IT vendor fined over data stolen from 190,000, sold on Dark Web

New Paper, 06-07-2025
IT vendor Ezynetic has been fined $17,500 for failing to protect its clients' data, which resulted in more than 190,000 individuals' personal data being stolen and put up for sale on the Dark Web.
Ezynetic had failed to put in place reasonable security arrangements to protect the personal data in its possession or under its control, the Personal Data Protection Commission (PDPC) said on July 3 via a statement on its website.
At the time of the breach, which Ezynetic uncovered on June 24, 2024, the company was operating an IT system linked to the Moneylenders Credit Bureau platform operated by Credit Bureau Singapore.
Ezynetic's affected clients - previously identified as moneylenders Ban King Credit, Credit 21, Lending Bee, Katong Credit, Credit Thirty3, GS Credit, 1AP Capital, Creditmaster, BST Credit, U Credit, Horison Credit and Credit Matters - would input personal data of their prospective loan applicants and borrowers into the money lending system.
This would allow them to verify the applicants' and borrowers' loan eligibility, generate MLCB credit reports and profit and loss reports, as well as track loans, instalments, collections and payments.
In a judgment, the PDPC said investigations found that a threat actor had exploited a vulnerable web service application to gain access to and control of Ezynetic's system administrator account, and used that account to access the money lending system. After gaining access to the money lending system, the threat actor obtained the personal data of the affected individuals.
The data stolen included a combination of the name, address, e-mail address, telephone number, NRIC number, date of birth and the financial information available in the MLCB credit reports of 190,589 individuals. These individuals were notified of the incident on July 1, 2024.
PDPC, which was informed of the incident on June 26, 2024, said its investigations revealed that Ezynetic had failed to disable or adequately secure the system administrator account, which is often targeted by malicious users.
The account password at the time of the incident, which was p@ssword1 or Password@1, was susceptible to brute force attacks, wherein hackers repeatedly try to gain access to systems by trying different passwords.
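The sketch below is an added example, not taken from the PDPC decision or from Ezynetic's systems. It shows why the two passwords named above pass a typical character-class complexity rule yet should be rejected by a screening step that reduces a password to its base word. The blocklist, substitution table and function names are assumptions made for illustration.

```python
import re

# Constructed, deliberately tiny blocklist (assumption for this example); a real
# deployment would load a large list of common and breached passwords.
COMMON_BASE_WORDS = {"password", "admin", "welcome", "qwerty", "letmein"}

# Common character substitutions mapped back to the letter they stand in for.
LEET_MAP = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "l", "!": "i",
                          "3": "e", "$": "s", "5": "s", "7": "t"})


def meets_complexity_rules(password: str) -> bool:
    """Typical composition rule: length >= 8 and at least 3 of 4 character classes."""
    classes = [
        re.search(r"[a-z]", password),
        re.search(r"[A-Z]", password),
        re.search(r"[0-9]", password),
        re.search(r"[^A-Za-z0-9]", password),
    ]
    return len(password) >= 8 and sum(c is not None for c in classes) >= 3


def base_word(password: str) -> str:
    """Reduce a password to the word it was built from.

    Lower-cases, strips trailing digits and symbols (the usual "@1" style
    decoration), undoes the substitutions in LEET_MAP, then drops any
    remaining non-letters.
    """
    core = re.sub(r"[^a-z]+$", "", password.lower())
    return re.sub(r"[^a-z]", "", core.translate(LEET_MAP))


def screen_password(password: str, min_length: int = 8) -> list[str]:
    """Return the reasons a password is rejected; an empty list means accepted."""
    reasons = []
    if len(password) < min_length:
        reasons.append("too short")
    word = base_word(password)
    if word in COMMON_BASE_WORDS:
        reasons.append(f"derived from common word '{word}'")
    return reasons


if __name__ == "__main__":
    # The first two values are the passwords quoted in the article; the third
    # is a constructed passphrase used as a contrast case.
    for candidate in ("p@ssword1", "Password@1", "correct-horse-battery-staple"):
        print(f"{candidate!r}: complexity rule passes="
              f"{meets_complexity_rules(candidate)}, "
              f"screening rejects for={screen_password(candidate)}")
```

Both quoted passwords satisfy the complexity rule and are still rejected by the screening step, while the constructed passphrase fails the complexity rule and is accepted by screening.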
Ezynetic was also found not to have performed any periodic vulnerability assessment or penetration testing of its infrastructure, said the commission.
Following the incident, Ezynetic rebuilt its entire network and migrated to a cloud environment for its servers, and implemented enhanced security measures for the new network after consultations with the Cyber Security Agency of Singapore and the Ministry of Law.
PDPC's decision
Under the Personal Data Protection Act (PDPA), which Ezynetic was found to have breached, organisations must protect personal data in their possession or under their control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification or disposal, or similar risks.
Its failure to conduct a reasonable periodic security review also amounted to a breach of the PDPA; according to PDPC's checklists to guard against common types of data breaches, organisations should, as a basic practice, periodically conduct web application vulnerability scanning and assessments.
PDPC said that a fine was appropriate, as Ezynetic was a Software-as-a-Service provider, which should possess the necessary technical expertise to implement reasonable cyber security measures to address the evolving threats.
According to Microsoft's cloud computing platform Azure, Software-as-a-Service, or SaaS for short, is a cloud-based model where software applications are hosted by a service provider and accessed over the internet. SaaS providers manage the underlying infrastructure, security, maintenance, and updates.
Ezynetic was also directed by the PDPC to obtain the Cyber Security Agency of Singapore's Cyber Trustmark Certification for its new IT network and report to the Commission on its completion. Such marks certify good cyber-security practices, helping companies benchmark and show their preparedness to meet new risks.
On Dec 2, Ezynetic was informed of PDPC's preliminary decision, and the following day, it sought a waiver or reduction to the fine. The firm cited its financial commitment to mitigating the breach, its losses as a result of ongoing disruptions caused by the breach, and that it had cooperated with all regulatory bodies throughout the investigation.
However, PDPC rejected this, as Ezynetic's financial commitment was a "necessary part of its obligation to implement reasonable security arrangement" under its protection obligation, and that Ezynetic's cooperativeness was already taken into account while determining the fine amount.
"Whilst (Ezynetic) did provide some invoices showing that it had incurred expenses to implement remedial measures, these did not show that (Ezynetic) is in such a dire financial situation that the imposition of a financial penalty of $17,500 would adversely impact its ability to continue its business," said PDPC.
As a result, the PDPC said Ezynetic was required to pay the fine within 30 days from the date of the relevant notice accompanying its decision. If it does not do so, interest will accrue until the fine is paid in full.
The firm will also be required to obtain Cyber Trustmark Certification for its new IT network within 9 months from the date of PDPC's decision, and has to report to the commission within 14 days of doing so.