Written Answer

Ensuring Data Security Following Data Breach of Mobile Guardian’s User Management Portal

Summary

This question concerns the data breach of Mobile Guardian’s user management portal and the measures taken to ensure the security of personal learning devices and third-party vendor governance. Mr Don Wee, Ms Joan Pereira, and Dr Wan Rizal inquired about protecting users from online harm, strengthening IT systems, and enhancing communication strategies regarding data security. Minister for Education Chan Chun Sing explained that unauthorized access, attributed to poor password management, compromised the names and emails of 67,000 parents and 22,000 school staff across 127 schools. He stated that the Ministry has notified affected parties, lodged a police report, and directed the vendor to appoint a forensic investigator to evaluate its systems. To prevent future incidents, the Ministry will continue independent audits, regular cybersecurity testing, and the enforcement of contractual obligations for service providers to safeguard personal data.

Transcript

28 Mr Don Wee asked the Minister for Education (a) how does the Ministry ensure that the personal learning devices that it issues are equipped with the latest security software and are regularly updated to filter out harmful internet content; and (b) how does the Ministry ensure that its IT vendors are adequately certified and trained to conduct the appropriate support and checks.

29 Ms Joan Pereira asked the Minister for Education (a) what measures will the Ministry implement to protect the students, parents and teachers in Singapore who are affected by the breach at the Mobile Guardian overseas headquarters from online harm and scams; and (b) how will the Ministry review and strengthen its online systems to reduce the risk of hacking.

30 Dr Wan Rizal asked the Minister for Education in response to the data breach of Mobile Guardian’s user management portal (a) what policy changes are being considered for the governance of third-party service providers handling sensitive personal data; and (b) whether he can outline improvements in incident management and response strategies for such future incidents.

31 Dr Wan Rizal asked the Minister for Education how does the Ministry plan to enhance transparency and communication with parents and the public regarding data security measures and handling of data breach incidents for technologies deployed on educational platforms.

Mr Chan Chun Sing: This response addresses Parliamentary Questions for Oral Answer Nos 25 to 27 and Questions for Written Answer Nos 28 to 31, filed for 7 May 2024 Parliament Sitting.

Members have asked the Ministry of Education (MOE) about the data breach incident caused by unauthorised access to Mobile Guardian's management portal, how MOE has supported affected parties and the steps MOE has taken since the incident.

Let me first provide some information on Mobile Guardian. Mobile Guardian (MG) is one of two companies engaged by MOE to provide Device Management Application (DMA) solutions on Personal Learning Devices used by students. The DMA helps schools and parents manage students' device use. For example, parents can use the DMA to set screen time limits on their child's personal learning device.

The use of MG's DMA for Chromebooks and iPads was decided through an open tender in 2020. The company holds the ISO27001 certification, an internationally recognised standard for information security management systems, and is engaged by over 2,500 schools in over 50 countries worldwide.

Let me now talk about MG's management portal, which experienced an incident of unauthorised access. The management portal is used for administrative purposes, such as account licensing and providing technical support. The management portal has access to the following information: name of user; email address; time zone; school name; and the user role – that is, whether the user is a parent or school staff.

MG's management portal does not have the ability to change any configuration on students' personal learning devices. It is also not connected to any MOE or Government IT systems. Hence, MOE and Government IT systems have not been compromised.

On 12 April, MG received an email that an unauthorised individual had gained access to MG's management portal. This email was considered a phishing email, until MG received a subsequent email on 16 April. In the second email, the individual showed evidence of access to MG's management portal and attempted to solicit money in exchange for keeping silent that the individual had been able to access MG's management portal. MG acted on this second alert and worked to establish the extent of access and customers affected. This included suspending all administrative accounts that could be used to access MG's management portal.

MOE was notified by MG on 17 April late night of this incident, as well as the enhanced security measures implemented by MG on its management portal. MOE learned from MG's preliminary investigations that an unauthorised individual had gained access to a support account on MG's management portal. MG's assessment was that the unauthorised individual could have used the compromised account to view the information of customers based in the United States and the Asia Pacific region, including Singapore.

The Cyber Security Agency and GovTech supported MOE in the investigation of the incident.

MG had assessed that the compromised support account was primarily attributed to poor password management practice and not the result of the unauthorised individual exploiting vulnerabilities in MG's systems. Nevertheless, MOE conducted security checks and found no suspicious activity on MOE's DMA portal nor any indications that MOE's DMA had been compromised.

As a proactive measure, MOE decided to communicate with all users whose names and email addresses can be accessed by the MG management portal. These comprised about 67,000 parents and 22,000 school staff across 127 schools. These are parents who had signed up to manage the DMA functions in their child's personal learning device at home; and school staff who use the DMA to manage students' personal learning devices in schools.

MOE sent an email to all of them on the evening of 19 April. In the email, we explained to them what the leaked information could be used for so that they can be more prepared if they encounter phishing or scam attempts. We also lodged a police report on this incident.

MOE takes a serious view of this incident. Our IT service providers are contractually obligated to take reasonable measures to protect personal data against loss and unauthorised access. MOE has registered our deep dissatisfaction with MG over this incident. We have asked MG to appoint a forensic investigator to evaluate its systems and processes and provide recommendations to prevent a recurrence. Investigations are ongoing. Appropriate actions will be taken should there be breaches of contractual obligations.

To safeguard our IT systems, MOE conducts independent audits and regular cybersecurity testing. We will continue to place emphasis on user education and ongoing vigilance to ensure that our IT systems remain secure.