncovered that files had been encrypted by ransomware.
The investigation revealed that hackers had exploited two remote virtual private network (VPN) connections—one belonging to an employee and the other to an outsourced IT vendor. Details on how these VPN accounts were accessed remain unclear, but the investigation highlighted several security lapses, including the absence of multi-factor authentication for VPN access and unrestricted administrator rights on employee laptops.
Approximately 2.38TB of data, including personal information of former employees, board directors, and stakeholders, was transferred through the compromised VPN connections. In response, CH Offshore notified affected individuals, hired cybersecurity experts, and conducted a network scan to remove any remaining malware.
The Personal Data Protection Commission (PDPC) found that CH Offshore failed to implement adequate security measures, such as up-to-date firewall firmware and regular security reviews. Initially, the firm was ordered to pay a $27,000 fine. However, after CH Offshore presented arguments for a reduced penalty, the fine was lowered to $18,000.
