image

Alert! App managing student devices in 127 schools hacked; names and e-mail addresses leaked

The names and e-mail addresses of parents and teachers of 127 primary and secondary schools were leaked after a mobile platform on students’ personal learning devices was hacked, said the Ministry of Education (MOE) on April 19.

Mobile Guardian’s user management portal was compromised at its headquarters by an incident of unauthorised access, which led to the leak of names and e-mail addresses of parents and teachers from five primary schools and 122 secondary schools, said MOE in a statement on its website.

That means about a third of all primary and secondary schools in Singapore were affected by this leak.

The Mobile Guardian app, which is installed on personal learning devices including Chromebook laptops and Apple’s iPad tablets, helps parents manage their children’s device use and restrict specific websites, apps and screen time.

The parents and teachers whose personal information may have been leaked will be notified, said MOE. It added that they should remain vigilant against any phishing e-mails that may be sent to them.

If parents have not received e-mails, it means they have not been affected by the leak, the statement said.

In an e-mail sent to affected parents and seen by The Straits Times, the directors of the MOE Digital Workspace for Schools and Learning Partnership in Educational Technology said the leaked information included the first and last names of parents, their e-mail addresses, the school the students attend, the time zone they are in, as well as whether a person is a parent or a staff member.

According to the e-mail, the five primary schools affected were involved in the pilot on pupils’ use of personal learning devices. MOE said its own device management platform was not compromised and remains available for parents’ use on the students’ ChromeOS or iOS learning devices.

In response to queries, an MOE spokeswoman said those affected by the hack were school staff members with access to device management functions on the app, as well as parents who had signed up to use Mobile Guardian on Chromebook laptops and Apple’s iPad tablets.

Schools using other devices are not affected, and will not be receiving any e-mails linked to the hacking, she said.

MOE, she added, was notified by Mobile Guardian about the leak on April 17, and MOE has lodged a police report. It also expressed its concerns to the device management software firm.

Mobile Guardian – a software company headquartered in Surrey, Britain, with offices in the US and South Africa – has locked down its administrative accounts and is conducting investigations to find out how the leak may have occurred.

In response to queries, Mobile Guardian said in a statement that its investigations found that there was an unauthorised entry into its systems using an administrative account on its management portal.

“The account was immediately suspended and a thorough forensic analysis was initiated to identify any data that may have been accessed,” the statement added.

It added that Mobile Guardian is in touch with MOE and that it apologises for the breach.

In an undated statement on its website, Mobile Guardian said it was alerted on April 12 “via e-mail by the intruder to the unauthorised entry”.

The e-mail was flagged as a spam or a phishing attempt until another alert was received on April 16.

After verifying the nature and credibility of the threat, Mobile Guardian informed its clients. User accounts records in the United States were also accessed in the incident, the statement said.

“Note that no student’s personal data was accessed during the breach,” it added.

Only surface-level data was accessed due to the data management practices it employs, it said. “As such, all passwords are encrypted and are therefore not stored in a readable format, and so have not been compromised.”

However, Mobile Guardian said, due to the nature of the data accessed, there is a “limited risk of fraudulent activity resulting from those users affected”.

It added that it can confirm that no other data has been compromised.

Mobile Guardian said it is working closely with stakeholders to investigate the vulnerabilities that led to the leak, and has put in place further security measures to strengthen its systems and prevent similar incidents in the future.

It was appointed MOE’s official mobile device management services vendor in November 2020.

MOE conducted a study between 2021 and 2022 on the use of personal learning devices in primary schools and pupils’ learning. The pilot involved five primary schools: Chua Chu Kang, Frontier, Junyuan, River Valley and Yio Chu Kang.