SINGAPORE: IT vendor Learnaholic has been fined S$60,000 after the personal data of more than 47,000 students, parents and staff of various schools was stolen by a hacker.
The organisation provided services including attendance-taking and e-learning systems to schools in Singapore under a contract with the Ministry of Education.
However, lapses in its security arrangements led to the exposure of the personal data of about 47,802 students, students' parents and staff members of various schools, according to a decision published by the Personal Data Protection Commission (PDPC) on Thursday (Dec 5).
Because of these lapses, a hacker was able to steal the personal data of these individuals, including their names, NRIC numbers, contact numbers, e-mail and addresses.
The medical information of about 372 students was also stolen.
On Friday, CNA had asked the Education Ministry (MOE) for its comments on the PDPC's decision and the subsequent actions it had taken.
In its response on Sunday, MOE said it had worked with the affected schools to enhance their systems' security measures. The ministry added that it had also worked with Learnaholic to ensure that all systems supplied to schools complied with IT security specifications.
The offence involved a Singaporean hacker who gained unauthorised access to the Learnaholic system and obtained personal data, the ministry said.
Police confirmed that the data had not been distributed or disclosed to others.
The hacker's device containing the data was also confiscated and the data obtained deleted, the ministry said, adding that the hacker was charged in December 2017.
In March 2016, Learnaholic was tasked with troubleshooting and fixing a problem with the attendance-taking system of a school, which was not named by the commission.
During this process, it took steps including modifying the school's Intranet firewall and disabling the password for software installed at one of the attendance-taking sites - actions which would "come to have significant consequences", said the PDPC deputy commissioner Yeong Zee Kin.
Learnaholic had taken those steps so it could conduct remote troubleshooting on the school's system, but it "forgot" to close the firewall port it had opened and restore the school's original firewall configuration after the troubleshooting was completed.
The vulnerability was later exploited by the hacker, who ultimately gained access to a Learnaholic worker's e-mail account, which had the unencrypted personal data that the hacker stole.
The Learnaholic member of staff was assisting schools to upload the personal data onto the respective schools' attendance-taking and/or e-learning systems.
Emails containing the sensitive data were not deleted after the upload was performed, the deputy commissioner said in his decision. The member of staff had thought it "might be useful" to retain the data for "future reference".
This vulnerability was left exposed for more than a month from March 2016 to the end of April that year, when Learnaholic was called in to troubleshoot again.
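The lapse the decision describes, a firewall opening made for remote troubleshooting and never reverted, is the kind of change that should carry its own expiry and its own teardown. The following is an added example, not code from Learnaholic, MOE or the PDPC decision: it keeps a ledger of temporary firewall exceptions, refuses any that lack a bounded lifetime, derives the revert command from the apply command so the two cannot drift apart, and lists what is overdue at audit time. The 24-hour policy, the iptables command form, the ticket name "TS-0001", the hypothetical source network 203.0.113.0/24 and the March/April 2016 timestamps are all assumptions constructed to mirror the timeline in the article.

```python
"""Time-boxed firewall exceptions: every temporary opening records why it exists,
when it dies, and exactly how to undo it; a periodic audit lists what is overdue.
(Illustrative example; not the vendor's or the regulator's code.)"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List

MAX_TTL_HOURS = 24.0  # assumed policy: a troubleshooting exception never outlives a day


def ttl_is_allowed(ttl_hours: float) -> bool:
    """A lifetime must be positive and within policy; 'until someone remembers' is not a TTL."""
    return 0 < ttl_hours <= MAX_TTL_HOURS


@dataclass(frozen=True)
class TempRule:
    """One temporary firewall opening and the metadata that makes it attributable."""
    ticket: str        # change/troubleshooting ticket that justifies the opening
    src_cidr: str      # who is allowed through the opening
    proto: str
    dst_port: int
    opened_at: datetime
    ttl: timedelta

    @property
    def expires_at(self) -> datetime:
        return self.opened_at + self.ttl

    def apply_cmd(self) -> str:
        # The iptables comment carries the ticket so the rule is explainable on the host itself.
        return (f"iptables -I INPUT -p {self.proto} -s {self.src_cidr} "
                f"--dport {self.dst_port} -m comment --comment {self.ticket} -j ACCEPT")

    def revert_cmd(self) -> str:
        # Derived from apply_cmd, so the teardown is generated, never hand-written or forgotten.
        return self.apply_cmd().replace("-I INPUT", "-D INPUT", 1)


def open_exception(ledger: List[TempRule], ticket: str, src_cidr: str, proto: str,
                   dst_port: int, opened_at_iso: str, ttl_hours: float) -> TempRule:
    """Record a new exception on the ledger; reject anything without a bounded lifetime."""
    if not ttl_is_allowed(ttl_hours):
        raise ValueError(f"ttl of {ttl_hours}h is outside (0, {MAX_TTL_HOURS}]")
    rule = TempRule(ticket, src_cidr, proto, dst_port,
                    datetime.fromisoformat(opened_at_iso), timedelta(hours=ttl_hours))
    ledger.append(rule)
    return rule


def overdue(ledger: List[TempRule], now_iso: str) -> List[TempRule]:
    """Exceptions whose lifetime has passed but which are still on the ledger."""
    now = datetime.fromisoformat(now_iso)
    return [r for r in ledger if r.expires_at <= now]


def revert_plan(ledger: List[TempRule], now_iso: str) -> List[str]:
    """The exact commands a scheduled job should run to close every overdue opening."""
    return [r.revert_cmd() for r in overdue(ledger, now_iso)]


def demo_ledger() -> List[TempRule]:
    """Constructed sample: one 4-hour exception opened mid-March 2016 for remote troubleshooting."""
    ledger: List[TempRule] = []
    open_exception(ledger, "TS-0001", "203.0.113.0/24", "tcp", 3389,
                   "2016-03-15T10:00:00", 4.0)
    return ledger


if __name__ == "__main__":
    ledger = demo_ledger()
    for r in ledger:
        print("apply :", r.apply_cmd())
    # Same-day check: nothing overdue yet. End-of-April check: the opening should be long gone.
    print("overdue on 2016-03-15 12:00:", len(overdue(ledger, "2016-03-15T12:00:00")))
    for cmd in revert_plan(ledger, "2016-04-30T00:00:00"):
        print("revert:", cmd)
```

The point of the design is that the closing step is produced by the same record that produced the opening step, and that a clock, not a person's memory, decides when it runs; the audit over the ledger is what would have flagged the opening during the weeks it was left in place.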
The data breach and hack were only discovered in February 2017 by the Singapore Police Force while they were investigating a separate hacking incident.
NO EVIDENCE OF FURTHER EXPLOITATION
"Any of the individual lapses on their own would have been a cause for concern; combined together, the lapses created the perfect opportunity for any opportunistic hacker armed with basic hacking tools to strike," said the deputy commissioner.
In deciding the fine, the PDPC said Learnaholic was handling "large volumes of personal data relating to minors", including sensitive data such as medical information.
"The unauthorised disclosure of such data could potentially have caused significant harm," Mr Yeong wrote.
Other hackers could have "easily obtained access" to the personal data, as the vulnerability was left unattended for more than a month.
Upon learning of the breach, Learnaholic changed the passwords for all its work email accounts and activated two-factor authentication. It also deleted the emails with the personal data, among other measures.
It said that based on the police's investigations, there was "no evidence of further exploitation, use or disclosure" of the personal data by the hacker.