The Council for Estate Agencies (CEA) has confirmed a data leak involving the names and NRIC numbers of 3,320 individuals. The incident occurred on 21 January 2025 due to a “technical issue” in its IT system, according to the statutory board’s statement on 26 January.
The disclosure affected individuals who had registered for the March 2024 Real Estate Salesperson or April 2024 Real Estate Agency examinations.
CEA clarified in response to media queries that no contact details, such as phone numbers or email addresses, were exposed during the incident.
CEA discovered the breach on 22 January at 11.21 am and acted immediately to contain the issue. The data had been sent to 18 unintended recipients, comprising property agents, former property agents, and previous examination candidates. The agency confirmed that these recipients have since deleted the email and its contents without forwarding or using the information.
In response to the breach, CEA disabled the affected system function and initiated a full investigation. Preliminary findings indicate that the data leak was an isolated incident. The agency has since secured the compromised system and taken recovery measures to prevent further risks.
“We take data privacy seriously and sincerely apologise for this lapse,” the agency stated. “We are committed to strengthening our internal processes to ensure the safeguard of privacy and security of data entrusted to us.”
CEA has also written to all affected individuals, informing them of the breach and its follow-up actions. The agency urged anyone who suspects misuse of their personal data to contact them immediately. It also emphasised its commitment to acting firmly against any attempts at data misuse or impersonation.
As part of its response, CEA is working closely with its IT vendor to review and enhance its systems and processes to avoid a recurrence.
The agency has assured the public that it remains committed to protecting personal data and will take all necessary steps to uphold this responsibility. The incident highlights the importance of robust data security practices, particularly in organisations handling sensitive information.
This development underscores the need for continued vigilance in safeguarding personal data and addressing vulnerabilities in IT systems.
