https://www.straitstimes.com/singapore/credit-reports-among-personal-data-of-190000-breached-put-for-sale-on-dark-web-it-vendor-fined

IT vendor Ezynetic was fined $17,500 for failing to protect its clients’ data.

The clients have had their “personal identifiable information” stolen, said the Ministry of Law in a statement on July 25.

SINGAPORE - IT vendor Ezynetic has been fined $17,500 for failing to protect its clients’ data, which resulted in more than 190,000 individuals’ personal data being stolen and put for sale on the Dark Web.

Ezynetic had failed to put in place reasonable security arrangements to protect the personal data in its possession or under its control, the Personal Data Protection Commission (PDPC) said on July 3 via a statement on its website.

At the time of the breach, which Ezynetic uncovered on June 24, 2024, the company was operating an IT system linked to the Moneylenders Credit Bureau platform operated by Credit Bureau Singapore.

Enzynetic’s affected clients –

previously identified

as moneylenders Ban King Credit, Credit 21, Lending Bee, Katong Credit, Credit Thirty3, GS Credit, 1AP Capital, Creditmaster, BST Credit, U Credit, Horison Credit and Credit Matters – would input personal data of their prospective loan applicants and borrowers into the money lending system.

This would allow them to verify the applicants’ and borrowers’ loan eligibility, generate MLCB credit reports and profit and loss reports, as well as track loans, instalments, collections and payments.

In a judgment, the PDPC said that investigations found that a threat actor had exploited a vulnerable web service application to gain access and control of Ezynetic’s system administrator account to access the money lending system. After gaining access to the money lending system, the threat actor obtained the personal data of the affected individuals.

The data stolen included a combination of the name, address, e-mail address, telephone number, NRIC number, date of birth and the financial information available in the MLCB credit reports of 190,589 individuals. These individuals were notified of the incident on July 1, 2024.

The pavilion ward block that will be retained.

The pavilion ward block that will be retained.

Iran's Supreme Leader Ayatollah Ali Khamenei attends a ceremony to mark Ashura, the holiest day on the Shi'ite Muslim calendar, in Tehran, Iran, July 5, 2025. Office of the Iranian Supreme Leader/WANA (West Asia News Agency)/Handout via REUTERS

Iran's Supreme Leader Ayatollah Ali Khamenei attends a ceremony to mark Ashura, the holiest day on the Shi'ite Muslim calendar, in Tehran, Iran, July 5, 2025. Office of the Iranian Supreme Leader/WANA (West Asia News Agency)/Handout via REUTERS

FILE PHOTO: Elon Musk speaks during a press conference with U.S. President Donald Trump (not pictured), at the White House in Washington, D.C., U.S., May 30, 2025. REUTERS/Nathan Howard/File Photo

FILE PHOTO: Elon Musk speaks during a press conference with U.S. President Donald Trump (not pictured), at the White House in Washington, D.C., U.S., May 30, 2025. REUTERS/Nathan Howard/File Photo

PDPC, which was informed of the incident on June 26, 2024, said its investigations revealed that Ezynetic had failed to disable or adequately secure the system administrator account, which is often targeted by malicious users.