Credit Reports of 190,000 Exposed in Data Breach and Available on Dark Web; IT Vendor Penalized

In Singapore, IT vendor Ezynetic has received a $17,500 fine for inadequate protection of client data, leading to the theft and subsequent sale of personal information belonging to over 190,000 individuals on the Dark Web. The Personal Data Protection Commission (PDPC) announced this penalty on July 3.

The commission’s investigation revealed that Ezynetic had not implemented sufficient security measures to safeguard the personal data it managed. This breach, identified on June 24, 2024, involved vulnerabilities in an IT system linked to the Moneylenders Credit Bureau platform operated by Credit Bureau Singapore.

The affected clients included licensed moneylenders such as Ban King Credit and Lending Bee, who relied on the system to handle sensitive information from applicants and borrowers. This data included names, addresses, email addresses, telephone numbers, NRIC numbers, and financial details, which the attackers exploited once they gained unauthorized access to the lending system.

Investigators determined that the breach occurred through a compromised web service application, allowing a malicious actor to gain control over Ezynetic’s system administrator account. This access facilitated the extraction of personal data. Notably, the compromised account’s password was deemed weak and vulnerable to brute force attacks, highlighting Ezynetic’s failure to implement even basic cybersecurity practices.
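The findings above name two controls Ezynetic lacked: a strong password on a privileged account and a way to notice a brute-force attempt against it. The following is an added example, not code from the article or from Ezynetic, showing the kind of detection logic a defender would run over authentication logs: it counts failed logins per (account, source) pair in a sliding window, raises an alert once a threshold is reached, and flags the alert if a successful login follows the burst, which is the pattern that most warrants an immediate password reset and investigation. The log format and the sample lines are constructed for the example; the `sysadmin` account name and the addresses are placeholders from documentation ranges, not values from the incident.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log (hypothetical format, not from the article):
# "<ISO timestamp> <FAIL|SUCCESS> user=<account> src=<source address>"
SAMPLE_LOG = """\
2024-06-24T02:00:01 FAIL user=sysadmin src=203.0.113.7
2024-06-24T02:00:02 FAIL user=sysadmin src=203.0.113.7
2024-06-24T02:00:03 FAIL user=sysadmin src=203.0.113.7
2024-06-24T02:00:04 FAIL user=sysadmin src=203.0.113.7
2024-06-24T02:00:05 FAIL user=sysadmin src=203.0.113.7
2024-06-24T02:00:06 FAIL user=sysadmin src=203.0.113.7
2024-06-24T02:00:07 FAIL user=sysadmin src=203.0.113.7
2024-06-24T02:00:08 FAIL user=sysadmin src=203.0.113.7
2024-06-24T02:00:09 SUCCESS user=sysadmin src=203.0.113.7
2024-06-24T08:15:00 FAIL user=alice src=198.51.100.4
2024-06-24T09:30:00 SUCCESS user=alice src=198.51.100.4
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, result, user, source)."""
    ts, result, user_kv, src_kv = line.split()
    return (
        datetime.fromisoformat(ts),
        result,
        user_kv.split("=", 1)[1],
        src_kv.split("=", 1)[1],
    )


def detect_brute_force(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return a list of alerts, one per (user, src) pair that reaches
    `threshold` failed logins inside `window`. Each alert records how many
    failures were in the window when it fired and whether a later SUCCESS
    from the same pair followed the burst (the case to escalate first)."""
    failures = defaultdict(deque)  # (user, src) -> timestamps of recent failures
    alerts = {}                    # (user, src) -> alert dict, fired at most once per pair

    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, result, user, src = parse_line(line)
        key = (user, src)
        recent = failures[key]

        if result == "FAIL":
            recent.append(ts)
            # Drop failures that fell out of the sliding window.
            while recent and ts - recent[0] > window:
                recent.popleft()
            if len(recent) >= threshold and key not in alerts:
                alerts[key] = {
                    "user": user,
                    "src": src,
                    "failures": len(recent),
                    "first": recent[0],
                    "last": ts,
                    "success_after": False,
                }
        elif result == "SUCCESS":
            # A success right after a burst of failures is the strongest signal
            # that a guessed or weak password has been found.
            if key in alerts:
                alerts[key]["success_after"] = True
            recent.clear()

    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_brute_force(SAMPLE_LOG):
        print(alert)
```

In production this logic would sit in a SIEM rule or a login-service middleware rather than a script, and the same counters can drive an account lockout or step-up authentication before the threshold is reached; the alert threshold and window are tuning knobs that depend on how noisy legitimate failed logins are for the account class in question.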

The PDPC notified Ezynetic of the incident on June 26, 2024, and discovered that the company had not conducted periodic vulnerability assessments or penetration tests, contributing to its inability to prevent the breach. The commission emphasized that under the Personal Data Protection Act (PDPA), organizations are required to adopt reasonable security arrangements to protect personal data from unauthorized access and damage.

In response to the incident, Ezynetic initiated a complete overhaul of its network infrastructure, transitioning to a cloud environment and enhancing security protocols with guidance from the Cyber Security Agency of Singapore and the Ministry of Law. The organization was also mandated by the PDPC to obtain Cyber Trustmark Certification for its new network within nine months.

Following the announcement of the fine, Ezynetic sought a waiver or reduction, citing financial burdens due to disruption from the breach and cooperation during the investigation. However, the PDPC dismissed this request, clarifying that financial expenditure on remedial measures is part of an organization’s obligation under the PDPA. The commission underscored that Ezynetic had not demonstrated a financial situation that warranted leniency on the imposed penalty.

By failing to conduct a thorough security review and lacking proper safeguards, Ezynetic exposed itself to significant risk; the intrusion followed the initial access and privilege escalation tactics in the MITRE ATT&CK framework that threat actors frequently leverage. The PDPC’s findings serve as a crucial reminder for organizations, particularly those in the SaaS landscape, to prioritize cybersecurity and adhere to established data protection standards.

Ezynetic is required to pay the fine within 30 days of PDPC’s notice, with accrued interest applicable for any delay. The scrutiny surrounding this breach underscores the critical need for robust cybersecurity strategies amongst service providers and serves as a cautionary tale for businesses aiming to fortify their defenses against evolving cyber threats.
