Third-party security breach compromises data of Singapore job-matching service

Job-matching institute e2i says the personal details of 30,000 individuals may have been illegally accessed due to a malware breach that targeted an "appointed third-party vendor", adding that it was notified of the incident three weeks ago on March 12.
Written by Eileen Yu, Senior Contributing Editor

Personal details of 30,000 individuals in Singapore may have been illegally accessed, following a security breach that targeted a third-party vendor of job-matching organisation, Employment and Employability Institute (e2i). It was notified of the incident three weeks ago on March 12. 

It added that the relevant authorities had been notified of the breach, including the police, Personal Data Protection Commission (PDPC), and Cyber Security Agency's Singapore Computer Emergency Response Team.

E2i's platform brings together employers and workers, offering various services that include job-matching, skills training, and career guidance. The institute is an initiative of the National Trades Union Congress (NTUC), the country's only trade union confederation that comprises, amongst others, 59 unions and five associations. NTUC's core committee includes Members of Parliament Koh Poh Koon and Heng Chee How. 

Users affected by the breach had participated in events organised by e2i or used its services between November 2018 and 12 March 2021, including job fairs, employability workshops or career coaching. Their personal data were shared with appointed vendors for "relevant employability services purposes", the institute said. 

E2i did not elaborate on why it took more than three weeks to announce the breach, but said in its statement Monday that it had "taken time" to make an impact assessment given the "complexity" of investigations into the incident. 

It noted that a malware had infected the email account of an employee at the third-party vendor, i-vic International, leading to the unauthorised access of the mailbox, which had personal data of the affected 30,000 individuals. These details included names, identification number, contact information, educational qualifications, and employment history. Affected individuals would be notified via email, SMS, or phone, it added.

E2i said it had worked with i-vic to determine the extent and nature of the data breach, and deployed "mitigation measures" to beef up the security of the latter's email and network systems. E2i added that "constant checks" would be carried out on both its system as well as the third-party vendor's to identify any further potential vulnerabilities. 

"Although the malware did not target at e2i directly, cybersecurity threats are real and the protection of personal data is of top priority to us," the institute's CEO Gilbert Tan said in the statement. 

It added that it would review the "cybersecurity standards of our vendors" to prevent further breaches.

The latest incident was one of several third-party breaches to have impacted local organisations this year, compromising personal data of 580,000 Singapore Airlines' frequent flyer members and 129,000 Singtel customers


Editorial standards