Cyber Incident Victim: Ezynetic
Date:
Jun 2024
Location:
Singapore
Summary
A cybersecurity breach at third-party IT vendor Ezynetic compromised personal identifiable information of approximately 128,000 borrowers from multiple licensed moneylenders in Singapore. The incident affected twelve moneylenders utilizing Ezynetic's services, though the compromised system was unrelated to government networks. Credit Bureau Singapore restricted platform access for all twenty client firms as a precaution but confirmed its central repository remained secure, countering claims by hacker group GhostR of breaching the bureau. The affected moneylenders notified customers of potential phishing risks, while Ezynetic and the lenders reported the incident to law enforcement and cybersecurity authorities.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On July 25, 2024, Singapore’s Ministry of Law disclosed a data breach affecting approximately 128,000 borrowers linked to 12 licensed moneylenders. The incident stemmed from unauthorized access to systems operated by Ezynetic, a third-party IT vendor hosting personal identifiable information for these lenders. Compromised data included borrower details stored within Ezynetic’s infrastructure, which was neither hosted on nor connected to government networks. The breach impacted Ban King Credit, Credit 21, Lending Bee, Katong Credit, Credit Thirty3, GS Credit, 1AP Capital, Creditmaster, BST Credit, U Credit, Horison Credit, and Credit Matters, representing 12 of the 20 licensed moneylender firms utilizing Ezynetic’s services. While the exact intrusion timeline wasn’t specified, media reports referenced June 14 as the date when hacker group GhostR allegedly obtained data, though these claims were later contested. The Ministry confirmed affected moneylenders initiated borrower notifications, advising vigilance against phishing scams. Ezynetic and all 20 client firms filed reports with Singapore police, the Cyber Security Agency of Singapore (CSA), and the Personal Data Protection Commission (PDPC).
Credit Bureau Singapore (CBS) implemented containment measures by restricting all 20 Ezynetic-linked moneylenders’ access to the Moneylenders Credit Bureau platform—a central repository for borrower loan and repayment records—to prevent further exploitation. CBS separately refuted media assertions that its central platform was compromised, clarifying that only Ezynetic’s third-party systems were breached and confirming the integrity of its own database. The Ministry of Law emphasized licensed moneylenders’ obligation to protect borrower data regardless of its storage location, underscoring the seriousness of the incident. CBS established a dedicated hotline and email channel for concerned customers while maintaining that no data residing directly within its systems was accessed. No technical specifics regarding the attack vector, duration of unauthorized access, or data exfiltration methods were disclosed by authorities or involved entities in the available reports.