Xinmin Secondary School students' NRIC numbers leaked on file sharing site Pastebin

The incident is the second known data breach by an MOE school since March 2015. ST FILE PHOTO

SINGAPORE - The NRIC numbers of hundreds of students at Xinmin Secondary School were leaked in the second known data breach by a Ministry of Education (MOE) school since March 2015.

The information was posted a few months ago on file-sharing website, but The Straits Times understands that it has since been taken off the site and a police report has been made.

Xinmin Secondary School's vice-principal Tan Kuo Cheang confirmed with ST on Saturday (Nov 18) that the school was alerted "to a data breach involving a leak of our students' personal information on" on Sept 28.

The school immediately contacted the website, asking for the information to be removed, and also filed a police report.

It then contacted its students to alert them of the leak and to share cyber security measures that they could take, such as avoiding using NRIC numbers as passwords.

Mr Tan declined to comment further as investigations are ongoing.

When contacted, a spokesman for MOE said: "In line with government IT security policies, MOE has stepped up efforts to work with schools and ensure that their security measures continue to be effective."

She added: "As investigations are ongoing, we are unable to share more."

In March 2015, the personal data of more than 1,900 pupils from Henry Park Primary School were exposed.

An Excel spreadsheet containing the children's particulars was mistakenly sent out to about 1,200 parents as part of an update about a school event. The file contained the names and birth certificate numbers of all 1,900 pupils in the school, and the names, phone numbers and e-mail addresses of their parents.

MOE schools such as Xinmin Secondary and Henry Park are exempted from the Personal Data Protection Act, fully enforced from July 2014. The Act requires organisations to take "reasonable measures" to protect personal data in their possession.

Instead, MOE schools are governed by public-sector rules, which have not been made public.

Technology lawyer Bryan Tan of Pinsent Masons MPillay said: "The Government said that its standards are more stringent than those that govern the private sector. But when a public incident like this happens, we can assess whether the first statement is true."

Lawyer Mr Koh Chia Ling from law firm OC Queen Street said that the students have no recourse. "Even if they do, it might be difficult for them to show any loss suffered from negligence or breach of contract," he said.

Join ST's Telegram channel and get the latest breaking news delivered to you.