Credit reports among personal data of 190,000 breached, put for sale on Dark Web; IT vendor fined

Straits Times

15 hours ago

Sign up now: Get ST's newsletters delivered to your inbox
IT vendor Ezynetic was fined $17,500 for failing to protect its clients' data.
SINGAPORE - IT vendor Ezynetic has been fined $17,500 for failing to protect its clients' data, which resulted in more than 190,000 individuals' personal data being stolen and put for sale on the Dark Web.
Ezynetic had failed to put in place reasonable security arrangements to protect the personal data in its possession or under its control, the Personal Data Protection Commission (PDPC) said on July 3 via a statement on its website.
At the time of the breach, which Ezynetic uncovered on June 24, 2024, the company was operating an IT system linked to the Moneylenders Credit Bureau platform operated by Credit Bureau Singapore.
Enzynetic's affected clients –
previously identified as moneylenders Ban King Credit, Credit 21, Lending Bee, Katong Credit, Credit Thirty3, GS Credit, 1AP Capital, Creditmaster, BST Credit, U Credit, Horison Credit and Credit Matters – would input personal data of their prospective loan applicants and borrowers into the money lending system.
This would allow them to verify the applicants' and borrowers' loan eligibility, generate MLCB credit reports and profit and loss reports, as well as track loans, instalments, collections and payments.
In a judgment, the PDPC said that investigations found that a threat actor had exploited a vulnerable web service application to gain access and control of Ezynetic's system administrator account to access the money lending system. After gaining access to the money lending system, the threat actor obtained the personal data of the affected individuals.
The data stolen included a combination of the name, address, e-mail address, telephone number, NRIC number, date of birth and the financial information available in the MLCB credit reports of 190,589 individuals. These individuals were notified of the incident on July 1, 2024.
Top stories
Swipe. Select. Stay informed.
Singapore Asean needs 'bolder reforms' to attract investments in more fragmented global economy: PM Wong
Singapore CPF members can make housing, retirement and health insurance plans with new digital platform
Singapore CPF's central philosophy of self-reliance remains as pertinent as ever: SM Lee
Asia Dalai Lama hopes to live beyond 130 years, much longer than predicted
Sport Liverpool will move on after Jota's tragic death, but he will never be forgotten
Singapore Tan Cheng Bock, Hazel Poa step down from PSP leadership; party launches 'renewal plan'
Singapore Rock climbing fan suddenly could not jump, get up from squats
Life Japanese food in Singapore under $20: 5 hawker stalls serving restaurant-quality sashimi and donburi
PDPC, which was informed of the incident on June 26, 2024, said its investigations revealed that Ezynetic had failed to disable or adequately secure the system administrator account, which is often targeted by malicious users.
The account password at the time of the incident, which was p@ssword1 or Password@1, was susceptible to brute force attacks, wherein hackers repeatedly try to gain access to systems by trying different passwords.
Ezynetic was also found not to have performed any periodic vulnerability assessment or penetration testing of its infrastructure, said the commission.
Following the incident, Ezynetic rebuilt its entire network and migrated to a cloud environment for its servers, and implemented enhanced security measures for the new network after consultations with the Cyber Security Agency of Singapore and the Ministry of Law.
PDPC's decision
Under the Personal Data Protection Act (PDPA), which Ezynetic was found to have breached, organisations must protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification or disposal, or similar risks.
Its failure to conduct a reasonable periodic security review also amounted to a breach of the PDPA; according to PDPC's checklists to guard against common types of data breaches, organisations should, as a basic practice, periodically conduct web application vulnerability scanning and assessments.
PDPC said that a fine was appropriate, as Ezynetic was a Software-as-a-Service provider, which should possess the necessary technical expertise to implement reasonable cyber security measures to address the evolving threats.
According to Microsoft's cloud computing platform Azure, Software-as-a-Service, or SaaS for short, is a cloud-based model where software applications are hosted by a service provider and accessed over the internet. SaaS providers manage the underlying infrastructure, security, maintenance, and updates.
Ezynetic was also directed by the PDPC to obtain Cyber Security Agency of Singapore's Cyber Trustmark Certification for its new IT network and report to the Commission on its completion. Such marks certify
good cyber-security practices , helping companies benchmark and show their preparedness to meet new risks,
On Dec 2, Ezynetic was informed of PDPC's preliminary decision, and the following day, it sought a waiver or reduction to the fine. The firm cited its financial commitment to mitigating the breach, its losses as a result of ongoing disruptions caused by the breach, and that it had cooperated with all regulatory bodies throughout the investigation.
However, PDPC rejected this, as Ezynetic's financial commitment was a 'necessary part of its obligation to implement reasonable security arrangement' under its protection obligation, and that Ezynetic's cooperativeness was already taken into account while determining the fine amount.
'Whilst (Ezynetic) did provide some invoices showing that it had incurred expenses to implement remedial measures, these did not show that (Ezynetic) is in such a dire financial situation that the imposition of a financial penalty of $17,500 would adversely impact its ability to continue its business,' said PDPC.
As a result, the PDPC said Ezynetic was required to pay the fine within 30 days of from the date of the relevant notice accompanying its decision. If it does not do so, interest will be accrued until the fine is paid in full.
The firm will also be required to obtain Cyber Trustmark Certification for its new IT network within 9 months from the date of PDPC's decision, and has to report to the commission within 14 days of doing so.