Ezynetic Fined for Major Data Breach: A Closer Look
Overview of the Incident
In a significant ruling, Singapore’s IT vendor, Ezynetic, has been penalized with a fine of $17,500 due to serious lapses in its data protection protocols. This breach, which compromised the personal information of over 190,000 individuals, has raised critical discussions on the importance of cybersecurity in the digital era.
Details of the Breach
According to a statement released by the Personal Data Protection Commission (PDPC) on July 3, the breach occurred when Ezynetic’s security measures failed to adequately safeguard sensitive personal data. The incident came to light on June 24, 2024, primarily affecting clients associated with the Moneylenders Credit Bureau (MLCB), managed by Credit Bureau Singapore.
The companies impacted include well-known moneylenders such as Ban King Credit, Credit 21, and U Credit. These businesses use the MLCB platform to input personal details of loan applicants, enabling them to perform critical tasks like eligibility verification and tracking financial transactions.
Method of Attack
Investigations revealed that a threat actor successfully exploited a vulnerability within Ezynetic’s web service application. By gaining unauthorized access to the system administrator account, the individual was able to harvest a wealth of sensitive information, including names, addresses, and National Registration Identity Card (NRIC) numbers of 190,589 clients. This personal data was later discovered for sale on the Dark Web.
The PDPC highlighted that Ezynetic had left its system administrator account inadequately secured, allowing malicious users to target it easily. Crucially, the account’s password—p@ssword1 or Password@1—was weak and vulnerable to brute force attacks, where hackers methodically attempt various passwords to gain entry.
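The two passwords quoted above illustrate why a character-class complexity rule alone is not a defence: both satisfy a typical "8+ characters, three of four character classes" policy, yet both reduce to the dictionary word "password" once leet substitutions and trailing padding are removed, which is exactly what a brute-force or dictionary attack tries first. The following Python is an added example, not code from the page, the PDPC or Ezynetic. It shows a blocklist check that catches such passwords, and a simple failed-login rate detector of the kind that would have surfaced repeated attempts against an administrator account. The blocklist, the log format and the timestamps are constructed for the example; a real deployment would check candidates against a breached-password list and tune the threshold and window to its own environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed blocklist of base words. A production check would use a large
# breached-password corpus (NIST SP 800-63B recommends screening against one);
# a handful of entries is enough to show the normalisation.
COMMON_BASE_WORDS = {"password", "admin", "administrator", "welcome", "letmein", "qwerty"}

# Common leet substitutions, mapped back to the letters they stand in for.
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "l", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})


def passes_naive_complexity(pw: str) -> bool:
    """The kind of rule a weak policy enforces: length >= 8 and 3 of 4 classes."""
    classes = [any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)]
    return len(pw) >= 8 and sum(classes) >= 3


def base_word(pw: str) -> str:
    """Strip digit/symbol padding at either end, undo leet substitutions,
    and drop any leftover symbols, so 'p@ssword1' and 'Password@1' both
    collapse to 'password'."""
    s = pw.lower()
    s = re.sub(r"^[^a-z]+|[^a-z]+$", "", s)   # remove padding such as a trailing '@1'
    s = s.translate(LEET_MAP)                  # '@' -> 'a', '0' -> 'o', ...
    return re.sub(r"[^a-z]", "", s)            # discard anything still non-alphabetic


def is_weak(pw: str) -> bool:
    """Reject a password whose normalised base word is on the blocklist."""
    return base_word(pw) in COMMON_BASE_WORDS


# Constructed authentication log lines (hypothetical format, documentation IPs).
SAMPLE_LOG = [
    "2024-06-20T01:00:01 login_failed user=sysadmin src=203.0.113.7",
    "2024-06-20T01:00:14 login_failed user=sysadmin src=203.0.113.7",
    "2024-06-20T01:00:20 login_failed user=alice src=198.51.100.4",
    "2024-06-20T01:00:27 login_failed user=sysadmin src=203.0.113.7",
    "2024-06-20T01:00:40 login_failed user=sysadmin src=203.0.113.7",
    "2024-06-20T01:00:53 login_failed user=sysadmin src=203.0.113.7",
    "2024-06-20T01:01:06 login_failed user=sysadmin src=203.0.113.7",
    "2024-06-20T01:01:30 login_ok user=alice src=198.51.100.4",
]

LOG_RE = re.compile(r"^(?P<ts>\S+) login_failed user=(?P<user>\S+) src=(?P<src>\S+)$")


def detect_bruteforce(lines, threshold: int = 5, window: timedelta = timedelta(minutes=5)):
    """Return the (source, user) pairs with >= threshold failures inside any
    sliding window of the given length. Threshold and window are assumptions."""
    failures = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            failures[(m["src"], m["user"])].append(datetime.fromisoformat(m["ts"]))
    flagged = set()
    for key, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(key)
                break
    return flagged


if __name__ == "__main__":
    for pw in ("p@ssword1", "Password@1"):
        print(pw, "complexity ok:", passes_naive_complexity(pw), "weak:", is_weak(pw))
    print("brute-force candidates:", detect_bruteforce(SAMPLE_LOG))
```

Both quoted passwords pass the complexity rule and fail the blocklist check, which is the order in which a sound policy should evaluate them: complexity rules are at best a supplement to a breached-password screen, not a substitute for it. The detector is deliberately simple; its value is that a privileged account attracting repeated failures from one source is an event worth alerting on before, not after, the attempts succeed.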
Compliance Failures
The commission’s findings indicated that Ezynetic had not undertaken necessary cybersecurity practices, such as regular vulnerability assessments or penetration testing. Such measures are vital in identifying weaknesses and fortifying defenses against potential threats.
Under the Personal Data Protection Act (PDPA), organizations like Ezynetic are mandated to take reasonable steps to secure personal data, preventing unauthorized access and breaches. The company’s failure to perform periodic security reviews contributed to its violation of these regulations.
Remedial Actions Post-Breach
Following the breach, Ezynetic acted swiftly to rectify its IT infrastructure. The firm undertook a comprehensive rebuild of its entire network and migrated its servers to a cloud environment. Enhanced security measures were implemented in consultation with the Cyber Security Agency of Singapore and the Ministry of Law.
Additionally, the PDPC has mandated Ezynetic to obtain the Cyber Trustmark Certification for its new network within a stipulated time frame. This certification underscores a commitment to good cybersecurity practices, serving as a benchmark for the firm to mitigate future risks.
Response to the Fine
After learning of the PDPC’s preliminary decision on December 2, Ezynetic sought a waiver or reduction of the imposed fine, citing its financial burden in addressing the breach and ongoing operational disruptions. However, the PDPC dismissed this request, stating that the company’s financial commitments were anticipated as part of its obligations under the PDPA.
The commission also noted that the evidence provided did not demonstrate an immediate financial crisis that would adversely affect Ezynetic’s operations due to the fine.
Looking Ahead
Ezynetic is required to pay the fine within 30 days of the PDPC’s decision date. Failure to comply will result in accruing interest until the penalty is settled. Furthermore, the company must report its completion of the Cyber Trustmark Certification within 14 days of achieving it.
This incident serves as a potent reminder for businesses to prioritize data protection measures and remain vigilant against the evolving landscape of cybersecurity threats. By taking significant steps to enhance security protocols, companies can better protect their clients and maintain trust in the increasingly digital global economy.