MOE takes legal action against contractors over Mobile Guardian cybersecurity breach

SINGAPORE: The Ministry of Education (MOE) has taken legal action against “relevant contractors” following a Mobile Guardian cyberattack that affected 13,000 users from 26 secondary schools.
About one in six of the affected users lost some data due to the cybersecurity breach suffered by the device management app, Minister for Education Chan Chun Sing said in parliament on Tuesday (Sep 10).
Less than 5 per cent were unable to recover all their data as their devices had not been backed up before the Aug 4 breach, he added.
Mr Chan was responding to questions raised by Members of Parliament (MPs) about what MOE has done to prevent similar incidents from recurring and about the support given to students.
After the August attack, MOE “embarked on the systematic removal” of Mobile Guardian from all iPads and Chromebooks the next day, said the minister.
MOE said it requires its IT service providers to keep its systems and data safe.
The ministry’s forensic investigations with GovTech and the Cyber Security Agency of Singapore (CSA) into the incident found that there was a new vulnerability in Mobile Guardian’s system that could allow an individual to carry out an attack.
“This is a timely reminder that cyber threats can evolve quickly,” he said.
“While no security test can be entirely exhaustive, MOE expects its contractors to regularly assess and strengthen their systems’ security posture.”
The ministry has decided to stop using Mobile Guardian in all personal learning devices and is currently studying options for an alternative device management app. 
It said it would work towards rolling out the new app by January next year.
On Monday, CNA reported that MOE had terminated its contract with Mobile Guardian and was considering other options. 
Prior to the Aug 4 incident, Mobile Guardian suffered a data breach in April due to poor password management practice. A glitch was also reported in July due to human error.
The 13,000 personal learning devices that were remotely wiped represented about 8 per cent of devices used by the secondary school population.
MOE deployed 300 additional IT engineers and staff to help students, and provided instruction sheets to those who wanted to troubleshoot on their own. All devices were restored for use last month.
Schools provided hardcopy resources and supported students who were emotionally affected, said Mr Chan.
Deadlines were extended and weighted assessments were postponed where needed, he added.
At the school level, adjustments have been made according to the school’s specific circumstances and needs.
For national exams, special adjustments were made for fewer than 60 students because their preparation for a particular subject was done on their iPads.
“Through this episode, it was most heartening to see many of our students step forward and proactively share their personal notes with classmates and organise study sessions to do revision for their tests and exams together,” he said.
Despite the “highly unfortunate” incidents, MOE must embrace technology in teaching and learning so that students will be digitally savvy and able to navigate digital environments.
“All of us can learn from this incident. It is an important reminder for all of us to practice good digital hygiene, including the regular backing up of information,” the minister added.
Mr Chan also responded to a question from MP Tan Wu Meng (PAP-Jurong) about whether MOE is working to ensure that contractors are held to the same standards of cybersecurity that government networks are required to meet.
The attack surface is “wide” and it is not possible to “defend everywhere with the same resources, with the same level of focus”, he said.
“In the military, there’s a saying that if you defend everywhere, you defend nowhere … We will have to prioritise our resources to see where are the most critical areas that we need to defend and invest more resources on them,” he added.
At the national level, critical information infrastructure gets the most resources, and the level of security in other areas would vary depending on the system, said Mr Chan, describing it as a tiered and risk-based approach.
It would not be practical to try to achieve the same level of security for all systems, he said.