PROBE INTO RECENT MOBILE GUARDIAN DATA BREACH INCIDENT AND IMPACT ON CYBERSECURITY MEASURES FOR SCHOOL APPS

MP Jamus Lim

Assoc Prof Jamus Jerome Lim asked the Minister for Education (a) whether the Ministry has been informed of any identifiable lapses in data security practices that resulted in the breach of Mobile Guardian’s user management portal that affected 127 schools; (b) whether there are more schools, than the reported 127 schools, that utilise the application; (c) how many parents and students were affected in total; and (d) what actions will the Ministry pursue to hold the external data vendor, and others providing such services, accountable.

Mr Chan Chun Sing: This response addresses Parliamentary Questions for Oral Answer Nos 25 to 27 and Questions for Written Answer Nos 28 to 31, filed for 7 May 2024 Parliament Sitting.

Members have asked the Ministry of Education (MOE) about the data breach incident caused by unauthorised access to Mobile Guardian’s management portal, how MOE has supported affected parties and the steps MOE has taken since the incident.

Let me first provide some information on Mobile Guardian (MG). MG is one of two companies engaged by MOE to provide Device Management Application (DMA) solutions on Personal Learning Devices used by students. The DMA helps schools and parents manage students’ device use. For example, parents can use the DMA to set screen time limits on their child’s personal learning device.

The use of MG’s DMA for Chromebooks and iPads was decided through an open tender in 2020. The company holds the ISO27001 certification, an internationally recognised standard for information security management systems, and is engaged by over 2,500 schools in over 50 countries worldwide.

Let me now talk about MG’s management portal, which experienced an incident of unauthorised access. The management portal is used for administrative purposes, such as account licensing and providing technical support. The management portal has access to the following information: name of user; email address; time zone; school name; and the user role – that is, whether the user is a parent or school staff.

MG’s management portal does not have the ability to change any configuration on students’ personal learning devices. It is also not connected to any MOE or Government IT systems. Hence, MOE and Government IT systems have not been compromised.

On 12 April, MG received an email that an unauthorised individual had gained access to MG’s management portal. This email was considered a phishing email, until MG received a subsequent email on 16 April. In the second email, the individual showed evidence of access to MG’s management portal and attempted to solicit money in exchange for keeping silent that the individual had been able to access MG’s management portal. MG acted on this second alert and worked to establish the extent of access and customers affected. This included suspending all administrative accounts that could be used to access MG’s management portal.

MOE was notified by MG on 17 April late night of this incident, as well as the enhanced security measures implemented by MG on its management portal. MOE learned from MG’s preliminary investigations that an unauthorised individual had gained access to a support account on MG’s management portal. MG’s assessment was that the unauthorised individual could have used the compromised account to view the information of customers based in the United States and the Asia Pacific region, including Singapore.

The Cyber Security Agency and GovTech supported MOE in the investigation of the incident.

MG had assessed that the compromised support account was primarily attributed to poor password management practice and not the result of the unauthorised individual exploiting vulnerabilities in MG’s systems. Nevertheless, MOE conducted security checks and found no suspicious activity on MOE’s DMA portal nor any indications that MOE’s DMA had been compromised.

As a proactive measure, MOE decided to communicate with all users whose names and email addresses can be accessed by the MG management portal. These comprised about 67,000 parents and 22,000 school staff across 127 schools. These are parents who had signed up to manage the DMA functions in their child’s personal learning device at home; and school staff who use the DMA to manage students’ personal learning devices in schools.

MOE sent an email to all of them on the evening of 19 April. In the email, we explained to them what the leaked information could be used for so that they can be more prepared if they encounter phishing or scam attempts. We also lodged a police report on this incident.

MOE takes a serious view of this incident. Our IT service providers are contractually obligated to take reasonable measures to protect personal data against loss and unauthorised access. MOE has registered our deep dissatisfaction with MG over this incident. We have asked MG to appoint a forensic investigator to evaluate its systems and processes and provide recommendations to prevent a recurrence. Investigations are ongoing. Appropriate actions will be taken should there be breaches of contractual obligations.

To safeguard our IT systems, MOE conducts independent audits and regular cybersecurity testing. We will continue to place emphasis on user education and ongoing vigilance to ensure that our IT systems remain secure.

Ministry of Education
7 May 2024

https://sprs.parl.gov.sg/search/#/sprs3topic?reportid=written-answer-na-16478