MOE takes legal action against contractors over Mobile Guardian cybersecurity breach
Data from 13,000 personal learning devices was wiped out in August. Less than 5 per cent of users were unable to recover all their data because the devices were not backed up.
Mobile Guardian suffered two major cybersecurity breaches earlier this year.
This audio is generated by an AI tool.
SINGAPORE: The Ministry of Education (MOE) has taken legal action against "relevant contractors" following a Mobile Guardian cyberattack that affected 13,000 users from 26 secondary schools.
About one in six of the affected users lost some data due to the cybersecurity breach suffered by the device management app, Minister for Education Chan Chun Sing said in parliament on Tuesday (Sep 10).
Less than 5 per cent were unable to recover all their data as their devices had not been backed up before the Aug 4 breach, he added.
Mr Chan was responding to questions raised by Members of Parliament (MPs) about what MOE has done to prevent similar incidents from recurring and about the support given to students.
After the August attack, MOE "embarked on the systematic removal" of Mobile Guardian from all iPads and Chromebooks the next day, said the minister.
MOE said it requires its IT service providers to keep its systems and data safe.
The ministry's forensic investigations with GovTech and the Cyber Security Agency of Singapore (CSA) into the incident found that there was a new vulnerability in Mobile Guardian's system that could allow an individual to carry out an attack.
"This is a timely reminder that cyber threats can evolve quickly," he said.
"While no security test can be entirely exhaustive, MOE expects its contractors to regularly assess and strengthen their systems' security posture."
The ministry has decided to stop using Mobile Guardian in all personal learning devices and is currently studying options for an alternative device management app.Â
It said it would work towards rolling out the new app by January next year.
On Monday, CNA reported that MOE had terminated its contract with Mobile Guardian and was considering other options.Â
Prior to the Aug 4 incident, Mobile Guardian suffered a data breach in April due to poor password management practice. A glitch was also reported in July due to human error.
The Ministry of Education (MOE) requires its IT service providers to keep their systems and data safe. Following the recent cybersecurity incident involving Mobile Guardian’s Device Management Application (DMA), MOE has decided to cease its use in all personal learning devices (PLDs). It has also taken legal action against the relevant contractors. MOE is currently studying options for an alternative DMA solution for iPad and Chromebook PLDs and will work towards rolling out the new DMA solution by the new school year in January. Until the new DMA solution is in place, schools have instituted additional processes to ensure PLDs are used safely and responsibly during school hours. Education Minister Chan Chun Sing gave this update in reply to MPs’ questions in Parliament on Tuesday (Sep 10). He said while the recent spate of incidents was highly unfortunate, it must not deter Singapore from delivering education through technology as it enriches students’ learning experiences. “We must learn to embrace EdTech in our teaching and learning so that our students grow up to be digitally savvy, able to navigate digital environments and take on the opportunities and challenges of the future,” he said.
IMPACT ON STUDENTS
The 13,000 personal learning devices that were remotely wiped out represented about 8 per cent of devices used by the secondary school population.
MOE deployed 300 additional IT engineers and staff to help students, and provided instruction sheets to those who wanted to troubleshoot on their own. All devices were restored for use last month.
Schools provided hardcopy resources and supported students who were emotionally affected, said Mr Chan.
Deadlines were extended and weighted assessments were postponed where needed, he added.
At the school level, adjustments have been made according to the school's specific circumstances and needs.
For national exams, special adjustments were made for fewer than 60 students because their preparation for a particular subject was done on their iPads.
"Through this episode, it was most heartening to see many of our students step forward and proactively share their personal notes with classmates and organise study sessions to do revision for their tests and exams together," he said.
Despite the "highly unfortunate" incidents, MOE must embrace technology in teaching and learning so that students will be digitally savvy and able to navigate digital environments.
"All of us can learn from this incident. It is an important reminder for all of us to practice good digital hygiene, including the regular backing up of information," the minister added.
TIERED APPROACH TO CYBERSECURITY
Mr Chan also responded to a question from MP Tan Wu Meng (PAP-Jurong) about whether MOE is working to ensure that contractors are held to the same standards of cybersecurity that government networks are required to meet.
The attack surface is "wide" and it is not possible to "defend everywhere with the same resources, with the same level of focus", he said.
"In the military, there's a saying that if you defend everywhere, you defend nowhere ... We will have to prioritise our resources to see where are the most critical areas that we need to defend and invest more resources on them," he added.
At the national level, critical information infrastructure gets the most resources, and the level of security in other areas would vary depending on the system, said Mr Chan, describing it as a tiered and risk-based approach.
It would not be practical to try to achieve the same level of security for all systems, he said.
