SINGAPORE - IT vendor Ezynetic has been fined $17,500 for failing to protect its clients’ data, which resulted in more than 190,000 individuals’ personal data being stolen and put for sale on the Dark Web.

Ezynetic had failed to put in place reasonable security arrangements to protect the personal data in its possession or under its control, the Personal Data Protection Commission (PDPC) said on July 3 via a statement on its website.

At the time of the breach, which Ezynetic uncovered on June 24, 2024, the company was operating an IT system linked to the Moneylenders Credit Bureau platform operated by Credit Bureau Singapore.

Enzynetic’s affected clients –

previously identified

as moneylenders Ban King Credit, Credit 21, Lending Bee, Katong Credit, Credit Thirty3, GS Credit, 1AP Capital, Creditmaster, BST Credit, U Credit, Horison Credit and Credit Matters – would input personal data of their prospective loan applicants and borrowers into the money lending system.

This would allow them to verify the applicants’ and borrowers’ loan eligibility, generate MLCB credit reports and profit and loss reports, as well as track loans, instalments, collections and payments.

In a judgment, the PDPC said that investigations found that a threat actor had exploited a vulnerable web service application to gain access and control of Ezynetic’s system administrator account to access the money lending system. After gaining access to the money lending system, the threat actor obtained the personal data of the affected individuals.

The data stolen included a combination of the name, address, e-mail address, telephone number, NRIC number, date of birth and the financial information available in the MLCB credit reports of 190,589 individuals. These individuals were notified of the incident on July 1, 2024.