NTUC's e2i data breach puts 30k individuals' data at risk of exposure

share on

twitter /
facebook /
linkedin /
- email
- telegram
- whatsapp
- wechat
- pinterest
- line
- snapchat
- reddit

NTUC's Employment and Employability Institute (e2i) has been involved in a data breach, putting personal data of approximately 30,000 individuals at risk. The company, which provides skills training and job matching services, said a malware had infected a mailbox belonging to an employee of e2i's appointed third-party vendor, i-vic International on 12 March. The data security incident may have then resulted in an unauthorised access to the affected mailbox that contained personal data of users who have used e2i's services.

The affected individuals are those who had participated in certain e2i’s events or utilised e2i’s services previously from November 2018 until 12 March 2021, e2i said. For instance, they attended a job fair, employability workshop or career coaching. According to the company, the potentially affected personal data may include names, NRIC, contact details, educational qualifications and employment details.

In a statement on its website, e2i said it has worked with the utmost urgency with the vendor to ascertain the nature and extent of personal data that has been potentially affected. The company immediately launched an investigation and reported the breach to the Personal Data Protection Commission and the Singapore Computer Emergency Response Team. The third-party vendor involved in the incident also filed a police report for this incident. Additionally, e2i has followed up immediately with mitigation measures to tighten the security of email and network systems, and will be doing constant checks to monitor closely for any potential vulnerabilities. It will also be reaching out to the potentially affected individuals via email/SMS/phone call as well to inform them about the incident and to provide support on how best to manage the potential risks involved.

Gilbert Tan, CEO of e2i, said: “We are deeply sorry for the anxiety this data incident may bring to our clients. The protection of our clients’ personal data is of utmost importance to us. Though the malware did not target at e2i directly, cybersecurity threats are real and the protection of personal data is of top priority to us." He added that e2i will be doing constant checks on both its systems and its vendors' IT systems. "I would like to assure that e2i’s operations, services and systems remain unaffected and job seekers can continue to seek employment and employability assistance with e2i," Tan said.

e2i is the latest company to be hit by a data breach. Just yesterday, personal data of 533 million Facebook users were found to have been leaked online. The compromised information include Facebook IDs, phone numbers, full names, birth dates, bios, and in some cases email addresses. According to Reuters, which quoted an unidentified leaker, the data is being offered for free. Following the breach, Facebook's director, strategic response communications, Liz Bourgeois, said in a tweet that the leaked data was old and previously reported in 2019. It also fixed the issue in August 2019. Despite the fix, the data seems to have reemerged online.

The breach was discovered by Alon Gal, co-founder and CTO of cybersecurity firm Hudson Rock which works with companies including insurance firm At-Bay. According to Gal, 11,675,894 individuals in Malaysia were impacted, along with 3,073,009 in Singapore, 130,331 in Indonesia, and 2,937,841 in Hong Kong.

Separately earlier last month, Singapore Airlines was also embroiled in a data security incident, which found approximately 580,000 Singapore Airlines' KrisFlyer and PPS programme customers impacted due to a data breach from an external air transport information technology company. In a statement to MARKETING-INTERACTIVE then, a spokesperson from SIA said details such as membership number, tier status and membership names were revealed. Credit card information, passwords, travel itineraries, passport details and email addresses were however not compromised.

share on