SINGAPORE - The personal data of about 30,000 people who have used the services of the National Trades Union Congress' Employment and Employability Institute (e2i) may have been accessed by cyber criminals.
The crooks may have had unauthorised access to people's names, educational qualifications and NRIC, contact and employment details, according to a statement by e2i on Monday (April 5).
e2i provides skills training and job matching services for workers.
The institute said that it was alerted to a data incident on March 12 in which a malware had infected the mailbox of an employee of an e2i-appointed third party vendor, contact centre services firm i-vic International.
The malware is often distributed through spam e-mail and is able to hinder analysis and evade detection.
The affected mailbox contained the personal data of about 30,000 people who had participated in e2i events, used the institute's services, or both, from November 2018 to March 12 this year. They included people who attended a job fair, employability workshop or went for career coaching.
For now, there is no evidence that there is any misuse or leak of the data or that e2i's IT system has been compromised, the institute said.
It declined to say how many people use e2i's services in total, "out of confidentiality for our job seekers".
e2i has reported the data breach to the Personal Data Protection Commission (PDPC) and the Cyber Security Agency of Singapore's Singapore Computer Emergency Response Team (SingCert).
i-vic International also filed a police report on the incident on March 22.
PDPC said it is aware of the incident and is investigating, while the police are looking into the matter.
On why the incident was not made known earlier, e2i said that "given the complexity of the investigations, it has taken time to make an impact assessment".
"We have worked with the utmost urgency with the vendor to ascertain the nature and extent of personal data that has been potentially affected," it added.
The incident comes on the back of several cyber-security attacks affecting third-party vendors.
In December last year, it was revealed that IT management software provider SolarWinds was targeted by hackers. About 18,000 customers of the Texas-based firm were hit, including American tech giants Microsoft and FireEye.
In the same month, a file-sharing system provided by United States cloud-sharing company Accellion was targeted by a cyber attack, affecting customers globally, including Singapore's largest telco, Singtel. About 129,000 Singtel users' data was stolen in the breach.
Then in March, it was reported that about 380 computer servers run by organisations in Singapore are at risk from a massive global hack of the widely used Microsoft Exchange e-mail server software.
Singapore's Government announced last month that organisations running the country's critical information infrastructure, such as telecommunications networks and public transport systems, will be asked to better manage their vendors' cyber-security risks.
As for the latest data breach, e2i and i-vic International have taken measures to tighten the security of e-mail and network systems, and are also doing checks to monitor any potential vulnerabilities.
They are contacting potentially affected people through e-mail, SMS and phone calls to alert them about the incident and to provide them support on how to manage the potential risks involved.
e2i said those affected by the data breach should be vigilant for any suspicious activities or requests, as well as for phishing attempts and any suspicious activities or requests.
It said the scammer in the incident could have unauthorised access to people's personal data and may contact them by pretending to be from e2i. But it will be clear that any "e2i" e-mail from the crook is fake because it does not end with @e2i.com.sg
Those who receive a suspicious e-mail, or suspect they have been targeted by a scam, can contact e2i at 6713 -5779.
They can also file an online report with SingCert at this link.
Mr Gilbert Tan, e2i's chief executive officer, said: "We are deeply sorry for the anxiety this data incident may bring to our clients. The protection of our clients' personal data is of utmost importance to us."
He added that the malware did not target e2i directly but it is checking its IT systems, as well as that of its vendor.
e2i will also review the cyber-security standards of its vendors to prevent a recurrence of the incident.
"Amid all these measures, I would like to assure that e2i's operations, services and systems remain unaffected and job seekers can continue to seek employment and employability assistance with e2i," said Mr Tan.
For people who suspect their personal data has been illegally accessed, e2i has the following advice:
- Do not use your personal information in your password and change your passwords regularly.
- Set your password in a way that makes it very hard for people to associate it with you, such as using one made up of alphanumeric characters and symbols.
- Stay vigilant against phishing attempts and monitor for any suspicious activity.
- Do not share your one-time password with anyone, even family members. e2i will never ask you to disclose your password.
Facebook data leak hits 3m Singapore users
Separately, SingCert sent an alert on Monday evening regarding reports that more than 533 million Facebook users' data was recently leaked online, including three million users based in Singapore.
The leaked information comprises mainly of a Facebook user's mobile number, profile name, profile ID and location. Some users' data, like a person's date of birth and e-mail address, was also included.
Facebook clarified that the vulnerability linked to the leak had been patched by the company in August 2019.
But SingCert said users should still watch out for possible phishing campaigns arising from the leak.
Cyber criminals may use the leaked information to conduct phishing and other social engineering attacks.
"Facebook users should remain vigilant and look out for unsolicited phone calls and messages sent over SMS and instant messaging applications such as WhatsApp," said SingCert.
Crooks with resources may also use caller-ID spoofing technology to impersonate the Facebook user and conduct further attacks.
For instance, they could use the Facebook user's contact details to order goods and services, or make purchases under his name.
They might also pretend to be the Facebook user to send malicious links, request for money transfers, or ask for OTPs to compromise the accounts of the user's contacts.
SingCert advised the public to practise good cyber hygiene habits to help limit the impact of such data leaks, such as not reusing the same password on different online accounts, and enabling two-factor authentication where available.