Credit reports among personal data of 190,000 breached, put for sale on Dark Web; IT vendor fined | The Straits Times

IT vendor Ezynetic was fined $17,500 for failing to protect its clients' data. PHOTO: ST FILE

Ian Cheng

Published Jul 05, 2025, 11:00 PM

Updated Jul 05, 2025, 11:07 PM

SINGAPORE - IT vendor Ezynetic has been fined $17,500 for failing to protect its clients' data, which resulted in more than 190,000 individuals' personal data being stolen and put for sale on the Dark Web.

Ezynetic had failed to put in place reasonable security arrangements to protect the personal data in its possession or under its control, the Personal Data Protection Commission (PDPC) said on July 3 via a statement on its website.

At the time of the breach, which Ezynetic uncovered on June 24, 2024, the company was operating an IT system linked to the Moneylenders Credit Bureau platform operated by Credit Bureau Singapore.

Ezynetic's affected clients (previously identified as moneylenders Ban King Credit, Credit 21, Lending Bee, Katong Credit, Credit Thirty3, GS Credit, 1AP Capital, Creditmaster, BST Credit, U Credit, Horison Credit and Credit Matters) would input personal data of their prospective loan applicants and borrowers into the money lending system.

This would allow them to verify the applicants' and borrowers' loan eligibility, generate MLCB credit reports and profit and loss reports, as well as track loans, instalments, collections and payments.

In a judgment, the PDPC said that investigations found that a threat actor had exploited a vulnerable web service application to gain access and control of Ezynetic's system administrator account to access the money lending system. After gaining access to the money lending system, the threat actor obtained the personal data of the affected individuals.

The data stolen included a combination of the name, address, e-mail address, telephone number, NRIC number, date of birth and the financial information available in the MLCB credit reports of 190,589 individuals. These individuals were notified of the incident on July 1, 2024.

PDPC, which was informed of the incident on June 26, 2024, said its investigations revealed that Ezynetic had failed to disable or adequately secure the system administrator account, which is often targeted by malicious users.

The account password at the time of the incident, which was "pssword1" or "Password1", was susceptible to brute force attacks, wherein hackers repeatedly try to gain access to systems by trying different passwords.

Ezynetic was also found not to have performed any periodic vulnerability assessment or penetration testing of its infrastructure, said the commission.

Following the incident, Ezynetic rebuilt its entire network, migrated to a cloud environment for its servers, and implemented enhanced security measures for the new network after consultations with the Cyber Security Agency of Singapore and the Ministry of Law.

Under the Personal Data Protection Act (PDPA), which Ezynetic was found to have breached, organisations must protect personal data in their possession or under their control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification or disposal, or similar risks.

Its failure to conduct a reasonable periodic security review also amounted to a breach of the PDPA. According to PDPC's checklists to guard against common types of data breaches, organisations should, as a basic practice, periodically conduct web application vulnerability scanning and assessments.

PDPC said that a fine was appropriate as Ezynetic was a Software-as-a-Service provider, which should possess the necessary technical expertise to implement reasonable cyber security measures to address the evolving threats.

According to Microsoft's cloud computing platform Azure, Software-as-a-Service, or SaaS for short, is a cloud-based model where software applications are hosted by a service provider and accessed over the internet. SaaS providers manage the underlying infrastructure, security, maintenance and updates.

Ezynetic was also directed by the PDPC to obtain the Cyber Security Agency of Singapore's Cyber Trustmark Certification for its new IT network and report to the commission on its completion. Such marks certify good cybersecurity practices, helping companies benchmark and show their preparedness to meet new risks.

On Dec 2, Ezynetic was informed of PDPC's preliminary decision, and the following day it sought a waiver or reduction to the fine. The firm cited its financial commitment to mitigating the breach, its losses as a result of ongoing disruptions caused by the breach, and that it had cooperated with all regulatory bodies throughout the investigation.

However, PDPC rejected this, as Ezynetic's financial commitment was a necessary part of its obligation to implement reasonable security arrangement under its protection obligation, and Ezynetic's cooperativeness was already taken into account while determining the fine amount.

"Whilst Ezynetic did provide some invoices showing that it had incurred expenses to implement remedial measures, these did not show that Ezynetic is in such a dire financial situation that the imposition of a financial penalty of $17,500 would adversely impact its ability to continue its business," said PDPC.

As a result, the PDPC said Ezynetic was required to pay the fine within 30 days from the date of the relevant notice accompanying its decision. If it does not do so, interest will be accrued until the fine is paid in full.

The firm will also be required to obtain Cyber Trustmark Certification for its new IT network within 9 months from the date of PDPC's decision, and has to report to the commission within 14 days of doing so.

Ian Cheng is a correspondent at The Straits Times covering breaking news and current affairs.