Schools will remove app from students’ Chromebooks and iPads following security breach

Back of Apple iPad Air on dark fabric background

Adam Breeden/ZDNET

A device management app will be removed from Chromebooks and iPads used in Singapore schools after 13,000 students had their data remotely wiped by a cyberattacker. 

The breach was part of a cybersecurity incident that impacted global customers of device management vendor Mobile Guardian, which platform is used to limit access to screen time or restricted apps and websites. 

Singapore’s Ministry of Education (MOE) said it was informed on Sunday night that some students were unable to access data and apps stored on their personal learning devices. These included Apple iPad tablets and Chromebooks. 

Also: 9 top mobile security threats and how you can avoid them

Mobile Guardian then was alerted and, following its investigations, uncovered a breach involving unauthorized access to its platform. The incident affected its clientele worldwide including users in Singapore, MOE said in a statement Monday. 

The ministry added that preliminary checks revealed 13,000 students from 26 secondary schools had their devices remotely wiped by the perpetrator, but there was no indication the students’ files had been illegally accessed.

As a “precautionary measure,” MOE said the Mobile Guardian app will be pulled from all iPads and Chromebooks. “Efforts are underway to safely restore these devices to normal usage,” the ministry said, adding that it also was considering “other mitigating measures” to regulate device usage during this period.

The latest incident follows a recent one last month, during which students in several schools experienced issues connecting to the internet or received error messages. This July incident was due to a human error in configuration by Mobile Guardian, according to MOE. 

Also: Who needs ransomware when a faulty software update can shut down critical infrastructure?

However, the education ministry in April said it was informed of a breach involving unauthorized access to Mobile Guardian’s management portal. The portal was used for administrative purposes, such as providing technical support and account licensing, and had access to various user information, such as school name, time zone, and whether the user was a parent or school staff.  

Names and email addresses of parents and academic staff from five primary and 122 secondary schools were compromised in the security breach, MOE said at the time. It added that a police report was lodged and that Mobile Guardian had implemented additional security measures, such as implementing a lockdown of all its administrative accounts. 

In its reply later in May to parliamentary questions on the security breach, MOE said the Mobile Guardian management portal did not have the ability to change configuration on the students’ devices or connect the ministry’s or other government IT systems. 

Also: Singapore’s guidelines to bolster mobile app security are optional – for now

Mobile Guardian’s device management platform is used by more than 2,500 schools in 50 countries, MOE said, adding that the vendor held an ISO27001 certification, which is an international standard for information security management systems. 

Mobile Guardian in 2020 won MOE’s tender as the appointed vendor of mobile device management services for ChromeOS and iOS devices used in Singapore schools. 

READ MORE HERE