Alleged hack of MLCB and CBS: Sensitive borrower data appears exposed
Hackers claim to have breached records from the Moneylenders Credit Bureau (MLCB) and Credit Bureau (Singapore), obtaining sensitive data from 324,000 MLCB reports. Gutzy reviewed the leaked data and confirmed its authenticity, but agencies have yet to respond to queries.

A hacker group identifying themselves as GhostR has claimed responsibility for a massive data breach involving the Moneylenders Credit Bureau (MLCB) and Credit Bureau (Singapore) Pte Ltd (CBS).
The breach, which allegedly took place on 14 June 2024, has compromised 54.6GB of data, including 324,362 MLCB reports of individuals in Singapore — locals and foreigners.
MLCB serves as a central repository for borrowers' loan and repayment histories with licensed money lenders in Singapore, and its reports are crucial for assessing creditworthiness and preventing excessive borrowing. It operates under the purview of Singapore's Ministry of Law (MinLaw).
CBS, a subsidiary of SGX-listed Credit Bureau Asia (CBA), operates the MLCB system under the designation of MinLaw.
GhostR stated in an email to The Online Citizen that they had informed MLCB and CBS about the data compromise on 28 June 2024.
The leaked reports contain detailed personal and financial information, including:
- Borrower’s personal information, such as name, ID number, or Unique Entity Number (UEN).
- Loan information, including loan type, tenure, principal loan amount, and total amount payable to the legal money lender.
- Payment and repayment status, listing all outstanding loans and the repayment history of each loan.
- Loan guarantor’s status, reflecting the guarantor or surety’s legal responsibility for any unpaid loans.
Gutzy Asia has reviewed the leaked data and confirmed its authenticity. The exact period the files cover is unknown; according to the leaked files, the data goes back to 2021.
The exposed data could potentially lead to identity theft, fraud, harassment, and other financial crimes, putting affected individuals at substantial risk.
Gutzy has written to the agencies to verify the hack but has not received any confirmation or denial from them as of the time of publishing this article.
If the hack did indeed occur, it is unknown what immediate actions have been taken to mitigate the damage to those whose data has been leaked and to enhance data protection protocols.
In what seems to be a post-event preventive measure, both MLCB and CBS have restricted access to their websites from foreign IP addresses, blocking features for users accessing from outside Singapore.

This article was first published on Gutzy Asia.









