
Ezynetic fined $17,500 over massive data breach exposing 190,000 individuals' information


IT service provider Ezynetic has been fined S$17,500 for failing to implement adequate cybersecurity measures, resulting in the theft and online sale of sensitive personal data belonging to more than 190,000 individuals. The Personal Data Protection Commission (PDPC) announced the penalty in a public statement, citing Ezynetic’s breach of its obligations under the Personal Data Protection Act (PDPA).


The breach, uncovered by Ezynetic on June 24, 2024, exposed names, addresses, contact details, NRIC numbers, dates of birth, and financial information of 190,589 individuals. These details, extracted from Moneylenders Credit Bureau (MLCB) credit reports, were subsequently listed for sale on the Dark Web. The affected individuals were notified on July 1, 2024.


At the time of the incident, Ezynetic operated an IT system used by various licensed moneylenders, including Credit 21, Lending Bee, Credit Thirty3, and U Credit, among others. These firms entered loan applicants’ data into Ezynetic’s platform to generate credit reports and manage loan-related processes.


PDPC’s investigation found that a threat actor had exploited a vulnerable web application to gain control of Ezynetic’s system administrator account. This access allowed the attacker to infiltrate the money lending system and exfiltrate large volumes of personal data. Crucially, the administrator account was protected with weak passwords such as “p@ssword1” and “Password@1,” both easily susceptible to brute force attacks.


In addition, Ezynetic had not conducted routine vulnerability assessments or penetration testing, a basic cybersecurity measure especially critical for service providers managing sensitive financial data. The commission concluded that Ezynetic failed to implement reasonable security arrangements to protect data under its control.


In response to the breach, Ezynetic overhauled its entire IT infrastructure, migrated to a cloud-based environment, and engaged with the Cyber Security Agency of Singapore and the Ministry of Law to adopt enhanced cybersecurity protocols. It was also directed by PDPC to obtain the Cyber Trustmark Certification within nine months and report its completion within 14 days thereafter.


Ezynetic had attempted to appeal the fine following PDPC’s preliminary decision issued on December 2, 2024. The company argued for a reduction or waiver, citing ongoing business disruptions, financial burden, and its full cooperation during investigations. However, the PDPC rejected the appeal, stating that investments in remedial measures were part of the firm’s legal obligations and that its cooperation had already been factored into the penalty decision.


The commission emphasized that as a Software-as-a-Service (SaaS) provider, Ezynetic was expected to possess the technical competence necessary to safeguard customer data from evolving cybersecurity threats. If the firm fails to pay the S$17,500 penalty within 30 days from the issuance of the final notice, interest will accrue until the full amount is settled.


© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543