The Ministry of Law (MinLaw) has confirmed a data breach involving the borrower data of 12 licensed moneylenders (LMLs) using the services of Ezynetic Pte Ltd (Ezynetic), a third-party IT vendor they engaged.

According to the press release on Jul. 25, data was leaked after Ezynetic’s system, which is not hosted on or linked to the Government’s network, was accessed by a malicious actor.

The data contains personal identifiable information belonging to an estimated 128,000 clients of the 12 LMLs.

According to MinLaw, the 12 LMLs whose data was compromised are:

• Ban King Credit (S) Pte Ltd
• Credit 21 Pte Ltd
• Lending Bee Pte Ltd
• Katong Credit Pte Ltd
• Credit Thirty3 Pte Ltd
• GS Credit Pte Ltd
• 1AP Capital Pte Ltd
• Creditmaster Pte Ltd
• BST Credit Pte Ltd
• U Credit (Pte) Ltd
• Horison Credit Pte Ltd
• Credit Matters Pte Ltd

The data of another eight LMLs who use Ezynetic’s services was not affected, MinLaw said.

MinLaw stated that the 12 LMLs and Ezynetic have made reports to the Police, the Cyber Security Agency of Singapore (CSA) and the Personal Data Protection Commission (PDPC).

The LMLs have also begun notifying their borrowers of the breach and have reminded them to stay vigilant against possible phishing scams, MinLaw added.

What's leaked

Mothership has seen some of the leaked documents, which include borrower credit reports.

Each of these reports has the full personal details of the borrower, the person's employment, income, loan status and payment history.

Containment measures

In a statement on Jul. 25, the Credit Bureau (Singapore) Pte Ltd (CBS), which is the designated credit bureau that operates the Moneylenders Credit Bureau (MLCB) platform, said it "promptly initiated an investigation" once it was alerted of the alleged data leak.

CBS said it "ascertained that the MLCB has not been compromised".

CBS said concerned consumers can reach out to its MLCB hotline at +65 6335 5897 or [email protected].

As a containment measure, MinLaw said that CBS has restricted access to the platform for all 20 LMLs served by Ezynetic.

MLCB’s online functions remain fully available to the other 133 LMLs in Singapore. Borrowers with queries may reach out to their respective LMLs for more information.

MinLaw said:

"MinLaw as regulator of LMLs takes a serious view of the data breach. The LMLs have a duty to protect any information in its possession or control.

This includes information residing on their third-party vendor systems."

MinLaw is investigating the matter with CSA and PDPC and is in close contact with CBS to support affected LMLs’ business recovery efforts.

Top photos from MinLaw Facebook & Canva