INVESTIGATION AND SECURITY MEASURES FOLLOWING MOBILE GUARDIAN APP BREACH

MP Gerald Giam
MP Dennis Tan
MP He Ting Ru

Mr Dennis Tan Lip Fong asked the Minister for Education (a) on what date did the Ministry first become aware of security vulnerabilities in the Mobile Guardian system; (b) what immediate steps were taken within the first 24 hours upon discovery; and (c) whether the vulnerability was immediately verified and patched, bearing in mind its critical nature and ease of exploitation and, if not, why not.

Mr Gerald Giam Yean Song asked the Minister for Education (a) whether there is an update to the number of students in Singapore who had their devices wiped remotely as a result of the Mobile Guardian cybersecurity breach in August 2024 and, if so, how many; (b) how many students were unable to recover their data; (c) what impact did this incident have on these students’ preparation for weighted assessments and examinations; (d) whether the Ministry has any backups of students’ data; and (e) if not, why not.

Ms He Ting Ru asked the Minister for Education (a) how are schools managing the devices of students after the Mobile Guardian Device Management Application was removed from their devices following the security breach in August 2024; (b) whether the Ministry has plans to involve parents more in the management of their children’s devices; and (c) what specific steps will the Ministry take to empower parents with the knowledge and tools to effectively manage their children’s devices.

Mr Chan Chun Sing: Mr Speaker, Sir, my response will cover the Oral PQs raised by Dr Tan Wu Meng, Mr Patrick Tay, Mr Darryl David, Dr Lim Wee Kiak, Mr Christopher de Souza, Mr Sharael Taha, Mr Dennis Tan, Mr Gerald Giam, Ms He Ting Ru and Ms Hazel Poa.

In addition, I will also address two Written PQs by Ms Joan Pereira and Mr Gerald Giam, and I invite Members to seek clarifications, as needed.

Mr Speaker, Sir, Members have asked for the reasons behind the continued use of Mobile Guardian’s Device Management Application, or DMA, after the data breach incident in April this year; details of the technical issue in July; the cybersecurity incident in August; and the support provided to affected students and our approach to using technology for teaching and learning following this episode.

Sir, let me, first, recap the purpose of the DMA.

The DMA supports students, as they learn, to use their personal learning devices (PLDs) safely and responsibly. For example, DMA blocks students’ access to undesirable Internet content, such as gambling or pornography, and sets screen time limits. I will now share what happened in April and the actions taken by the Ministry of Education (MOE).

The incident in April was due to poor password management practice within Mobile Guardian, allowing the attacker to gain unauthorised access to Mobile Guardian’s Management Portal, which led to the data breach. To ensure continued safe use, Mobile Guardian immediately locked down its admin accounts and mandated all account holders to change their passwords. As I had told this House in May, Mobile Guardian’s Management Portal is used for administrative purposes and does not have the ability to change any configuration on students’ PLDs. The Mobile Guardian app was, thus, not affected during the April incident.

MOE immediately registered strong dissatisfaction to Mobile Guardian over the incident and asked that an independent forensic investigator be appointed to evaluate Mobile Guardian systems and processes, and make recommendations to prevent a recurrence. Subsequent findings from the forensic investigator pointed to poor password management practices and Mobile Guardian responded by implementing additional security measures, such as strengthening authentication controls and fixing vulnerabilities.

These enhancements were deployed on 31 May. On the night of 30 May, a member of the public reported a potential vulnerability in the Mobile Guardian app to MOE. Our information technology (IT) security team immediately investigated the report in the morning of 31 May. However, as explained earlier, because Mobile Guardian had rolled out a patch just before, attempts to replicate the vulnerability disclosed by the member of the public were not successful.

An independent certified penetration tester engaged by Mobile Guardian to conduct additional penetration tests in June further confirmed that this vulnerability reported by the member of the public had been closed. The independent test uncovered new vulnerabilities, which Mobile Guardian had committed to fix. However, before it could complete the work, some schools started reporting, on 30 July, that some PLDs had lost the ability to connect to the Internet and, in some cases, total loss of usage.

We quickly established then that this glitch was not related to the April data breach incident, neither was it a cyberattack. Instead, it was due to a human error by a Mobile Guardian engineer, who configured a wrong expiry date, causing the app to stop working. To rectify the misconfiguration, an online update to the Mobile Guardian application was immediately deployed to all iPad users.

Five days later, on 4 August, Mobile Guardian suffered a cyberattack, which remotely wiped out the iPads of some of their global customers, including 13,000 PLDs in our schools or approximately 8% of devices used by our secondary school population. To contain the breach, Mobile Guardian immediately shut down their servers.

As a precautionary measure, MOE embarked on the systematic removal of the Mobile Guardian app from all iPad and Chromebook PLDs the next day. Our priority was to help affected students, particularly those sitting for national examinations, so that learning and revision could continue. We deployed over 300 additional IT engineers and staff to schools to help students restore their devices as well as provided instruction sheets to those students who wanted to troubleshoot their own devices.

All devices have since been restored for use last month. About one in six of the 13,000 affected PLDs lost some degree of data and less than 5% were unable to recover all their data, as their devices had previously not been backed up. During this period, schools made available hard copy learning resources while supporting students who were emotionally affected. Deadlines for assignments were extended and weighted assessments postponed, where needed.

Students can continue to access learning resources on the Singapore Student Learning Space, or SLS. Through this episode, it was most heartening to see many of our students step forward and proactively share their personal notes with classmates and organise study sessions to do revision for their tests and examinations together.

We thank the vigilant members of the public who had flagged the potential vulnerability, our colleagues in the Government Technology Agency (GovTech) and the Cybersecurity Agency (CSA), and also the media community, who rallied around MOE to give the much-needed support, which helped our students learn the positives during this incident.

MOE requires our IT service providers to keep our systems and data safe. Our forensic investigations with GovTech and CSA into the 4 August incident found a new vulnerability in the Mobile Guardian system that could allow an individual to carry out the attack. This is a timely reminder that cyber threats can evolve quickly. While no security test can be entirely exhaustive, MOE expects its contractors to regularly assess and strengthen their system’s security posture.

Due to this incident, MOE has decided to cease the use of Mobile Guardian in all PLDs. MOE has also taken legal actions against the relevant contractors. MOE is currently studying options for an alternative DMA solution for iPad and Chromebook PLDs. We will work towards rolling out the new DMA solution by the new school year in January 2025.

Until the new DMA solution is in place, schools have instituted additional processes to ensure that the PLDs are used safely and responsibly during school hours. MOE has activated web filtering through the Google Admin Console for Chromebook PLDs and, through Parents Gateway, shared instructions on how to activate Apple’s built-in parental controls on iPads. This way, parents can set boundaries, like screen time, routines and restrict access to unsavoury sites.

While the recent spate of incidents was highly unfortunate, this must not deter us from delivering education through technology as they enrich our students’ learning experiences. We must learn to embrace educational technology in our teaching and learning so that our students grow up to be digitally savvy, able to navigate digital environments and take on the opportunities and challenges of the future.

All of us can learn from this incident. It is an important reminder for all of us to practise good digital hygiene, including the regular backing up of information.

Mr Speaker: Mr Gerald Giam.

Mr Gerald Giam Yean Song (Aljunied): Sir, our students take examinations very seriously and an erasure of years of study notes on the eve of an examination date must have been horrifying for so many of them. Because the Mobile Guardian has full control over the devices, including to remote wipe the device, it is more akin to a corporate managed device which should be regularly backed up by MOE in case of a malicious data attack. Did MOE take back-ups of the data on student devices during the time that Mobile Guardian was installed?

Secondly, the Minister mentioned that there was a Vulnerability Assessment and Penetration Test (VAPT) conducted on 30 June, after the vulnerabilities were reported by the member of the public. Was this a full VAPT and were all the vulnerabilities discovered patched before the August cyber attack?

And was there a VAPT conducted on Mobile Guardian before it was first rolled out?

Mr Chan Chun Sing: Mr Speaker, Sir, let me answer the three supplementary questions in reverse order.

For any software as a system, before we acquire the system — and by the way, I think nowadays, all of us use software as a service, SAAS. Today, in all our mobile devices or otherwise, we have such things there.

Before we acquire a service, we do various tests and we make sure that the various systems are also up to the international standards. That is what we do, before we subscribe to any service. Similar to Mobile Guardian, similar to other services, we look at the price quality matrices to see which service meets our needs and is at a price that is reasonable for our needs.

The second one is that in any penetration test, be it the one in June or subsequent to it, whenever there is a penetration test and the results are found, then there will be a series of patches that will be implemented progressively to fix the issues. What we can say is that the issues that were found in June, July onwards, were progressively being fixed. Did any of this contribute directly or indirectly to the subsequent cyber attack? I will not be able to comment on this at this point in time, until the full forensic is out.

On his first supplementary question, I think it is an important lesson that in an era where we are all dependent on technology, to regularly back up our own systems. I would say that even before technology comes about, even once upon a time when we take notes with pen and paper, I think we also did the necessary back-up because it is just a good habit for us to do so.

Having said that, we also know just as how we manage our own personal devices and Government devices, there are two levels of back-up. Every one of us has to do our own individual back-up on certain parts of the notes that we want and there are also system level back-ups on the system level issues. But it will not be possible for the system to back up the individual one, all the time, because the individual, you need to decide what you want to back up. You will need to decide.

Take our smartphone as an example. I am quite sure all of us will store some things in our smartphones. We will back up what we want in a smartphone, be it photos or notes, but it would not be that Apple will back up everything for us, unless you do an auto setting for everything to be backed up onto the cloud storage.

This is the reason why most of our students, the vast majority of our students have been able to back up their notes and information on the cloud, and most of them were able to recover most of the information. There is only a very small percentage of students who were unable to recover data because they did not back up individually and those parts of the data were not backed up. The numbers, I have stated in my answer.

Mr Speaker: Last supplementary question. Mr Dennis Tan.

Mr Dennis Tan Lip Fong (Hougang): Thank you, Speaker. May I ask the Minister whether there was any vulnerability assessment and penetration testing carried out on the app prior to the deployment of the app, whether such testing was carried out regularly before the April incident? And moving forward, will MOE ensure that such testing should be carried out on a regular basis for such apps?

Mr Chan Chun Sing: Mr Speaker, Sir, the answer is yes. I have said in my answer that depending on the security level of the different systems, we have different tiers of vulnerability testing regularly.

Ministry of Education
10 September 2024

https://sprs.parl.gov.sg/search/#/sprs3topic?reportid=oral-answer-3647