Data of 30,000 who used NTUC's e2i services feared breached
The affected mailbox contained the personal data of about 30,000 people who had used e2i's services.
The personal data of about 30,000 people who have used the services of the National Trades Union Congress' (NTUC) Employment and Employability Institute (e2i) may have been accessed by cyber criminals.
The crooks may have had unauthorised access to people's names, educational qualifications, NRIC numbers and contact and employment details, according to a statement by e2i yesterday.
The institute provides skills training and job matching services.
It said it was alerted to an incident on March 12 in which malware - often distributed via spam e-mail - had infected the mailbox of an employee of an e2i-appointed third-party vendor, contact centre services company i-vic International.
The affected mailbox had the personal data of about 30,000 people who had participated in e2i events, used the institute's services, or both, from November 2018 to March 12 this year. They included people who had attended a job fair or employability workshop, or who had gone for career coaching.
For now, there is no evidence that the data has been misused or leaked, said e2i.
The institute has reported the breach to the Personal Data Protection Commission (PDPC) and the Cyber Security Agency of Singapore's Singapore Computer Emergency Response Team (SingCert), while i-vic International made a police report on March 22.
The PDPC is investigating, while the police are looking into the matter.
On why the incident was not made known earlier, e2i said that "given the complexity of the investigations, it has taken time to make an impact assessment".
The breach comes after recent attacks affecting third-party vendors, such as reports last December that information technology management software provider SolarWinds was targeted by hackers, with about 18,000 customers hit globally.
The Government announced last month that organisations running Singapore's critical information infrastructure, such as telecommunications networks and public transport systems, will be asked to better manage their vendors' cyber-security risks.
In response to the data breach, e2i and i-vic International have taken measures to tighten the security of their e-mail and network systems, and are doing checks to monitor any potential vulnerabilities.
They are contacting potentially affected people through e-mail, SMS and calls to alert them to the incident and provide support.
Those affected should be vigilant against suspicious activities or requests, as well as phishing attempts by cyber criminals to steal sensitive information by impersonating a legitimate organisation, said e2i.
Those who receive a suspicious e-mail, or suspect they have been targeted by a scam, can ring e2i on 6713-5779. They can also file an online report with SingCert.
Mr Gilbert Tan, e2i's chief executive, said the malware did not target e2i directly, but it is checking its IT systems and those of its vendor. He assured the public "that e2i's operations, services and systems remain unaffected, and job seekers can continue to seek employment and employability assistance with e2i".
Source: Straits Times © Singapore Press Holdings Ltd. Permission required for reproduction.