Probe into Mobile Guardian data breach incident and impact on cybersecurity measures for schools apps

Name and Constituency of Member of Parliament

Dr Tan Wu Meng, Jurong GRC

Question

To ask the Minister for Education (a) what is the respective installed user base of (i) students and (ii) school staff, who are using Mobile Guardian's mobile device management application in schools; (b) whether the user management portal being compromised at the Mobile Guardian overseas headquarters has allowed remote reconfiguration of access privileges on user devices, including microphone and/or camera activation with screen sharing and remote access; and (c) whether the potential vulnerabilities differ across iOS and Android devices.

Name and Constituency of Member of Parliament

Dr Wan Rizal, Jalan Besar GRC

Question

To ask the Minister for Education following the recent data breach involving the Mobile Guardian app (a) what enhanced review and oversight mechanisms is the Ministry implementing to ensure the cybersecurity of apps and technology used in schools; and (b) whether the Ministry is planning any collaboration with cybersecurity experts to routinely assess such measures.

Name and Constituency of Member of Parliament

Assoc Prof Jamus Jerome Lim, Sengkang GRC

Question

To ask the Minister for Education (a) whether the Ministry has been informed of any identifiable lapses in data security practices that resulted in the breach of Mobile Guardian's user management portal that affected 127 schools; (b) whether there are more schools, than the reported 127 schools, that utilise the application; (c) how many parents and students were affected in total; and (d) what actions will the Ministry pursue to hold the external data vendor, and others providing such services, accountable.

Name and Constituency of Member of Parliament

Mr Don Wee, Chua Chu Kang GRC

Question

To ask the Minister for Education (a) how does the Ministry ensure that the personal learning devices that it issues are equipped with the latest security software and are regularly updated to filter out harmful internet content; and (b) how does the Ministry ensure that its IT vendors are adequately certified and trained to conduct the appropriate support and checks.

Name and Constituency of Member of Parliament

Ms Joan Pereira, Tanjong Pagar GRC

Question

To ask the Minister for Education (a) what measures will the Ministry implement to protect the students, parents and teachers in Singapore who are affected by the breach at the Mobile Guardian overseas headquarters from online harm and scams; and (b) how will the Ministry review and strengthen its online systems to reduce the risk of hacking.

Name and Constituency of Member of Parliament

Dr Wan Rizal, Jalan Besar GRC

Question

To ask the Minister for Education in response to the data breach of Mobile Guardian's user management portal (a) what policy changes are being considered for the governance of third-party service providers handling sensitive personal data; and (b) whether he can outline improvements in incident management and response strategies for such future incidents.

Name and Constituency of Member of Parliament

Dr Wan Rizal, Jalan Besar GRC

Question

To ask the Minister for Education how does the Ministry plan to enhance transparency and communication with parents and the public regarding data security measures and handling of data breach incidents for technologies deployed on educational platforms.

Response

1. This response addresses Oral Question Numbers 25 - 27 and Written Question Numbers 28 - 31 filed for 7 May Parliament Sitting.

2. Members have asked MOE about the data breach incident caused by unauthorised access to Mobile Guardian's management portal, how MOE has supported affected parties, and the steps MOE has taken since the incident.

3. Let me first provide some information on Mobile Guardian. Mobile Guardian, or MG for short, is one of two companies engaged by MOE to provide Device Management Application (DMA) solutions on Personal Learning Devices used by students. The DMA helps schools and parents manage students' device use. For example, parents can use the DMA to set screen time limits on their child's personal learning device.

4. The use of MG's DMA for Chromebooks and iPads was decided through an open tender in 2020. The company holds the ISO27001 certification, an internationally recognised standard for information security management systems, and is engaged by over 2,500 schools in over 50 countries worldwide.

5. Let me now talk about MG's management portal, which experienced an incident of unauthorised access. The management portal is used for administrative purposes such as account licensing and providing technical support. The management portal has access to the following information: Name of user, Email address, Time zone, School name and the user role i.e. whether the user is a parent or school staff.

6. MG's management portal does not have the ability to change any configuration on students' personal learning devices. It is also not connected to any MOE or Government IT systems. Hence MOE and Government IT systems have not been compromised.

7. On 12 April, MG received an email that an unauthorised individual had gained access to MG's management portal. This email was considered a phishing email, until MG received a subsequent email on 16 April. In the second email, the individual showed evidence of access to MG's management portal and attempted to solicit money in exchange for keeping silent that the individual had been able to access MG's management portal. MG acted on this second alert, and worked to establish the extent of access and customers affected. This included suspending all administrative accounts that could be used to access MG's management portal.

8. MOE was notified by MG on 17 April late night of this incident, as well as the enhanced security measures implemented by MG on its management portal. MOE learned from MG's preliminary investigations that an unauthorised individual had gained access to a support account on MG's management portal. MG's assessment was that the unauthorised individual could have used the compromised account to view the information of customers based in the United States and Asia Pacific region, including Singapore.

9. CSA and GovTech supported MOE in the investigation of the incident.

10. MG had assessed that the compromised support account was primarily attributed to poor password management practice, and not the result of the unauthorised individual exploiting vulnerabilities in MG's systems.

11. Nevertheless, MOE conducted security checks and found no suspicious activity on MOE's DMA portal nor any indications that MOE's DMA had been compromised.

12. As a proactive measure, MOE decided to communicate with all users whose names and email addresses can be accessed by the MG management portal. These comprised about 67,000 parents and 22,000 school staff across 127 schools. These are parents who had signed up to manage the DMA functions in their child's personal learning device at home, and school staff who use the DMA to manage students' personal learning devices in schools.

13. MOE sent an email to all of them on the evening of 19 April. In the email, we explained to them what the leaked information could be used for so that they can be more prepared if they encounter phishing or scam attempts. We also lodged a police report on this incident.

14. MOE takes a serious view of this incident. Our IT service providers are contractually obligated to take reasonable measures to protect personal data against loss and unauthorised access. MOE has registered our deep dissatisfaction with MG over this incident. We have asked MG to appoint a forensic investigator to evaluate its systems and processes, and provide recommendations to prevent a recurrence. Investigations are ongoing. Appropriate actions will be taken should there be breaches of contractual obligations.

15. To safeguard our IT systems, MOE conducts independent audits and regular cybersecurity testing. We will continue to place emphasis on user education and ongoing vigilance to ensure that our IT systems remain secure.