
IT vendor fined over data stolen from 190,000, sold on Dark Web
Ezynetic had failed to put in place reasonable security arrangements to protect the personal data in its possession or under its control, the Personal Data Protection Commission (PDPC) said on July 3 via a statement on its website.
At the time of the breach, which Ezynetic uncovered on June 24, 2024, the company was operating an IT system linked to the Moneylenders Credit Bureau platform operated by Credit Bureau Singapore.
Ezynetic's affected clients - previously identified as moneylenders Ban King Credit, Credit 21, Lending Bee, Katong Credit, Credit Thirty3, GS Credit, 1AP Capital, Creditmaster, BST Credit, U Credit, Horison Credit and Credit Matters - would input personal data of their prospective loan applicants and borrowers into the money lending system.
This would allow them to verify the applicants' and borrowers' loan eligibility, generate MLCB credit reports and profit and loss reports, as well as track loans, instalments, collections and payments.
In a judgment, the PDPC said that investigations found that a threat actor had exploited a vulnerable web service application to gain access to and control of Ezynetic's system administrator account to access the money lending system. After gaining access to the money lending system, the threat actor obtained the personal data of the affected individuals.
The data stolen included a combination of the name, address, e-mail address, telephone number, NRIC number, date of birth and the financial information available in the MLCB credit reports of 190,589 individuals. These individuals were notified of the incident on July 1, 2024.
PDPC, which was informed of the incident on June 26, 2024, said its investigations revealed that Ezynetic had failed to disable or adequately secure the system administrator account, which is often targeted by malicious users.
The account password at the time of the incident, which was p@ssword1 or Password@1, was susceptible to brute force attacks, wherein hackers repeatedly try to gain access to systems by trying different passwords.
Ezynetic was also found not to have performed any periodic vulnerability assessment or penetration testing of its infrastructure, said the commission.
Following the incident, Ezynetic rebuilt its entire network and migrated to a cloud environment for its servers, and implemented enhanced security measures for the new network after consultations with the Cyber Security Agency of Singapore and the Ministry of Law.
PDPC's decision
Under the Personal Data Protection Act (PDPA), which Ezynetic was found to have breached, organisations must protect personal data in their possession or under their control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification or disposal, or similar risks.
Its failure to conduct a reasonable periodic security review also amounted to a breach of the PDPA; according to PDPC's checklists to guard against common types of data breaches, organisations should, as a basic practice, periodically conduct web application vulnerability scanning and assessments.
PDPC said that a fine was appropriate, as Ezynetic was a Software-as-a-Service provider, which should possess the necessary technical expertise to implement reasonable cyber security measures to address the evolving threats.
According to Microsoft's cloud computing platform Azure, Software-as-a-Service, or SaaS for short, is a cloud-based model where software applications are hosted by a service provider and accessed over the internet. SaaS providers manage the underlying infrastructure, security, maintenance, and updates.
Ezynetic was also directed by the PDPC to obtain Cyber Security Agency of Singapore's Cyber Trustmark Certification for its new IT network and report to the Commission on its completion. Such marks certify good cyber-security practices, helping companies benchmark and show their preparedness to meet new risks.
On Dec 2, Ezynetic was informed of PDPC's preliminary decision, and the following day, it sought a waiver or reduction to the fine. The firm cited its financial commitment to mitigating the breach, its losses as a result of ongoing disruptions caused by the breach, and that it had cooperated with all regulatory bodies throughout the investigation.
However, PDPC rejected this, as Ezynetic's financial commitment was a "necessary part of its obligation to implement reasonable security arrangement" under its protection obligation, and that Ezynetic's cooperativeness was already taken into account while determining the fine amount.
"Whilst (Ezynetic) did provide some invoices showing that it had incurred expenses to implement remedial measures, these did not show that (Ezynetic) is in such a dire financial situation that the imposition of a financial penalty of $17,500 would adversely impact its ability to continue its business," said PDPC.
As a result, the PDPC said Ezynetic was required to pay the fine within 30 days from the date of the relevant notice accompanying its decision. If it does not do so, interest will be accrued until the fine is paid in full.
The firm will also be required to obtain Cyber Trustmark Certification for its new IT network within 9 months from the date of PDPC's decision, and has to report to the commission within 14 days of doing so.
