Credit reports among personal data of 190,000 breached, put for sale on Dark Web; IT vendor fined

Singapore Firm Fined for Data Breach Affecting 190,000

Compromised data was for sale on the Dark Web.

Singapore-based IT vendor Ezynetic faces a $17,500 fine for failing to adequately protect client data. Over 190,000 individuals had their personal information stolen and offered for sale on the Dark Web because of the breach.

Details of the Data Breach

The Personal Data Protection Commission (PDPC) determined that Ezynetic did not implement sufficient security measures to safeguard personal data under its control. The breach, discovered on June 24, 2024, involved an IT system linked to the Moneylenders Credit Bureau (MLCB) platform operated by Credit Bureau Singapore.

Affected clients included moneylenders such as **Ban King Credit**, **Credit 21**, **Lending Bee**, **Katong Credit**, **Credit Thirty3**, **GS Credit**, **1AP Capital**, **Creditmaster**, **BST Credit**, **U Credit**, **Horison Credit**, and **Credit Matters**. These lenders input personal data of prospective loan applicants into the system to verify eligibility and generate credit reports.

Investigations revealed that a threat actor exploited a vulnerability in a web service application. This exploit allowed unauthorized access to Ezynetic’s system administrator account and, subsequently, the money lending system. Compromised data included names, addresses, email addresses, telephone numbers, NRIC numbers, dates of birth, and financial information from MLCB credit reports.

The PDPC was notified of the incident on June 26, 2024. Its investigation found that Ezynetic failed to adequately secure the system administrator account, a common target for malicious actors.

The account’s password, either p@ssword1 or Password@1, was susceptible to brute force attacks. Ezynetic also did not conduct regular vulnerability assessments or penetration testing.
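As an added illustration (not from the article, the PDPC decision, or Ezynetic), a small denylist check shows why the two passwords named above fail a basic policy: undoing common character substitutions and stripping trailing digits reduces both to the dictionary word "password". The denylist below is a constructed fragment; a real deployment would screen against a large breached-password corpus.

```python
import re

# Constructed denylist fragment for this example; production systems use a
# breached-password corpus (hundreds of millions of entries), not five words.
COMMON_BASE_WORDS = {"password", "admin", "welcome", "letmein", "qwerty"}

# Substitutions that every attacker wordlist already enumerates, so they add
# no strength: '@' for 'a', '0' for 'o', '$' for 's', and so on.
LEET_MAP = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
    "0": "o", "$": "s", "5": "s", "7": "t",
})


def normalize(password: str) -> str:
    """Reduce a candidate to its probable base word.

    Lower-case it, drop a trailing run of digits/symbols ('@1', '123!'), then
    undo leet substitutions. 'p@ssword1' and 'Password@1' both become 'password'.
    The trailing strip runs first so a trailing '1' is not turned into an 'i'.
    """
    lowered = password.lower()
    stripped = re.sub(r"[^a-z]+$", "", lowered)
    return stripped.translate(LEET_MAP)


def weak_password_reasons(password: str, min_len: int = 14) -> list[str]:
    """Return the policy violations for a password (empty list means accepted)."""
    reasons = []
    if len(password) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    base = normalize(password)
    if base in COMMON_BASE_WORDS:
        reasons.append(f"dictionary word '{base}' with trivial substitutions")
    return reasons


def is_acceptable(password: str) -> bool:
    """Convenience wrapper for use in an account-provisioning check."""
    return not weak_password_reasons(password)


if __name__ == "__main__":
    for candidate in ("p@ssword1", "Password@1", "correct-horse-battery-staple-2024"):
        print(candidate, "->", weak_password_reasons(candidate) or "OK")
```

A check like this belongs at account creation and password change, alongside lockout or rate limiting on the administrator login, so a weak value never reaches production in the first place.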

Company Response

Ezynetic rebuilt its entire network and migrated its servers to a cloud environment after the incident. The company also implemented enhanced security measures following consultations with the Cyber Security Agency of Singapore and the Ministry of Law.

PDPC’s Decision

The PDPC stated that the fine was appropriate because Ezynetic, as a Software-as-a-Service (SaaS) provider, should possess the technical expertise to implement reasonable cybersecurity measures. SaaS is a cloud-based model where software applications are hosted by a service provider and accessed via the internet.

In addition to the fine, Ezynetic must obtain Cyber Trustmark Certification for its new IT network and report its completion to the PDPC. These marks certify good cybersecurity practices.

Ezynetic sought a waiver or reduction of the fine, citing financial commitments to mitigating the breach and ongoing disruptions. However, the PDPC rejected this request, stating that the financial commitment was a necessary obligation and that cooperativeness had already been considered in determining the fine amount. Globally, the average cost of a data breach reached $4.45 million in 2023, highlighting the significant financial impact these incidents can have (IBM 2023).

Ezynetic must pay the fine within 30 days. Failure to do so will result in accrued interest. The firm must also obtain Cyber Trustmark Certification within nine months and report to the commission within 14 days of doing so.
