Mobile Guardian breaches: MOE takes legal action against contractors; new app expected by Jan 2025
Source: Straits Times
Article Date: 11 Sep 2024
Author: Gabrielle Chan
13,000 learning devices lost data in August cyber attack; new app expected by Jan 2025.
A new application to manage the use of students’ devices is slated to be rolled out by January 2025, after the Ministry of Education (MOE) stopped using the Mobile Guardian app in all students’ iPads and Chromebooks.
Education Minister Chan Chun Sing told Parliament on Sept 10 that legal action has been taken against contractors involved in various incidents related to Mobile Guardian in 2024.
He said his ministry is studying options for an alternative device management application (DMA), and will work towards rolling it out by the new school year.
Mr Chan said that about one in six of the 13,000 affected devices lost some data owing to a cyber-security breach in August. Of the devices that lost data, less than 5 per cent were unable to recover the lost data as it had not been backed up.
Mr Chan said adjustments were made for fewer than 60 students taking national exams, as some of their preparatory work for a particular subject was done on their iPads.
In response to queries from The Straits Times, the Singapore Examinations and Assessment Board (SEAB) said the Mobile Guardian incident affected the coursework of 52 O-level art students.
“Candidates lost parts of their coursework to varying degrees, mainly because their work that was saved in an application for digital art was not backed up,” SEAB said, adding that students can apply for special consideration through their schools.
For students not taking national exams, adjustments were also made according to their schools’ needs, Mr Chan said, responding to supplementary questions by Dr Lim Wee Kiak (Sembawang GRC) on whether the results of affected students’ exams would be moderated.
In response to queries, MOE said it stopped using Mobile Guardian’s services as of end-August 2024. Mobile Guardian is a DMA that helps parents manage their children’s device use by restricting screen time and access to specific websites and apps.
Mr Chan was responding in Parliament to questions from MPs about the recent cyber-security incidents involving Mobile Guardian, and the Education Ministry’s approach to technology for teaching and learning following these incidents.
While waiting for the replacement application to be rolled out, schools have instituted additional processes to ensure devices are safely and responsibly used during school hours, said Mr Chan.
These include activating web filtering on Chromebooks, and giving instructions on the Parents Gateway app for activating Apple’s parental controls on iPad to set screen-time boundaries and restrict access to certain sites.
The first recent incident involving Mobile Guardian occurred on July 30, when more than 1,000 students from at least five secondary schools were affected by a glitch on the app.
This was due to human error in configuration by Mobile Guardian, said Mr Chan, and was separate from the Aug 4 incident where a global cyber-security breach affected 13,000 students from 26 secondary schools here.
The cyber attack remotely wiped out 13,000 school devices, which amounts to approximately 8 per cent of the devices used by secondary schools, said Mr Chan.
To contain the breach, Mobile Guardian immediately shut down its servers and the app was removed from all school devices here on Aug 5.
More than 300 information technology (IT) engineers and staff were sent to affected schools to help students restore their devices. They also provided instruction sheets to students who wanted to troubleshoot their own devices, said Mr Chan.
“Our priority was to help affected students, particularly those sitting... national examinations so that learning and revision could continue,” he said, adding that all the devices were restored for students’ use in August.
While dealing with the impact of the cyber-security breach, schools used hard copies of learning resources and supported students who were emotionally affected by the incident, said Mr Chan, adding that deadlines for assignments were extended and exams postponed where necessary.
Students could also continue to access learning resources on the Singapore Student Learning Space, an online learning portal with resources for students and teachers.
“Through this episode, it was most heartening to see many students step forward and proactively share their personal notes with classmates, and organise study sessions to do revision for their tests and exams together,” said Mr Chan.
Mr Chan also thanked GovTech, the Cyber Security Agency of Singapore, the media and a member of the public who had flagged a potential vulnerability.
On May 30, a member of the public reported a potential vulnerability in the Mobile Guardian application to MOE, whose IT team immediately investigated it on May 31.
Mr Chan said attempts to replicate the vulnerability were not successful.
This was because additional security measures had been implemented after an incident in April 2024, when Mobile Guardian’s user management portal at its headquarters in Surrey, Britain, was hacked owing to poor password management practices.
This led to a data leak involving the names and e-mail addresses of parents and teachers of five primary schools and 122 secondary schools in Singapore.
MOE had then asked Mobile Guardian to appoint an independent forensic investigator to evaluate its systems and processes. The findings showed poor password practices, said Mr Chan, adding that MOE also conducted its own independent forensic test.
On May 31, Mobile Guardian implemented additional security measures such as strengthening authentication controls and fixing vulnerabilities.
Further tests in June confirmed that the vulnerability reported by the member of the public had been fixed, but they also uncovered new vulnerabilities in the app.
However, before these could be fixed, the incidents in July and August occurred, said Mr Chan.
Forensic investigations by GovTech and the Cyber Security Agency of Singapore into the Aug 4 incident found a new vulnerability in Mobile Guardian’s system which could allow an individual to carry out the attack, said Mr Chan.
“While no security test can be entirely exhaustive, MOE expects its contractors to regularly assess and strengthen their systems’ security posture,” he said, adding that the ministry requires all IT service providers to keep systems and data safe.
“In the domain of cyber security, it is not possible for everything to be defended everywhere with the same resources and the same level of focus,” said Mr Chan in response to Dr Tan Wu Meng (Jurong GRC), who asked in a supplementary question if the same cyber-security standards for government networks apply to contractors.
Different levels of security and resources are devoted to different systems, Mr Chan said, and when incidents occur, investigations by contractors and the MOE help identify blind spots to improve overall security.
Mr Chan said these incidents should not discourage the use of technology in education.
“We must embrace edtech in our teaching and learning so that our students grow up to be digitally savvy, able to navigate digital environments and take on the opportunities and challenges of the future,” he said, adding that regular backing up of information should be practised.
Concerns about device usage
Several MPs raised concerns about the DMA itself and how backups are done on students’ devices.
Mr Chan said a significant number of entry attempts to “unsavoury” sites are blocked each month by using such DMAs, which help ensure students’ cyber hygiene and wellness.
DMAs also let parents decide what type of device controls they want for their children, said Mr Chan, in response to Mr Patrick Tay (Pioneer) about whether MOE plans to reinstall DMAs in students’ devices.
“About three-quarters of parents will adopt the baseline default settings,” Mr Chan said. “The other quarter are split between some who want stricter controls and some who want less strict controls.”
Mr Gerald Giam (Aljunied GRC) asked if backups were done by MOE, to which Mr Chan explained that users are responsible for backing up their own devices and systems.
It is not possible for the system to back up individual portions of data all the time, because the individual users would need to decide what they want backed up, Mr Chan added.
He also said students’ screen time will have to be managed as technology, coupled with the best teaching practices, will continue to be used.
“If they use the screen time for educational purposes, are supervised and have constant interactions with adults, I think the effect is quite different from what we have described just now,” he said in response to Mr Christopher De Souza’s (Holland-Bukit Timah GRC) concerns about the dangers of devices for students, including access to gaming and pornography, and over-reliance on screen learning.
Mr Chan added that devices are not issued to primary school pupils, but can be used for educational purposes during group learning in primary schools.
Mr Chan said: “We have a few schools that have embarked on a trial (on) the more intensive use of learning devices in schools with the supervision of the teachers, and we are at the preliminary stage of looking at the experiences of these schools.”
The pilot of this trial, which ran from 2021 to 2022, looked at the impact of the use of devices on pupils’ learning and behaviour and involved five primary schools: Chua Chu Kang, Frontier, Junyuan, River Valley and Yio Chu Kang. It aimed to determine if primary school pupils would benefit from owning personal learning devices.
Mr Chan said his ministry has decided that it will not be issuing personal learning devices to primary school pupils.
Source: Straits Times © SPH Media Limited. Permission required for reproduction.
1580