School's data breach spooks students

Ex-students from Xinmin Secondary School received a shock yesterday when they found out that their alma mater had suffered a data breach.

Several told The New Paper they received calls from their former school yesterday, informing them that their names and identity card numbers had been leaked on pastebin.com, self-described as "where you can store any text online for easy sharing".

When contacted, the school confirmed the incident, saying it was alerted on Sept 28 this year to a data breach of its students' personal information on the file-sharing website.

It immediately contacted the website to remove the information and filed a police report.

The school also contacted students to advise them against using their IC numbers as passwords.

It declined to reveal how many students were affected, but one former student said she was told that the 2014 cohort was the affected batch.

Another affected student, Mr Lim Li Ping, 19, said he was shocked and scared by the news.

The polytechnic student said: "You never think you would be a victim of such a crime.

"I thought our records were deleted, since we have graduated."

Miss Belynda Hoi, also 19 and a university student, was upset.

"Nobody wants their personal data to be leaked this way, published on a website that I do not even know about," she said.

Others, such as Mr Ching Ming Yang, 19, a full-time national serviceman, were less surprised.

Mr Ching said: "I expected something like this to happen since data breaches are so prevalent in this day and age."

MISUSE

But he is still worried about the misuse of his information.

Just this month, the Personal Data Protection Commission outlined laws to tighten the collection of IC numbers, citing concerns that indiscriminate collection of such data might be used for illegal activities.

Xinmin's incident comes less than two months after a website for an art competition by Meridian Secondary School was hacked.

Separately and earlier this year, news emerged that the National University of Singapore (NUS) had suffered a breach a year ago that leaked the particulars of 143 student volunteers.

The leaks, including the latest one, raise the question of whether schools are prepared for Singapore's push to be a smart nation.

Mr Clement Lee, principal consulting security architect for cyber security firm Check Point Software Technologies, said: "Most attackers will not target schools because there is usually no money to be made, but of course this is still a concerning issue."

He suggested that the relevant authorities can push through rules and regulations, such as mandatory firewalls and encryption, to ensure that systems are better protected.

In a response to queries from TNP, the Ministry of Education said it has "stepped up efforts to work with schools and ensure that their security measures continue to be effective".

Although Xinmin Secondary School told students that their leaked particulars were taken down in a day, Mr Ching is sceptical.

He said: "Nothing can be removed from the Internet once it is out there."