Another day, another data breach.
This time, around 360 of popular sushi chain Genki Sushi’s current and former employees have been affected.
The Personal Data Protection Commission (PDPC)’s investigation into a ransomware attack that happened last September revealed that the compromised server was an “off-the-shelf software application” that let employees view electronic payslips and let supervisors confirm staff attendance.
The compromised data is said to include the names of employees, their NRIC and Foreign Identity Numbers, bank account information, salary details, mobile phone numbers, and names of relatives.
Investigations also showed that Genki Sushi did not have a firewall for the server, but even after installing one, it still “failed to configure the firewall to filter out external threats”.
Wrote PDPC: “In other words, the server’s firewall was ineffective at filtering out any external threats.”
“For a server that held sensitive personal data, the security measures implemented by the organisation were inadequate.”
Genki Sushi also admitted that it did not conduct periodic penetration tests in the 12 months before the attack, and “could not produce any evidence it had done any patching” during the same period.
For breaching the Personal Data Protection Act (PDPA), Genki Sushi was fined S$16,000, and said that it has since tightened its security by “replacing the affected server, encrypting its software’s database, engaging an external vendor to monitor its network and server logs as well as to assist with updating and patch management for the server”.