Investigation and Security Measures following Mobile Guardian App Breach
Ministry of Education
Summary
This question concerns the cybersecurity breaches of the Mobile Guardian application and the subsequent measures taken to support affected students and secure personal learning devices. Members of Parliament inquired about data recovery efforts, the decision to continue using the software after earlier incidents, and the impact on national examinations. Minister for Education Chan Chun Sing stated that the Ministry of Education has ceased using the application, initiated legal action against the contractor, and deployed over 300 IT staff to help restore devices. He noted that while most students recovered their data, some lost unbacked-up files, prompting schools to offer emotional support and adjust assessment schedules. A new management solution is expected by January 2025, with interim safety measures currently managed through built-in parental controls and web filtering.
Transcript
9 Mr Patrick Tay Teck Guan asked the Minister for Education in respect of the recent cybersecurity incident involving the Mobile Guardian Device Management Application which has affected students in Singapore (a) what is the Ministry doing to help students who have had their study notes wiped out; (b) whether the Ministry has reviewed such software installed in tablets used by students to ensure that similar incidents do not recur; and (c) what necessary action will the Ministry take against the supplier of the software.
10 Dr Tan Wu Meng asked the Minister for Education (a) why was Mobile Guardian's device management app continued to be used after its data security breach in April 2024 which caused the exfiltration of personal data of parents and staff from 127 schools; (b) whether contingency plans were instituted prior to the loss of Internet access and classroom materials from students’ personal learning devices in July 2024 and the cybersecurity incident causing students’ devices to be remotely wiped in August 2024; and (c) whether affected students are adequately supported.
11 Mr Darryl David asked the Minister for Education with regard to the recent cybersecurity incident involving the Mobile Guardian Device Management Application that has affected students in Singapore (a) whether an update can be provided on how the Ministry is helping students who have been affected; and (b) what steps are being taken to ensure that similar incidents do not occur again in the future.
12 Dr Lim Wee Kiak asked the Minister for Education following the cybersecurity incident involving the Mobile Guardian application (a) what targeted support is being offered to affected students experiencing distress, particularly those with existing mental health conditions; (b) for students whose data is unrecoverable, how is the Ministry assisting them to prepare for their upcoming examinations and ensuring their access to adequate learning materials; and (c) whether examination grades for the affected students will be moderated this year.
13 Mr Christopher de Souza asked the Minister for Education whether there will be a review of the usage of technology by our students after the global cyber-security breach of the Mobile Guardian Device Management Application that affected our secondary students.
14 Mr Christopher de Souza asked the Minister for Education whether there will be a review done of our students' usage of technology for learning to assess if there has been an over-reliance on technology to the detriment of our students, including losing learning notes that the students have recorded and kept on their school-issued devices.
15 Mr Dennis Tan Lip Fong asked the Minister for Education (a) on what date did the Ministry first become aware of security vulnerabilities in the Mobile Guardian system; (b) what immediate steps were taken within the first 24 hours upon discovery; and (c) whether the vulnerability was immediately verified and patched, bearing in mind its critical nature and ease of exploitation and, if not, why not.
16 Mr Gerald Giam Yean Song asked the Minister for Education (a) whether there is an update to the number of students in Singapore who had their devices wiped remotely as a result of the Mobile Guardian cybersecurity breach in August 2024 and, if so, how many; (b) how many students were unable to recover their data; (c) what impact did this incident have on these students’ preparation for weighted assessments and examinations; (d) whether the Ministry has any backups of students’ data; and (e) if not, why not.
17 Ms He Ting Ru asked the Minister for Education (a) how are schools managing the devices of students after the Mobile Guardian Device Management Application was removed from their devices following the security breach in August 2024; (b) whether the Ministry has plans to involve parents more in the management of their children's devices; and (c) what specific steps will the Ministry take to empower parents with the knowledge and tools to effectively manage their children's devices.
18 Ms Hazel Poa asked the Minister for Education (a) whether there is an update on the efforts to restore devices that are affected by the Mobile Guardian system glitch and cybersecurity breach; and (b) in particular, whether students taking their national examinations have all been able to restore their devices.
19 Mr Sharael Taha asked the Minister for Education (a) how many students are unable to recover data from their devices following the Mobile Guardian cybersecurity incident in August 2024; (b) how will the Ministry assist these students; and (c) how will the Ministry manage mobile device security to prevent future incidents.
The Minister for Education (Mr Chan Chun Sing): Mr Speaker, Sir, may I have your permission to take the next 11 Parliamentary Questions (PQs) together?
Mr Speaker: Yes, go ahead.
Mr Chan Chun Sing: Mr Speaker, Sir, my response will cover the Oral PQs raised by Dr Tan Wu Meng, Mr Patrick Tay, Mr Darryl David, Dr Lim Wee Kiak, Mr Christopher de Souza, Mr Sharael Taha, Mr Dennis Tan, Mr Gerald Giam, Ms He Ting Ru and Ms Hazel Poa.
In addition, I will also address two Written PQs by Ms Joan Pereira and Mr Gerald Giam, and I invite Members to seek clarifications, as needed.
Mr Speaker, Sir, Members have asked for the reasons behind the continued use of Mobile Guardian's Device Management Application, or DMA, after the data breach incident in April this year; details of the technical issue in July; the cybersecurity incident in August; and the support provided to affected students and our approach to using technology for teaching and learning following this episode.
Sir, let me, first, recap the purpose of the DMA.
The DMA supports students, as they learn, to use their personal learning devices (PLDs) safely and responsibly. For example, DMA blocks students' access to undesirable Internet content, such as gambling or pornography, and sets screen time limits. I will now share what happened in April and the actions taken by the Ministry of Education (MOE).
The incident in April was due to poor password management practice within Mobile Guardian, allowing the attacker to gain unauthorised access to Mobile Guardian's Management Portal, which led to the data breach. To ensure continued safe use, Mobile Guardian immediately locked down its admin accounts and mandated all account holders to change their passwords. As I had told this House in May, Mobile Guardian's Management Portal is used for administrative purposes and does not have the ability to change any configuration on students' PLDs. The Mobile Guardian app was, thus, not affected during the April incident.
MOE immediately registered strong dissatisfaction to Mobile Guardian over the incident and asked that an independent forensic investigator be appointed to evaluate Mobile Guardian systems and processes, and make recommendations to prevent a recurrence. Subsequent findings from the forensic investigator pointed to poor password management practices and Mobile Guardian responded by implementing additional security measures, such as strengthening authentication controls and fixing vulnerabilities.
These enhancements were deployed on 31 May. On the night of 30 May, a member of the public reported a potential vulnerability in the Mobile Guardian app to MOE. Our information technology (IT) security team immediately investigated the report in the morning of 31 May. However, as explained earlier, because Mobile Guardian had rolled out a patch just before, attempts to replicate the vulnerability disclosed by the member of the public were not successful.
An independent certified penetration tester engaged by Mobile Guardian to conduct additional penetration tests in June further confirmed that this vulnerability reported by the member of the public had been closed. The independent test uncovered new vulnerabilities, which Mobile Guardian had committed to fix. However, before it could complete the work, some schools started reporting, on 30 July, that some PLDs had lost the ability to connect to the Internet and, in some cases, total loss of usage.
We quickly established then that this glitch was not related to the April data breach incident, nor was it a cyberattack. Instead, it was due to a human error by a Mobile Guardian engineer, who configured a wrong expiry date, causing the app to stop working. To rectify the misconfiguration, an online update to the Mobile Guardian application was immediately deployed to all iPad users.
Five days later, on 4 August, Mobile Guardian suffered a cyberattack, which remotely wiped out the iPads of some of their global customers, including 13,000 PLDs in our schools or approximately 8% of devices used by our secondary school population. To contain the breach, Mobile Guardian immediately shut down their servers.
As a precautionary measure, MOE embarked on the systematic removal of the Mobile Guardian app from all iPad and Chromebook PLDs the next day. Our priority was to help affected students, particularly those sitting for national examinations, so that learning and revision could continue. We deployed over 300 additional IT engineers and staff to schools to help students restore their devices as well as provided instruction sheets to those students who wanted to troubleshoot their own devices.
All devices were restored for use last month. About one in six of the 13,000 affected PLDs lost some degree of data and less than 5% were unable to recover all their data, as their devices had previously not been backed up. During this period, schools made available hard copy learning resources while supporting students who were emotionally affected. Deadlines for assignments were extended and weighted assessments postponed, where needed.
Students can continue to access learning resources on the Singapore Student Learning Space, or SLS. Through this episode, it was most heartening to see many of our students step forward and proactively share their personal notes with classmates and organise study sessions to do revision for their tests and examinations together.
We thank the vigilant members of the public who had flagged the potential vulnerability, our colleagues in the Government Technology Agency (GovTech) and the Cybersecurity Agency (CSA), and also the media community, who rallied around MOE to give the much-needed support, which helped our students learn the positives during this incident.
MOE requires our IT service providers to keep our systems and data safe. Our forensic investigations with GovTech and CSA into the 4 August incident found a new vulnerability in the Mobile Guardian system that could allow an individual to carry out the attack. This is a timely reminder that cyber threats can evolve quickly. While no security test can be entirely exhaustive, MOE expects its contractors to regularly assess and strengthen their system's security posture.
Due to this incident, MOE has decided to cease the use of Mobile Guardian in all PLDs. MOE has also taken legal actions against the relevant contractors. MOE is currently studying options for an alternative DMA solution for iPad and Chromebook PLDs. We will work towards rolling out the new DMA solution by the new school year in January 2025.
Until the new DMA solution is in place, schools have instituted additional processes to ensure that the PLDs are used safely and responsibly during school hours. MOE has activated web filtering through the Google Admin Console for Chromebook PLDs and, through Parents Gateway, shared instructions on how to activate Apple's built-in parental controls on iPads. This way, parents can set boundaries, like screen time and routines, and restrict access to unsavoury sites.
While the recent spate of incidents was highly unfortunate, this must not deter us from delivering education through technology as they enrich our students' learning experiences. We must learn to embrace educational technology in our teaching and learning so that our students grow up to be digitally savvy, able to navigate digital environments and take on the opportunities and challenges of the future.
All of us can learn from this incident. It is an important reminder for all of us to practise good digital hygiene, including the regular backing up of information.
Mr Speaker: Mr Patrick Tay.
Mr Patrick Tay Teck Guan (Pioneer): Thank you to the Minister for the sharing. In light of the Mobile Guardian incident, what is MOE's plan moving forward, particularly, whether the Ministry is going to require or mandate students to re-install a DMA moving forward?
Mr Chan Chun Sing: Mr Speaker, Sir, the answer is yes. We would like to re-install a DMA for all devices and the reason is very simple. With the experience that we have gained, a DMA has been very helpful in helping us to deter people from entering unsavoury sites, maybe intentionally or unintentionally.
Every year, every month, not an insignificant amount of sites or attempts at entry to such sites were blocked. So, there is a need for the cybersecurity, the cyber hygiene and the cyber wellness of our students that they have such a DMA. Having said that, I would also want to say that a DMA also provides a range of options that MOE can work with parents on their desired and appropriate level of controls.
By and large, about three quarters of all parents will adopt the baseline default settings of a DMA for the devices. The other 25%, or one quarter of them, are split between some who wanted stricter controls; and some who want less strict controls. We are able to cater to the different needs of the parents.
Mr Speaker: Dr Tan Wu Meng.
Dr Tan Wu Meng (Jurong): I thank the Minister for his detailed answer. I can declare that there are Clementi students who are affected by this and a number could not recover some of their lost data. Can I ask the Minister two supplementary questions on behalf of these Clementi students and their parents?
Firstly, following the data breach in May 2024, the Minister in his answer mentioned that MOE required Mobile Guardian to have an independent forensic investigation. Can I ask if the forensic investigation contractor was nominated by Mobile Guardian or nominated by MOE? Did MOE have any say in the choice of the contractor to do the audit for the May 2024 data breach incident?
Secondly, Mr Speaker, in an era of outsourcing to vendors, we of course must be mindful that the cyber threat surface is no longer within just the Government domain, but also the sub-contractor domain. Can I ask the Minister if MOE is working with CSA and the Ministry of Digital Development and Information (MDDI) to ensure that the same standards of cybersecurity for Government networks that face the public, these same standards are also being applied to contractors such as Mobile Guardian or whatever replaces it in the future, so that the attack surface for cyber threats is contained and has the same level of safety, regardless of whether it is a contractor or whether it is Government's own device management technology?
Mr Chan Chun Sing: Mr Speaker, Sir, one short answer to the first supplementary question and a slightly longer elaboration to the second.
First, we asked Mobile Guardian to do the independent forensic investigation and we also did our own. That is the short answer. So that we can see the results of both and that is why I have explained in my answer that we have found new vulnerabilities. I want to explain that every time we do regular penetration tests, we will have to regularly update the app. It is not possible to say you do a test one time and you will be safe forever. That is not the concept in cybersecurity. Threats are emerging every day, every other moment and we have to just make sure we regularly do our checks to make sure that things are okay.
On the second question, I would rephrase what Dr Tan had said slightly differently. When you say same level of safety and security for all systems, I think that is not the right basis for us to work on. Let me explain.
The attack surface is wide in the cyber security domain. It is not possible for us to defend everywhere with the same resources, with the same level of focus. In the military, there is a saying that if you defend everywhere, you defend nowhere. In any system, whether big or small, personal or national, government or non-government, we will have to prioritise our resources to see where are the most critical areas that we need to defend against and invest more resources in.
For example, in our national framework – in a separate PQ answer, I think MDDI will share this – is that at the highest level, we have what we call the Critical Information Infrastructure, the CII. This is the type of systems we will devote the most resources to, to make sure that they are the most robust. Then, there are cascading, different levels of security required. It is a risk-based approach that we adopt. In managing our cybersecurity, from the highest CII level to the other levels, there will be different resources required, there will be different areas of focus required. We cannot be adopting the same defence posture for all the different systems. I just hope that we have a shared understanding in this House on this.
Having said that, while there might be differing levels of security and resources devoted to different systems, whenever there is an incident, it is in the collective interest of all of us to learn from it to see how the system might have been compromised or penetrated. This is why when something like that happens, we require any contractor to do their own independent forensic investigation, let us know the results. We will also do our own independent forensic to see whether the results match or whether there are blind spots that each of us may not have been able to detect prior to that.
It is a tiered and risk-based approach. I would not use the phrase that we have the same level of security and safety for all systems because I do not think that will be practical and I do not think that is the end goal of what we are trying to achieve.
Mr Speaker: Mr Gerald Giam.
Mr Gerald Giam Yean Song (Aljunied): Sir, our students take examinations very seriously and an erasure of years of study notes on the eve of an examination date must have been horrifying for so many of them. Because the Mobile Guardian has full control over the devices, including to remote wipe the device, it is more akin to a corporate managed device which should be regularly backed up by MOE in case of a malicious data attack. Did MOE take back-ups of the data on student devices during the time that Mobile Guardian was installed?
Secondly, the Minister mentioned that there was a Vulnerability Assessment and Penetration Test (VAPT) conducted on 30 June, after the vulnerabilities were reported by the member of the public. Was this a full VAPT and were all the vulnerabilities discovered patched before the August cyber attack?
And was there a VAPT conducted on Mobile Guardian before it was first rolled out?
Mr Chan Chun Sing: Mr Speaker, Sir, let me answer the three supplementary questions in reverse order.
For any software as a system, before we acquire the system – and by the way, I think nowadays, all of us use software as a service, SaaS. Today, in all our mobile devices or otherwise, we have such things there.
Before we acquire a service, we do various tests and we make sure that the various systems are also up to the international standards. That is what we do, before we subscribe to any service. Similar to Mobile Guardian, similar to other services, we look at the price quality matrices to see which service meets our needs and is at a price that is reasonable for our needs.
The second one is that in any penetration test, be it the one in June or subsequent to it, whenever there is a penetration test and the results are found, then there will be a series of patches that will be implemented progressively to fix the issues. What we can say is that the issues that were found in June, July onwards, were progressively being fixed. Did any of this contribute directly or indirectly to the subsequent cyber attack? I will not be able to comment on this at this point in time, until the full forensic is out.
On his first supplementary question, I think it is an important lesson that in an era where we are all dependent on technology, to regularly back up our own systems. I would say that even before technology comes about, even once upon a time when we take notes with pen and paper, I think we also did the necessary back-up because it is just a good habit for us to do so.
Having said that, we also know, just as how we manage our own personal devices and Government devices, there are two levels of back-up. Every one of us has to do our own individual back-up on certain parts of the notes that we want and there are also system level back-ups on the system level issues. But it will not be possible for the system to back up the individual one, all the time, because the individual, you need to decide what you want to back up. You will need to decide.
Take our smartphone as an example. I am quite sure all of us will store some things in our smartphones. We will back up what we want in a smartphone, be it photos or notes, but it would not be that Apple will back up everything for us, unless you do an auto setting for everything to be backed up onto the cloud storage.
This is the reason why most of our students, the vast majority of our students have been able to back up their notes and information on the cloud, and most of them were able to recover most of the information. There is only a very small percentage of students who were unable to recover data because they did not back up individually and those parts of the data were not backed up. The numbers, I have stated in my answer.
Mr Speaker: Mr Christopher de Souza.
Mr Christopher de Souza (Holland-Bukit Timah): This is a major issue and had major consequences. So, I would like to ask the Minister, are we over-reliant on iPads and IT to the prejudice of our students and conventional teaching?
Point number two, so much is now being deflected to screen time for learning.
Point number three, I have been told that even some primary schools issue iPads to Primary 4 students.
Fourth supplementary question, I have studied this – over-reliance on screen learning dulls the mind. The abacus or the calculator in the mind becomes slow. Even Minister Chan talks about doing mathematics in Cantonese in his mind.
No amount of parental guidance can stop gaming and possibly even pornography.
So, I wish to put on record these concerns as supplementary questions and before doing so, I declare that I am a parent of four children who are involved in iPad learning. It is my own view that too much learning is done on the screen, but as a matter of being a Member of Parliament, I will also state that the schools in the ward that I am responsible for, were affected by this shutdown and affected quite badly.
Mr Speaker: Minister Chan, if you can keep your answer short because I am trying to squeeze in a few more supplementary questions.
Mr Chan Chun Sing: Okay. Mr Speaker, on the five supplementary questions that were asked, I will reply one at a time.
First, no, I think it is not about whether we are over-reliant or not over-reliant. We will have to learn to use technology, couple that with the best pedagogical practices, and that balance will continue to evolve as our society evolves. So, that is the first point.
Second, yes, we are concerned with screen time but we are also concerned with the type of screen time and the ages at which people are exposed to screen time. I have explained in this House before, that at different ages we are concerned with different types of screen time. For the very, very young, if they are watching a YouTube movie unsupervised, that has probably the greatest damage and is our greatest concern. When they are a bit older, it might be games. And when they are even older, it might be social media. So, it depends on what they use the screen time for. If they use the screen time for educational purposes and are supervised, and have constant interactions with adults, I think the effect is quite different from what we have described just now.
On the use of iPads and devices for primary school education, at this point in time, MOE has not made a decision to issue – in fact, we have made a decision not to issue personal learning devices to all primary schools.
But having said that, we do allow our primary schools to use electronic devices for education purposes and they share the resources around. So, it is not a personal learning device; it is a group learning device and so forth. We had a few schools that have embarked on a trial to see the more intensive use of learning devices in schools with the supervision of the teachers. We are at the preliminary stage of looking at the experiences of these few schools.
So, that is why, going forward, we will have to see what type of screen time for what purpose, what amount and what age.
Mr Speaker: Dr Lim Wee Kiak. Please just ask your supplementary question.
Dr Lim Wee Kiak (Sembawang): Yes, a quick one. Will MOE take a look at the impact of this episode on students, especially those who had all the data wiped out, and the outcome of their examinations? Will their examination results be moderated according to this incident?
Mr Chan Chun Sing: The answer is yes, but I want to put in context the scale of the issue.
I think I have shared how many students are involved – it is not as if all the students lost everything. The students actually do have access to various resources and so forth. So, at the local school level, where it is not national examinations, we have made the local adjustments according to the school's circumstances and needs. I think my school leaders have done that.
At the national level, for national examinations, the number of students where we need to make special adjustments because some of their work in preparation for the particular subject was done in the iPad, the numbers were less than 60.
Mr Speaker: Ms Hazel Poa.
Ms Hazel Poa (Non-Constituency Member): I would like to ask the Minister whether there are any learning points from this episode with respect to the service provider assessment process?
Mr Chan Chun Sing: Mr Speaker, Sir, yes, there are various learning points. When we contract for software as a service, we all know that there will be certain risks involved when we subscribe to any of these software as a service. So, that is a given.
In the selection process, I think one of the things in any agency, government or commercial, that we must be conscious of is that we can make a choice between two extremes. One is to subscribe to a service that is generally available but not customised. It may not meet your needs but it may be more accessible. The other one is that you can try to make it much more customised according to your needs but you require a unique solution.
Somewhere between these two, you must find that balance because both sides have risks, whether you use a widely accessible software as a service solution, which has its pluses and minuses – you can change and evolve much faster because the subscriber base is much bigger, but you may not have all the services you require. If you go for customised service, you might not have all the services and the updates as quickly as you want because it is much more customised, according to your needs. So, somewhere between these two, we must always find the balance, according to the different risk profiles and the different needs.
Mr Speaker: Last supplementary question. Mr Dennis Tan.
Mr Dennis Tan Lip Fong (Hougang): Thank you, Speaker. May I ask the Minister whether there was any vulnerability assessment and penetration testing carried out on the app prior to the deployment of the app, whether such testing was carried out regularly before the April incident? And moving forward, will MOE ensure that such testing should be carried out on a regular basis for such apps?
Mr Chan Chun Sing: Mr Speaker, Sir, the answer is yes. I have said in my answer that depending on the security level of the different systems, we have different tiers of vulnerability testing regularly.
12.31 pm
Mr Speaker: Order. End of Question Time. The Clerk will now read the Orders of the day.
[Pursuant to Standing Order No 22(3), provided that Members had not asked for questions standing in their names to be postponed to a later Sitting day or withdrawn, written answers to questions not reached by the end of Question Time are reproduced in the Appendix.]