MOE requests forensic investigation after data breach affecting 89,000 parents and school staff

SINGAPORE — The software company at the centre of a hacking incident in April has been asked by the Ministry of Education (MOE) to appoint a forensic investigator to evaluate its systems and processes, and provide recommendations to prevent a recurrence.

Preliminary investigations by Mobile Guardian, which is headquartered in Surrey, UK, show that an unauthorised individual had gained access to a support account on its management portal, using it to view information of customers based in the United States and Asia-Pacific region, including Singapore. 

This affected about 67,000 parents and 22,000 school employees across 127 schools in Singapore, said Education Minister Chan Chun Sing in a written parliamentary reply on May 7. 

He was responding to questions by MPs Don Wee (Chua Chu Kang GRC), Joan Pereira (Tanjong Pagar GRC) and Wan Rizal (Jalan Besar GRC) about MOE's approach to ensuring the security and integrity of students' personal learning devices, as well as measures to protect against online harm and data breaches. 

The MPs raised concerns about the certification and training of IT vendors, response strategies for hacking incidents and governance policies for third-party service providers. They also asked about the ministry's plans for enhancing transparency and communication with parents and the public regarding data security measures and breaches.

Investigations into Mobile Guardian's systems are ongoing, and action will be taken if breaches of contractual obligations are found, said Chan. 

Mobile Guardian determined that the support account was compromised mainly due to inadequate password management, rather than the unauthorised individual exploiting vulnerabilities in its systems, he said. 

The company had received an e-mail on April 12 stating that an unauthorised individual had gained access to its management portal, but the message was considered a phishing e-mail, Chan said.

Mobile Guardian's management portal is used for administrative purposes like providing technical support, and the portal has access to the name of the user, his or her e-mail address, time zone, school name, and whether a person is a parent or a staff member, Chan said.

The portal is not able to change any configuration on the students' personal learning devices, Chan said, adding that no MOE or government IT systems have been compromised as the portal is not connected to them.

However, he said, no action was taken until after a second e-mail was received on April 16, when the individual showed proof of accessing the management portal and tried to extort money in exchange for keeping quiet about his or her ability to access the portal. 

"Mobile Guardian acted on the second alert, and worked to establish the extent of access and customers affected. 

"This included suspending all administrative accounts that could be used to access MG's management portal," Chan said. 

The ministry was notified on April 17 about the hacking incident, as well as the security measures implemented by Mobile Guardian on its management portal, he said. 

With the support of the Cyber Security Agency and GovTech, MOE conducted security checks and found neither suspicious activity on its Device Management Application (DMA) portal nor any indication that the portal had been compromised.

On April 19, the ministry sent e-mails to all users affected to explain what the leaked information could be used for in the event that phishing or scam attempts were made, Chan said. 

These users comprise parents and school employees who manage the DMA functions of their children and students. 

A police report has also been lodged over the incident, said Chan. 

"MOE takes a serious view of this incident," he said. "Our IT service providers are contractually obligated to take measures to protect personal data against loss and unauthorised access." 

Chan added that the ministry expressed "deep dissatisfaction" with Mobile Guardian over this incident, and will continue to safeguard IT systems by conducting independent audits and regular cyber-security testing. 

"We will continue to place emphasis on user education and ongoing vigilance to ensure that our IT systems remain secure," he said. 

Mobile Guardian is one of two companies that MOE engages to provide DMA solutions which help schools and parents manage students' use of their personal learning devices with functions like screen time limits. 

The tender was awarded in 2020 to Mobile Guardian, which holds ISO 27001 certification, an internationally recognised standard for information security management systems, Chan said.

This article was first published in The Straits Times. Permission required for reproduction.
