MOE requests forensic investigation after data breach
The software company at the centre of a hacking incident in April has been asked by the Ministry of Education (MOE) to appoint a forensic investigator to evaluate its systems and processes, and provide recommendations to prevent a recurrence.
Preliminary investigations by Mobile Guardian, which is headquartered in Surrey, Britain, show that an unauthorised individual had gained access to a support account on its management portal, using it to view information of customers based in the United States and Asia Pacific region, including Singapore.
This affected about 67,000 parents and 22,000 school employees across 127 schools in Singapore, said Education Minister Chan Chun Sing in a written parliamentary reply on May 7.
He was responding to questions by MPs Mr Don Wee, Ms Joan Pereira and Dr Wan Rizal about MOE’s approach to ensuring the security and integrity of students’ personal learning devices, as well as measures to protect against online harm and data breaches.
The MPs raised concerns about the certification and training of IT vendors, response strategies for hacking incidents and governance policies for third-party service providers. They also asked about the ministry’s plans for enhancing transparency and communication regarding data security measures and breaches with parents and the public.
Investigations into Mobile Guardian’s systems are ongoing, and action will be taken if breaches of contractual obligations are found, said Mr Chan.
Mobile Guardian determined that the compromise of the support account was mainly due to inadequate password management, rather than the unauthorised individual exploiting vulnerabilities in its systems, he said.
The company had received an e-mail on April 12 stating that an unauthorised individual had gained access to its management portal, but the message was considered a phishing e-mail, Mr Chan said.
Mobile Guardian’s management portal is used for administrative purposes like providing technical support, and the portal has access to the name of the user, his or her e-mail address, time zone, school name, and whether a person is a parent or a staff member, Mr Chan said.
It is not able to change any configuration on the students’ personal learning devices, Mr Chan said, adding that none of MOE’s or the Government’s IT systems has been compromised as the portal is not connected to them.
However, no action was taken until a second e-mail was received on April 16, in which the individual showed proof of accessing the management portal and tried to extort money in exchange for keeping quiet about his or her ability to access the portal, he said.
“Mobile Guardian acted on the second alert, and worked to establish the extent of access and customers affected.
“This included suspending all administrative accounts that could be used to access MG’s management portal,” Mr Chan said.
The ministry was notified on April 17 about the hacking incident, as well as the security measures implemented by Mobile Guardian on its management portal, he said.
With the support of the Cyber Security Agency and GovTech, MOE conducted security checks and found neither suspicious activity on its Device Management Application (DMA) portal nor any indication that the portal had been compromised.
On April 19, the ministry sent e-mails to all users affected to explain what the leaked information could be used for in the event that phishing or scam attempts were made, Mr Chan said.
These users comprise parents and school employees who manage the DMA functions of their children and students.
A police report has also been lodged on the incident, said Mr Chan.
“MOE takes a serious view of this incident,” he said. “Our IT service providers are contractually obligated to take measures to protect personal data against loss and unauthorised access.”
Mr Chan added that the ministry expressed “deep dissatisfaction” with Mobile Guardian over this incident, and will continue to safeguard IT systems by conducting independent audits and regular cybersecurity testing.
“We will continue to place emphasis on user education and ongoing vigilance to ensure that our IT systems remain secure,” he said.
Mobile Guardian is one of two companies that MOE uses to provide DMA solutions on students’ personal learning devices, which help schools and parents manage students’ device use with functions like screen time limits.