Data of 30,000 who used NTUC's e2i services feared breached

Third-party vendor's mailbox infected by malware; no evidence so far that data has been misused

The personal data of about 30,000 people who have used the services of the National Trades Union Congress' (NTUC) Employment and Employability Institute (e2i) may have been accessed by cyber criminals.

The crooks may have had unauthorised access to people's names, educational qualifications, NRIC numbers and contact and employment details, according to a statement by e2i yesterday.

The institute provides skills training and job matching services.

It said it was alerted to an incident on March 12 in which malware - often distributed via spam e-mail - had infected the mailbox of an employee of an e2i-appointed third-party vendor, contact centre services company i-vic International.

The affected mailbox had the personal data of about 30,000 people who had participated in e2i events, used the institute's services, or both, from November 2018 to March 12 this year. They included people who had attended a job fair or employability workshop, or who had gone for career coaching.

For now, there is no evidence that the data has been misused or leaked, said e2i.

The institute has reported the breach to the Personal Data Protection Commission (PDPC) and the Cyber Security Agency of Singapore's Singapore Computer Emergency Response Team (SingCert), while i-vic International made a police report on March 22.

The PDPC is investigating, while the police are looking into the matter.

On why the incident was not made known earlier, e2i said that "given the complexity of the investigations, it has taken time to make an impact assessment".

The breach comes after recent attacks affecting third-party vendors, such as reports last December that information technology management software provider SolarWinds was targeted by hackers, with about 18,000 customers hit globally.

The Government announced last month that organisations running Singapore's critical information infrastructure, such as telecommunications networks and public transport systems, will be asked to better manage their vendors' cyber-security risks.

In response to the data breach, e2i and i-vic International have taken measures to tighten the security of their e-mail and network systems, and are doing checks to monitor any potential vulnerabilities.

They are contacting potentially affected people through e-mail, SMS and calls to alert them to the incident and provide support.

Those affected should be vigilant against suspicious activities or requests, as well as phishing attempts by cyber criminals to steal sensitive information by impersonating a legitimate organisation, said e2i.

Those who receive a suspicious e-mail, or suspect they have been targeted by a scam, can ring e2i on 6713-5779. They can also file an online report with SingCert.

Mr Gilbert Tan, e2i's chief executive, said the malware did not target e2i directly, but it is checking its IT systems and those of its vendor. He assured the public "that e2i's operations, services and systems remain unaffected, and job seekers can continue to seek employment and employability assistance with e2i".


A version of this article appeared in the print edition of The Straits Times on April 06, 2021, with the headline Data of 30,000 who used NTUC's e2i services feared breached.