IT vendor Ezynetic has been fined $17,500 by the Personal Data Protection Commission (PDPC) over a significant data breach. The lapse led to the theft of personal data belonging to more than 190,000 individuals, which subsequently appeared for sale on the Dark Web. The PDPC’s investigation found that Ezynetic had failed to put in place reasonable security arrangements for the personal data in its possession or under its control. The incident, discovered on June 24, 2024, involved an IT system connected to the Moneylenders Credit Bureau (MLCB) platform operated by Credit Bureau Singapore, into which Ezynetic’s moneylender clients entered sensitive loan applicant data.
The investigation revealed that a threat actor exploited a vulnerable web service application to gain access to Ezynetic’s system administrator account and, from there, the money lending system. This unauthorized access allowed the perpetrator to steal personal details including names, addresses, email addresses, phone numbers, NRIC numbers, dates of birth, and financial information from MLCB credit reports. The PDPC determined that Ezynetic had neither disabled nor adequately secured this administrator account, which notably used a weak password such as “p@ssword1” or “Password@1,” leaving it susceptible to brute-force attacks. Furthermore, Ezynetic had not conducted any periodic vulnerability assessments or penetration testing of its infrastructure.
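The two weaknesses the PDPC called out, a guessable administrator password and no detection of repeated login failures, are both checkable with a few lines of code. The following is an added example, not code from Ezynetic or the PDPC: a password-policy check that normalizes common character substitutions (so “p@ssword1” and “Password@1” both reduce to the deny-listed base word “password”), and a sliding-window detector that flags a user/source pair with repeated authentication failures. The deny-list, log format and log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed deny-list of base words. A real deployment would load a large
# breached-password list; these few entries are illustrative only.
COMMON_BASES = {"password", "admin", "welcome", "letmein", "qwerty"}

# Undo the substitutions people use to "strengthen" a dictionary word.
LEET_MAP = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "i", "!": "i",
                          "3": "e", "$": "s", "5": "s"})


def normalize(pw: str) -> str:
    """Lower-case, drop trailing digits/symbols (e.g. '1', '@1'), undo leet."""
    s = pw.lower()
    s = re.sub(r"[^a-z]+$", "", s)
    return s.translate(LEET_MAP)


def check_password(pw: str, min_len: int = 14) -> list[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    reasons = []
    if len(pw) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    norm = normalize(pw)
    for base in COMMON_BASES:
        if base in norm:
            reasons.append(f"derived from common word '{base}'")
            break
    return reasons


# Constructed authentication log in an assumed format:
# "<ISO timestamp> auth <FAIL|SUCCESS> user=<name> src=<ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>FAIL|SUCCESS) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

SAMPLE_LOG = [
    "2024-06-24T01:00:00 auth FAIL user=admin src=203.0.113.7",
    "2024-06-24T01:00:04 auth FAIL user=admin src=203.0.113.7",
    "2024-06-24T01:00:09 auth FAIL user=admin src=203.0.113.7",
    "2024-06-24T01:00:15 auth FAIL user=admin src=203.0.113.7",
    "2024-06-24T01:00:21 auth FAIL user=admin src=203.0.113.7",
    "2024-06-24T01:00:27 auth FAIL user=admin src=203.0.113.7",
    "2024-06-24T01:00:33 auth SUCCESS user=admin src=203.0.113.7",
    "2024-06-24T01:10:00 auth FAIL user=alice src=198.51.100.4",
    "2024-06-24T01:12:00 auth FAIL user=alice src=198.51.100.4",
    "2024-06-24T01:12:30 auth SUCCESS user=alice src=198.51.100.4",
]


def detect_bruteforce(lines, threshold: int = 5,
                      window: timedelta = timedelta(minutes=5)) -> set[tuple[str, str]]:
    """Return (user, src) pairs with >= threshold failures inside any sliding window."""
    failures = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["result"] != "FAIL":
            continue
        failures[(m["user"], m["src"])].append(datetime.fromisoformat(m["ts"]))

    flagged = set()
    for key, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Advance the window start until it spans at most `window`.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(key)
                break
    return flagged


if __name__ == "__main__":
    for candidate in ("p@ssword1", "Password@1", "correct-horse-battery-staple-42"):
        print(candidate, "->", check_password(candidate) or "acceptable")
    print("brute-force sources:", detect_bruteforce(SAMPLE_LOG))
```

Both of the passwords named in the decision fail the deny-list check even before the length rule is considered, and the admin account's burst of six failures in under a minute is flagged while alice's two failures are not. A success immediately following a flagged burst, as in the sample, is the higher-fidelity alert to page on.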
In the aftermath of the breach, Ezynetic rebuilt its entire network, migrated to a cloud environment, and implemented enhanced security measures after consulting with the Cyber Security Agency of Singapore and the Ministry of Law.
The PDPC’s decision to fine Ezynetic was based on its breach of the Personal Data Protection Act (PDPA), which requires organizations to implement reasonable security arrangements to prevent unauthorized data access and other risks. As a Software-as-a-Service (SaaS) provider, Ezynetic was expected to possess the technical expertise needed to address evolving cybersecurity threats.
Despite Ezynetic’s request for a waiver or reduction of the fine, citing its financial commitment to remediation and its cooperation with regulatory bodies, the PDPC rejected it. The commission stated that the remediation spending was simply part of Ezynetic’s existing obligation to implement reasonable security, and that its cooperativeness had already been factored into the initial fine amount. The PDPC also noted that Ezynetic had not demonstrated a dire financial situation that the $17,500 penalty would worsen, and upheld the fine to emphasize the importance of robust data protection practices.