NUSS website briefly offline after security irregularities, no data breach found

SINGAPORE - The website of the graduate club National University of Singapore Society was temporarily taken down for less than 24 hours from Jan 11 midday due to a security issue, The Straits Times has learnt.

In an e-mail sent to members of the society on the same day, NUSS said that there was no indication of any impact on members’ data.

The NUSS website primarily serves as an information and engagement platform, providing access to society updates, events, facilities, dining offerings, and publications.

In response to queries from ST, an NUSS spokesperson added that checks had been completed and there were no signs of any data breach or unauthorised access to members’ information.

“It came to our attention that there were irregularities affecting the NUSS website around midday on Jan 11,” said the NUSS spokesperson, adding that the website was taken offline to facilitate necessary checks and revisions.

The spokesperson added that the website was up again in the morning of Jan 12. Checks by ST found that the website was already online at around 10am on that day.

“The irregularities on the website involved hidden content that appeared to link to other pages for search engine optimisation (SEO) purposes,” said the NUSS spokesperson.

Cyber-security experts said that the website, which is hosted on content management platform Wordpress, appeared to have been compromised. Threat actors could have exploited vulnerable plugins and form inputs to inject malicious links.

Outdated plugins or themes are the number one cause of cyber incidents on Wordpress, said Mr Aaron Ang, vice-president of non-profit organisation Digital Defence Alliance Singapore.

Some examples of outdated plugins include old versions of contact forms, event tools or e-commerce add-ons.

Mr Ang said that the threat actors could be conducting an SEO spam campaign, which works by compromising legitimate websites to inject hidden links or pages that manipulate search rankings.

“Most SEO spam compromises are conducted by automated bots scanning the internet for known vulnerabilities, not targeted hacking,” he said.

He added that these campaigns usually aim to boost search rankings for illicit sites like gambling, fake products and phishing pages, and generally do not seek member data directly.

Privacy Ninja co-founder Andy Prakash said that the issue is still of concern even if there is no indication of data being exposed to threat actors.

“Such irregularities can still pose reputational risks, affect search engine trust, and signal weaknesses in website security controls. If left unaddressed, similar vulnerabilities could potentially be escalated to more serious attacks, including data exfiltration,” said Mr Prakash.

He said that website-level attacks are unfortunately common and relatively easy to carry out if systems are not regularly patched or monitored.

“As part of strengthening controls, organisations should also enforce secure web form practices such as strict input validation and sanitisation, ensure Wordpress plugins are kept fully up to date with unsupported or end-of-life plugins removed, and implement stronger access controls including multi-factor authentication and brute-force login protection,” said Mr Prakash.

In 2021, the NUSS website was the victim of a database attack. As a result, the personal data of 3,725 individuals were put up for sale on an internet forum. The data affected included names, NRIC numbers, and addresses.

It was found that a hacker had inserted malicious SQL (Structured Query Language, a language used to manage and query databases) code to access or steal data.

Then, the Personal Data Protection Commission required NUSS to sign an undertaking to put in place remediation measures like ensuring no personal data was stored on the webserver end, and to do penetration testing after all vulnerabilities were fixed.