from straitstimes.com:
MOE requests forensic investigation after data breach affecting 89,000 parents, school employees
Mobile Guardian is one of two companies that MOE uses to provide DMA solutions on students’ personal learning devices. ST PHOTO: KUA CHEE SIONG
Gabrielle Chan
UPDATED
MAY 08, 2024, 10:03 PM
FacebookTelegram
SINGAPORE - The software company at the centre of
a hacking incident in April has been asked by the Ministry of Education (MOE) to appoint a forensic investigator to evaluate its systems and processes, and provide recommendations to prevent a recurrence.
Preliminary investigations by Mobile Guardian, which is headquartered in Surrey, Britain, show that an unauthorised individual had gained access to a support account on its management portal, using it to view information of customers based in the United States and Asia-Pacific region, including Singapore.
This affected about 67,000 parents and 22,000 school employees across 127 schools in Singapore, said Education Minister Chan Chun Sing in a written parliamentary reply on May 7.
He was responding to questions by Mr Don Wee (Chua Chu Kang GRC), Ms Joan Pereira (Tanjong Pagar GRC) and Dr Wan Rizal (Jalan Besar GRC) on MOE’s approach to ensuring the security and integrity of students’ personal learning devices, as well as measures to protect against online harm and data breaches.
The MPs raised concerns about the certification and training of IT vendors, response strategies for hacking incidents and governance policies for third-party service providers. They also asked about the ministry’s plans for enhancing transparency and communication with parents and the public regarding data security measures and breaches.
Investigations into Mobile Guardian’s systems are ongoing, and action will be taken if breaches of contractual obligations are found, said Mr Chan.
Mobile Guardian determined that the support account was compromised mainly due to inadequate password management, rather than the unauthorised individual exploiting vulnerabilities in its systems, he said.
The company had received an e-mail on April 12 that an unauthorised individual had gained access to its management portal, and this was considered a phishing e-mail, he said.
Mobile Guardian’s management portal is used for administrative purposes like providing technical support, and the portal has access to the name of the user, his or her e-mail address, time zone, school name and whether a person is a parent or a staff member, he said.
It is not able to change any configuration on the students’ personal learning devices, Mr Chan said, adding that none of the MOE or government IT systems has been compromised as the portal is not connected to them.
However, he said, no action was taken until after a second e-mail was received on April 16, when the individual showed proof of accessing the management portal and tried to extort money in exchange for keeping quiet about his or her ability to access the portal.
“Mobile Guardian acted on the second alert, and worked to establish the extent of access and customers affected.
“This included suspending all administrative accounts that could be used to access MG’s management portal,” Mr Chan said.
The ministry was notified on April 17 about the hacking incident, as well as the security measures implemented by Mobile Guardian on its management portal, he said.
With the support of the Cyber Security Agency of Singapore and Government Technology Agency (GovTech), MOE conducted security checks and did not find any suspicious activity on its device management application (DMA) portal, nor any indication that the portal had been compromised.
On April 19, the ministry sent e-mails to all users affected to explain what the leaked information could be used for in the event that phishing or scam attempts were made, he said.
These users comprise parents and school employees who manage the DMA functions of their children and students.
A police report has been lodged over the incident, said Mr Chan.
“MOE takes a serious view of this incident,” he said. “Our IT service providers are contractually obligated to take measures to protect personal data against loss and unauthorised access.”
He added that the ministry expressed “deep dissatisfaction” with Mobile Guardian over this incident and will continue to safeguard IT systems by conducting independent audits and regular cyber-security testing.
“We will continue to place emphasis on user education and ongoing vigilance to ensure that our IT systems remain secure,” he said.
Mobile Guardian is one of two companies that MOE engages to provide DMA solutions which help schools and parents manage students’ use of their personal learning devices with functions like screen time limits. The tender was awarded in 2020 to Mobile Guardian, which holds the ISO27001 certification, an internationally recognised standard for information security management systems, Mr Chan said.