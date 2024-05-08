SINGAPORE - The software company at the centre of a hacking incident in April has been asked by the Ministry of Education (MOE) to appoint a forensic investigator to evaluate its systems and processes, and provide recommendations to prevent a recurrence.

Preliminary investigations by Mobile Guardian, which is headquartered in Surrey, Britain, show that an unauthorised individual had gained access to a support account on its management portal, using it to view information of customers based in the United States and Asia-Pacific region, including Singapore.

This affected about 67,000 parents and 22,000 school employees across 127 schools in Singapore, said Education Minister Chan Chun Sing in a written parliamentary reply on May 7.

He was responding to questions by MPs Don Wee (Chua Chu Kang GRC), Joan Pereira (Tanjong Pagar GRC) and Wan Rizal (Jalan Besar GRC) about MOE’s approach to ensuring the security and integrity of students’ personal learning devices, as well as measures to protect against online harm and data breaches.

The MPs raised concerns about the certification and training of IT vendors, response strategies for hacking incidents and governance policies for third-party service providers. They also asked about the ministry’s plans for enhancing transparency and communication with parents and the public regarding data security measures and breaches.

Investigations into Mobile Guardian’s systems are ongoing, and action will be taken if breaches of contractual obligations are found, said Mr Chan.

Mobile Guardian determined that the support account was compromised mainly due to inadequate password management, rather than the unauthorised individual exploiting vulnerabilities in its systems, he said.

The company had received an e-mail on April 12 that an unauthorised individual had gained access to its management portal, and was considered a phishing e-mail, Mr Chan said.

Mobile Guardian’s management portal is used for administrative purposes like providing technical support, and the portal has access to the name of the user, his or her e-mail address, time zone, school name, and whether a person is a parent or a staff member, Mr Chan said.

It is not able to change any configuration on the students’ personal learning devices, Mr Chan said, adding that none of MOE or government IT systems have been compromised as the portal is not connected to them.

However, he said, no action was taken until after a second e-mail was received on April 16, when the individual showed proof of accessing the management portal and tried to extort money in exchange for keeping quiet about his or her ability to access the portal.

“Mobile Guardian acted on the second alert, and worked to establish the extent of access and customers affected.

“This included suspending all administrative accounts that could be used to access MG’s management portal,” Mr Chan said.