IT vendor fined over data stolen from 190,000, sold on Dark Web

New Paper, 3 days ago
IT vendor Ezynetic has been fined $17,500 for failing to protect its clients' data, which resulted in more than 190,000 individuals' personal data being stolen and put for sale on the Dark Web.
Ezynetic had failed to put in place reasonable security arrangements to protect the personal data in its possession or under its control, the Personal Data Protection Commission (PDPC) said on July 3 via a statement on its website.
At the time of the breach, which Ezynetic uncovered on June 24, 2024, the company was operating an IT system linked to the Moneylenders Credit Bureau platform operated by Credit Bureau Singapore.
Ezynetic's affected clients - previously identified as moneylenders Ban King Credit, Credit 21, Lending Bee, Katong Credit, Credit Thirty3, GS Credit, 1AP Capital, Creditmaster, BST Credit, U Credit, Horison Credit and Credit Matters - would input personal data of their prospective loan applicants and borrowers into the money lending system.
This would allow them to verify the applicants' and borrowers' loan eligibility, generate MLCB credit reports and profit and loss reports, as well as track loans, instalments, collections and payments.
In a judgment, the PDPC said that investigations found that a threat actor had exploited a vulnerable web service application to gain access and control of Ezynetic's system administrator account to access the money lending system. After gaining access to the money lending system, the threat actor obtained the personal data of the affected individuals.
The data stolen included a combination of the name, address, e-mail address, telephone number, NRIC number, date of birth and the financial information available in the MLCB credit reports of 190,589 individuals. These individuals were notified of the incident on July 1, 2024.
PDPC, which was informed of the incident on June 26, 2024, said its investigations revealed that Ezynetic had failed to disable or adequately secure the system administrator account, which is often targeted by malicious users.
The account password at the time of the incident, which was p@ssword1 or Password@1, was susceptible to brute force attacks, wherein hackers repeatedly try to gain access to systems by trying different passwords.
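As an added illustration, not part of the article or of PDPC's decision: a denylist check of the kind modern password guidance recommends, showing that both passwords named above satisfy a legacy "three character classes" complexity rule yet reduce to the dictionary word "password" once common substitutions and affixed digits are undone. The denylist contents, the 12-character minimum and the context-word parameter are assumptions for the example.

```python
"""Denylist-based password check: why 'p@ssword1' / 'Password@1' are brute-forceable."""
import re
from typing import Iterable, List, Optional

MIN_LENGTH = 12  # assumed policy minimum; the article gives no figure

# Constructed denylist of base words; a real deployment loads a breached-password corpus.
DENYLIST_BASES = frozenset(
    {"password", "admin", "administrator", "welcome", "letmein", "qwerty"}
)

# Substitutions that wordlist mangling rules try first, so they add no real strength.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def normalized_forms(password: str) -> set:
    """Lowercase the candidate, undo leetspeak, and also keep letters-only skeletons
    so that affixed digits/symbols ('...1', '@1') cannot hide a base word."""
    low = password.lower()
    forms = {low, low.translate(LEET)}
    forms |= {re.sub(r"[^a-z]", "", f) for f in list(forms)}
    return forms


def matched_base(password: str, bases: Iterable[str]) -> Optional[str]:
    """Return the first denylisted base word (4+ chars) embedded in any normalized form."""
    for form in normalized_forms(password):
        for base in bases:
            if len(base) >= 4 and base in form:
                return base
    return None


def meets_legacy_complexity(password: str) -> bool:
    """Typical '8+ chars, three of four character classes' rule that both
    breach passwords satisfy: complexity rules alone do not stop brute force."""
    classes = (re.search(r"[a-z]", password), re.search(r"[A-Z]", password),
               re.search(r"\d", password), re.search(r"[^A-Za-z0-9]", password))
    return len(password) >= 8 and sum(bool(c) for c in classes) >= 3


def weak_password_reasons(password: str, context_words: Iterable[str] = ()) -> List[str]:
    """Policy decision: empty list means acceptable, otherwise the reasons to reject."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    base = matched_base(password, DENYLIST_BASES)
    if base:
        reasons.append(f"built on denylisted word '{base}'")
    ctx = matched_base(password, {w.lower() for w in context_words})
    if ctx:
        reasons.append(f"contains account/organisation word '{ctx}'")
    return reasons


if __name__ == "__main__":
    for candidate in ("p@ssword1", "Password@1"):  # the two values named in the article
        print(candidate, "legacy rule:", meets_legacy_complexity(candidate),
              "| rejected for:", weak_password_reasons(candidate, context_words=("admin",)))
```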
Ezynetic was also found not to have performed any periodic vulnerability assessment or penetration testing of its infrastructure, said the commission.
Following the incident, Ezynetic rebuilt its entire network and migrated to a cloud environment for its servers, and implemented enhanced security measures for the new network after consultations with the Cyber Security Agency of Singapore and the Ministry of Law.
PDPC's decision
Under the Personal Data Protection Act (PDPA), which Ezynetic was found to have breached, organisations must protect personal data in their possession or under their control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification or disposal, or similar risks.
Its failure to conduct a reasonable periodic security review also amounted to a breach of the PDPA; according to PDPC's checklists to guard against common types of data breaches, organisations should, as a basic practice, periodically conduct web application vulnerability scanning and assessments.
PDPC said that a fine was appropriate, as Ezynetic was a Software-as-a-Service provider, which should possess the necessary technical expertise to implement reasonable cyber security measures to address the evolving threats.
According to Microsoft's cloud computing platform Azure, Software-as-a-Service, or SaaS for short, is a cloud-based model where software applications are hosted by a service provider and accessed over the internet. SaaS providers manage the underlying infrastructure, security, maintenance, and updates.
Ezynetic was also directed by the PDPC to obtain the Cyber Security Agency of Singapore's Cyber Trustmark Certification for its new IT network and report to the Commission on its completion. Such marks certify good cyber-security practices, helping companies benchmark and show their preparedness to meet new risks.
On Dec 2, Ezynetic was informed of PDPC's preliminary decision, and the following day, it sought a waiver or reduction to the fine. The firm cited its financial commitment to mitigating the breach, its losses as a result of ongoing disruptions caused by the breach, and that it had cooperated with all regulatory bodies throughout the investigation.
However, PDPC rejected this, as Ezynetic's financial commitment was a "necessary part of its obligation to implement reasonable security arrangement" under its protection obligation, and that Ezynetic's cooperativeness was already taken into account while determining the fine amount.
"Whilst (Ezynetic) did provide some invoices showing that it had incurred expenses to implement remedial measures, these did not show that (Ezynetic) is in such a dire financial situation that the imposition of a financial penalty of $17,500 would adversely impact its ability to continue its business," said PDPC.
As a result, the PDPC said Ezynetic was required to pay the fine within 30 days from the date of the relevant notice accompanying its decision. If it does not do so, interest will accrue until the fine is paid in full.
The firm will also be required to obtain Cyber Trustmark Certification for its new IT network within 9 months from the date of PDPC's decision, and has to report to the commission within 14 days of doing so.