Ezynetic Breach Exposes 190,000 Records: Lessons Every SaaS Vendor Must Learn

On 24–26 June 2024, the Personal Data Protection Commission (PDPC) discovered that Ezynetic Pte Ltd, a Software‑as‑a‑Service (SaaS) vendor for licensed moneylenders, had suffered a ransomware attack compromising servers storing personal loan applicant data. Approximately 190,589 individuals had their personal data stolen and listed for sale on the dark web following unauthorised access to Ezynetic’s systems.

Ezynetic admitted to inadequacies under Section 24 of the Personal Data Protection Act (PDPA), including weak password policies and the absence of periodic vulnerability or penetration testing. The PDPC imposed a hefty fine of S$17,500 and directed the company to obtain Cyber Trustmark certification. This incident highlights how rapidly cyber threats can materialise when critical protection obligations are neglected, even by those providing services to financial institutions.

The case of Ezynetic: A deep dive into what went wrong

Ezynetic’s moneylending system was integrated via APIs with the Moneylenders Credit Bureau (MLCB), enabling moneylenders to share and validate borrower data. The threat actor exploited a vulnerable web service, elevated privileges using a poorly secured system administrator (SA) account, deleted vital databases, and exfiltrated personal data.

Among the compromised information were names, NRIC numbers, email addresses, telephone numbers, dates of birth, and financial records, all of which are highly sensitive data that could easily be used for identity theft. This incident starkly illustrates how even a single vulnerable account or unpatched service can lead to systemic data exposure, with far-reaching consequences for individuals.

Investigations revealed that Ezynetic had neglected basic security practices: the SA account remained active with a weak password like “p@ssword1” and had no multi-factor authentication, and no vulnerability assessments or penetration tests were ever conducted.

These failures reflected disregard for PDPA Section 24(a), which obliges organisations to implement reasonable security measures such as strong passwords, access restrictions, and regular testing. For a SaaS provider handling sensitive data, these lapses were especially egregious and raised significant concerns over vendor cybersecurity standards in financial services.

Impact on affected individuals and institutions

The Ministry of Law (MinLaw) confirmed the breach’s widespread impact on borrower data belonging to 12 licensed moneylenders, affecting nearly 128,000 clients. While Ezynetic did not host the MLCB platform itself, its role as an intermediary made it a critical cybersecurity boundary. The disclosure of sensitive personal and financial data on the dark web poses long-term risks, leaving affected individuals susceptible to phishing, identity theft, and financial fraud. Moreover, licensed moneylenders now face reputational damage and may struggle to regain borrower trust.

Ezynetic’s transparency, admission of fault, and prompt notification of affected parties on 1 July 2024 met regulatory expectations. They also illustrate the importance of rapid incident response. However, compliance with regulations post-breach does not absolve organisations from having neglected their responsibilities in implementing preventative measures. The PDPC’s decision emphasises that reactive steps do not replace the need for proactive cybersecurity and data protection strategies prior to actual data breaches.

Regulatory response: Enforcement and follow‑through

Applying the Expedited Decision Procedure under PDPA Section 50(1), the PDPC accepted Ezynetic’s admissions and facts, issuing a preliminary S$17,500 fine, reflecting both the severity of the breach and the company’s relative cooperation. The organisation was also ordered to procure CSA’s Cyber Trustmark certification for its new infrastructure. This dual focus (financial penalty plus mandatory certification) reinforces both punitive and remedial elements of regulation.

In assessing the fine, the PDPC considered mitigating factors: Ezynetic’s cooperation, admission of liability, and first-time offence were weighed against its lapses in the technical competence expected of a SaaS provider. Yet, the Commission made clear that technical shortcomings at the provider level cannot be overlooked, because clients rely upon service providers to secure their systems. Ezynetic’s case serves as a precedent and a warning to all third-party vendors interfacing with sensitive financial data.

Lessons for organisations and the broader ecosystem

Firstly, strong password policies and identity controls cannot be optional. Ezynetic’s use of an SA account with a weak default password and no rotation is a textbook example of poor access management. For any organisation, especially SaaS vendors, password management and role-based access control must be enforced rigorously.
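To make the first lesson concrete, here is an added example (not code from the article or from Ezynetic) of a password-policy and privileged-account audit. It shows why a plain complexity rule is not a password policy: “p@ssword1” satisfies the usual “8+ characters, three character classes” rule, yet a dictionary check that undoes leet-speak and trailing digits rejects it. The banned-word list, the account fields and the 400-day password age are constructed for the illustration.

```python
import re
from dataclasses import dataclass

# Constructed for this example: a tiny banned-word list and the leet-speak
# substitutions that offline cracking wordlists already account for.
BANNED_BASE_WORDS = {"password", "admin", "welcome", "letmein", "qwerty"}
LEET_MAP = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i",
                          "3": "e", "!": "i", "4": "a", "5": "s"})

def passes_complexity(pw: str) -> bool:
    """The naive rule many policies stop at: 8+ chars, 3 of 4 character classes."""
    classes = [re.search(r"[a-z]", pw), re.search(r"[A-Z]", pw),
               re.search(r"\d", pw), re.search(r"[^A-Za-z0-9]", pw)]
    return len(pw) >= 8 and sum(1 for c in classes if c) >= 3

def is_dictionary_based(pw: str) -> bool:
    """Strip the usual disguises (trailing digits/symbols, leet substitutions)
    and check whether what remains is a banned base word."""
    core = re.sub(r"[\d\W_]+$", "", pw.lower())        # "p@ssword1" -> "p@ssword"
    return core.translate(LEET_MAP) in BANNED_BASE_WORDS  # -> "password"

@dataclass
class Account:
    name: str
    password: str            # checked at password-set time, never read back from storage
    is_admin: bool
    mfa_enabled: bool
    password_age_days: int

def audit_account(acct: Account, max_age_days: int = 90) -> list[str]:
    """Return the policy findings for one account; an empty list means compliant."""
    findings = []
    if not passes_complexity(acct.password):
        findings.append("password fails complexity rule")
    elif is_dictionary_based(acct.password):
        findings.append("password is a disguised dictionary word")
    if acct.is_admin and not acct.mfa_enabled:
        findings.append("privileged account without MFA")
    if acct.password_age_days > max_age_days:
        findings.append(f"password not rotated in {acct.password_age_days} days")
    return findings

if __name__ == "__main__":
    # Constructed account modelled on the SA account described in the decision.
    sa = Account("sa", "p@ssword1", is_admin=True, mfa_enabled=False, password_age_days=400)
    for finding in audit_account(sa):
        print("FINDING:", finding)
```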

Secondly, periodic vulnerability assessments and penetration testing are not simply best practice. They are regulatory expectations under PDPA. Regular and comprehensive security testing helps organisations identify and rectify vulnerabilities before they are exploited by attackers. Ezynetic’s lack of routine assessments left the system vulnerable and exposed.

Thirdly, transparency and incident response planning matter greatly. Ezynetic contained the breach promptly and notified affected individuals swiftly, and these steps were critical to the leniency it received. However, as the PDPC highlighted, responsive action after an incident does not substitute for proactive measures beforehand.

The Ezynetic breach is a vivid reminder that cybersecurity cannot be taken lightly, even or especially by service providers entrusted with sensitive financial data. It highlights fundamental failures in access control, vulnerability management, and incident prevention. Organisations, even small SaaS vendors, must enforce strong password policies, conduct regular testing, and implement layered security architectures, including appointing a qualified DPO, to meet PDPA obligations.

This case also demonstrates that regulatory bodies in Singapore will not hesitate to penalise firms that compromise personal data. The combination of financial penalties and mandated certification underscores that compliance is not optional, but is essential to business continuity and trust.

Moving forward, organisations should use the Ezynetic example as a catalyst for change. Audit your systems, evaluate third-party vendor risk, and implement a comprehensive cybersecurity programme. As cyber threats continue evolving, only continuous vigilance, robust technical controls, and regulatory alignment will safeguard data and maintain trust in Singapore’s digital economy.
