Three weeks past the incident on March 12, Employment and Employability Institute (e2i), a job-matching organization from Singapore, notified its customers of a data breach in which the personal details of 30,000 individuals may have been illegally accessed.
E2i is an initiative of the National Trades Union Congress (NTUC), the country’s only trade union confederation. It has a platform that connects employers and workers providing various services like job-matching, skills training, and career guidance.
The data leak happened due to a malware attack that targeted an “appointed third-party vendor,” according to the organization. Personal details of 30,000 individuals in Singapore may have been stolen by bad actors. The job-matching organization notified the third-party vendor about the incident three weeks ago on March 12.
The institute said the relevant authorities had been notified of the breach as well, including the police, Cyber Security Agency’s Singapore Computer Emergency Response Team, and Personal Data Protection Commission (PDPC).
According to the institute, malware had infected the email account of an employee at the third-party vendor i-vic International. Hackers gained unauthorized access to the mailbox and personal data of the affected 30,000 customers. The data included names, contact information, identification numbers, educational qualifications, and employment history.
The company revealed all the affected users had participated in events organized by e2i or used its services between November 2018 and 12 March 2021. The events may have included including job fairs, career coaching, and employability workshops. E2i shared its customers’ personal with appointed vendors for “relevant employability services purposes.”
When explaining why it took more than three weeks to announce the breach, e2i said in a statement on Monday that, given the “complexity” of investigations into the incident, it had “taken time” to assess the impact of the attack.
E2i said jointly with i-vic they determined the extent of the data breach and deployed “mitigation measures” to bolster the security of i-vic’s email and network systems.
“Although the malware did not target at e2i directly, cybersecurity threats are real and the protection of personal data is of top priority to us,” the institute’s CEO Gilbert Tan said in the statement.
The organization promised it would review the cybersecurity standards of its vendors to prevent such breaches in the future.