Multiple Singapore lenders data breached and 128k customers exposed in third party breach

A data breach is reported involving the personal information of approximately 128,000 borrowers linked to 12 licensed moneylenders in Singapore. The breach was the result of a cyberattack on Ezynetic, a third-party IT vendor that provided services to moneylenders.

The attack was orchestrated by a hacker group known as GhostR, which claimed to have stolen 54.6 GB of data. GhostR provided proof of their claims by leaking copies of completed loan applications and borrower credit reports.

The breach affected the following licensed moneylenders:

1. Ban King Credit
2. Credit 21
3. Lending Bee
4. Katong Credit
5. Credit Thirty3
6. GS Credit
7. 1AP Capital
8. Creditmaster
9. BST Credit
10. U Credit
11. Horison Credit
12. Credit Matters

The exposed data includes:

• Names
• Identification numbers or Unique Entity Numbers (UEN)
• Loan information (loan type, tenure, principal amount, total payable amount)
• Payment and repayment status
• Employment details
• Income details
• Loan guarantor's status

The affected moneylenders and Ezynetic promptly reported the incident to the Police, the Cyber Security Agency of Singapore (CSA), and the Personal Data Protection Commission (PDPC). They also began notifying the affected borrowers, advising them to be vigilant against potential phishing scams.

Credit Bureau of Singapore (CBS) restricted access to the Moneylenders Credit Bureau (MLCB) platform for all 20 firms using Ezynetic's services, ensuring no further data could be compromised.

GhostR has threatened to release more data if their demands are not met, claiming they have detailed information on 324,362 individuals. They have indicated that negotiations are ongoing with some companies, while others have refused to respond.