Singapore’s Ministry of Law confirms data breach of borrower data

On Thursday, the Singapore Ministry of Law (MinLaw) confirmed a data breach involving borrower data of 12 licensed moneylenders (LMLs) who had engaged Ezynetic Pte Ltd (Ezynetic), a third-party IT vendor.

This confirmation follows a report by hackers identifying themselves as GhostR, who claimed responsibility for the breach involving data managed by the Moneylenders Credit Bureau (MLCB) and Credit Bureau (Singapore) Pte Ltd (CBS).

MLCB serves as a central repository for borrowers’ loan and repayment histories with licensed money lenders in Singapore, and its reports are crucial for assessing creditworthiness and preventing excessive borrowing. CBS, a subsidiary of SGX-listed Credit Bureau Asia (CBA), operates the MLCB system.

GhostR stated in an email that they had informed MLCB and CBS about the data compromise on 28 June 2024.

However, according to GhostR, both organizations failed to respond or negotiate the safety of the sensitive data. In retaliation, GhostR decided to publicly leak the first 10,000 MLCB reports on a popular hacking forum.

The breach, which allegedly took place on 14 June 2024, has compromised 54.6GB of data, including 324,362 MLCB reports of individuals in Singapore.

The leaked reports contain detailed personal and financial information, including:

• Borrower’s personal information, such as name, ID number, or Unique Entity Number (UEN).
• Loan information, including loan type, tenure, principal loan amount, and total amount payable to the legal money lender.
• Payment and repayment status, listing all outstanding loans and the repayment history of each loan.
• Loan guarantor’s status, reflecting the guarantor or surety’s legal responsibility for any unpaid loans.

Gutzy reached out to MLCB and CBS for confirmation and a response to the breach but did not receive any replies.

In what seems to be a post-event preventive measure, both MLCB and CBS have restricted access to their websites from foreign IP addresses, blocking features for users accessing from outside Singapore.

The exposed data could potentially lead to identity theft, fraud, and other financial crimes, putting affected individuals at substantial risk. .

In a press release on Thursday, MinLaw provided details about the breach, confirming that Ezynetic’s system was accessed by a malicious actor, compromising the personal identifiable information of an estimated 128,000 clients of the 12 LMLs.

The 12 LMLs whose data was compromised are:

1. Ban King Credit (S) Pte Ltd,
2. Credit 21 Pte Ltd,
3. Lending Bee Pte Ltd,
4. Katong Credit Pte Ltd,
5. Credit Thirty3 Pte Ltd,
6. GS Credit Pte Ltd,
7. 1AP Capital Pte Ltd,
8. Creditmaster Pte Ltd,
9. BST Credit Pte Ltd,
10. U Credit (Pte) Ltd,
11. Horison Credit Pte Ltd, and
12. Credit Matters Pte Ltd

The data of the remaining 8 LMLs who use Ezynetic’s services was not affected, said the ministry.

MinLaw emphasized that Ezynetic’s system is not hosted on or linked to the Government’s network.

“The 12 LMLs and Ezynetic have made reports to the Police, the Cyber Security Agency of Singapore (CSA), and the Personal Data Protection Commission (PDPC). The LMLs have also begun notifying their borrowers of the breach and have reminded them to stay vigilant against possible phishing scams.”

As a containment measure, CBS has restricted access to the MLCB platform for all 20 LMLs served by Ezynetic.

“MLCB’s online functions remain fully available to the other 133 LMLs in Singapore. Borrowers with queries may reach out to their respective LMLs for more information.”

MinLaw, as the regulator of LMLs, takes a serious view of the data breach and stressed that the LMLs have a duty to protect any information in their possession or control, including information residing on their third-party vendor systems.

“MinLaw is investigating the matter with CSA and PDPC. MinLaw is also in close contact with CBS to support affected LMLs’ business recovery efforts.”