Cyber Incident Victim: i-vic International
Date:
Nov 2018
Location:
Singapore
Summary
A malware infection in a third-party vendor's employee email account led to unauthorized access compromising personal data of approximately 30,000 individuals affiliated with a Singaporean job-matching service. The breach exposed names, national identification numbers, contact details, educational qualifications, and employment histories of participants who engaged with the organization’s events or services over an extended period. The affected entity collaborated with the vendor to assess the incident’s scope, implement enhanced security measures for email and network systems, and conduct ongoing vulnerability checks. Authorities including law enforcement and data protection agencies were notified, while impacted individuals received direct notifications. The organization emphasized reviewing vendor cybersecurity standards to mitigate future risks despite the attack not directly targeting its infrastructure.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
The security breach impacting Singapore's Employment and Employability Institute (e2i) was disclosed on April 5, 2021, following e2i's notification on March 12, 2021, that a third-party vendor's systems had been compromised. The incident involved unauthorized access to personal data of approximately 30,000 individuals who had participated in e2i events or used its services between November 2018 and March 12, 2021. Affected activities included job fairs, employability workshops, and career coaching sessions organized by the government-linked job-matching institute. The breach originated from a malware infection in the email account of an employee at i-vic International, a vendor contracted by e2i to process personal data for employability services. This compromise enabled attackers to access the mailbox containing sensitive information such as full names, national identification numbers, contact details, educational qualifications, and employment histories.
e2i reported the incident to Singaporean authorities including the police, Personal Data Protection Commission (PDPC), and Cyber Security Agency's Singapore Computer Emergency Response Team (SingCERT). The organization collaborated with i-vic to conduct forensic investigations, which determined the malware's impact scope and led to enhanced security measures for the vendor's email and network systems. e2i acknowledged a three-week delay in public disclosure, attributing this to the complexity of assessing the breach's impact across systems containing data spanning over two years. Mitigation efforts included implementing constant security checks on both e2i's and i-vic's infrastructure to identify vulnerabilities. Affected individuals received notifications through email, SMS, or phone calls. e2i CEO Gilbert Tan emphasized the incident underscored persistent cybersecurity threats despite the malware not directly targeting e2i's systems, prompting a planned review of all vendor cybersecurity standards to prevent future breaches.