AGO flags security lapses in Ministry of Manpower’s management of privileged IT account

The Auditor-General’s Office (AGO) has identified lapses in the Ministry of Manpower’s (MOM) management of its most privileged operating system account, raising concerns about potential risks to the security and availability of the employment pass system servers.

AI-Generated Summary
  • AGO audit found inappropriate access rights in MOM’s employment pass system between April 2024 and March 2025.
  • 24 staff and vendors could change passwords, including for the root account, breaching system safeguards.
  • MOM has corrected the lapses, tightened controls, and enhanced reviews of privileged activities.

The Auditor-General’s Office (AGO) has found weaknesses in the Ministry of Manpower’s (MOM) management of a highly privileged operating system account, warning that the lapses could have affected the security of the ministry’s employment pass system.

According to AGO’s Financial Year 2024/25 report released on 9 September 2025, the audit covered MOM’s Work Pass Integrated System–Employment Pass (WINS-EP) between April 2024 and March 2025.

The review highlighted several instances where internal procedures and security safeguards were not properly followed, potentially exposing the servers to unauthorised access.

AGO said that a command granted to system administrators through UNIX OS security software was configured inappropriately.

The command allowed 24 MOM and vendor IT staff to change the password of any account, including the “root” account—the most powerful user account in the system.

This capability, AGO said, posed a security risk as it could have given individuals unrestricted control over all three WINS-EP servers, undermining MOM’s internal security layers.

MOM has since corrected the configurations and updated its internal procedures to prevent such access.

The ministry also confirmed that there was no evidence of unauthorised password changes or misuse of the “root” account.

AGO’s audit further discovered that in two of the three WINS-EP servers, remote access to the “root” account was permitted, contrary to MOM’s own security guide.

The policy mandates that “root” logins should be performed only through the physical server console to minimise exposure to potential external exploits.
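The two configuration findings above map onto checks a defender can script. The page names only "UNIX OS security software", so the example below assumes sudo for the password-change grant and OpenSSH for remote root login; it is an added illustration, not MOM's configuration or AGO's audit tooling, and every config fragment in it is constructed. It shows a passwd rule that matches any argument (so it can reset root's password) beside the restricted form from the sudoers manual, and reads the effective PermitRootLogin value the way sshd does (first occurrence wins).

```python
"""Audit two root-access controls: unrestricted passwd grants and remote root login."""
import re
from dataclasses import dataclass, field

# Constructed sample sudoers fragment (not MOM's real configuration).
# Rule 1: passwd with no argument restriction; in sudoers a command with no
#         arguments matches ANY arguments, so this can reset any account, root included.
# Rule 2: the restricted form from the sudoers manual: any user name, but never
#         root, and never the no-argument form (which would change root's own password).
SAMPLE_SUDOERS = """\
%mom-sysadmins ALL=(root) /usr/bin/passwd
%mom-helpdesk ALL=(root) /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root, !/usr/bin/passwd ""
"""

# Constructed sshd_config fragments: the weak setting and the corrected one.
WEAK_SSHD = "Port 22\nPermitRootLogin yes\nPasswordAuthentication yes\n"
FIXED_SSHD = "Port 22\nPermitRootLogin no\n"

RUNAS_RE = re.compile(r"^\(([^)]*)\)\s*")  # strips the "(root)" run-as spec


@dataclass
class PasswdFinding:
    principal: str
    command: str
    reasons: list = field(default_factory=list)


def _split_command(cmd):
    """Return (negated, path, args) for one sudoers command spec."""
    cmd = cmd.strip()
    negated = cmd.startswith("!")
    if negated:
        cmd = cmd[1:].strip()
    parts = cmd.split(None, 1)
    return negated, parts[0], (parts[1].strip() if len(parts) > 1 else "")


def audit_passwd_grants(sudoers_text):
    """Flag every non-negated passwd grant that could reach the root account."""
    findings = []
    for raw in sudoers_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        principal, spec = line.split("=", 1)
        principal = principal.split()[0]          # "%group ALL" -> "%group"
        cmds = [_split_command(c) for c in RUNAS_RE.sub("", spec.strip()).split(",")]
        denied_args = {args for neg, path, args in cmds if neg and path.endswith("/passwd")}
        for neg, path, args in cmds:
            if neg or not path.endswith("/passwd"):
                continue
            reasons = []
            if args in ("", "*", "ALL"):
                reasons.append("argument list unrestricted: any account, root included")
            if "root" not in denied_args:
                reasons.append("no '!passwd root' exclusion")
            if '""' not in denied_args:
                reasons.append("no-argument form not excluded (would reset root's own password)")
            if reasons:
                findings.append(PasswdFinding(principal, f"{path} {args}".strip(), reasons))
    return findings


def permit_root_login(sshd_config_text, default="prohibit-password"):
    """Effective PermitRootLogin value. sshd honours the FIRST occurrence of a
    keyword; `default` is the modern OpenSSH default (assumed; check your version)."""
    for raw in sshd_config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if parts[0].lower() == "permitrootlogin" and len(parts) > 1:
            return parts[1].strip().lower()
    return default


def root_login_compliant(sshd_config_text):
    """A console-only root policy requires PermitRootLogin no (not the default)."""
    return permit_root_login(sshd_config_text) == "no"


if __name__ == "__main__":
    for f in audit_passwd_grants(SAMPLE_SUDOERS):
        print(f"{f.principal}: {f.command}")
        for r in f.reasons:
            print("   -", r)
    for name, cfg in (("weak", WEAK_SSHD), ("fixed", FIXED_SSHD)):
        print(name, "PermitRootLogin =", permit_root_login(cfg), "compliant:", root_login_compliant(cfg))
```

Two details matter in practice: a sudoers command with no argument list matches any arguments, which is exactly how a "change any password" grant arises, and the OpenSSH default of `prohibit-password` still allows key-based root logins, so a console-only policy needs an explicit `PermitRootLogin no` (and, on systems using pam_securetty, a securetty file listing only the console).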

MOM attributed this to staff oversight and has since restricted all “root” logins to the console.

Independent reviews are now required before any security setting can be altered.

The report also noted that the “root” account had been used for non-emergency tasks between March and October 2024.

These included actions such as deleting user accounts and directories—activities that MOM’s internal policy specifies should not be performed using the “root” account except in emergencies.

Additionally, AGO found that the “root” password was not changed after each use, despite existing rules requiring immediate password renewal following any login.

The audit identified between three and six instances where the same password had been reused across multiple sessions.

MOM told AGO that the actions were neither malicious nor had they compromised the system’s security.

A ministry-wide briefing was held in March 2025 to reinforce adherence to security protocols, reminding staff that “root” access should be reserved for emergencies and that passwords must be changed immediately after use.

AGO also flagged shortcomings in MOM’s review of privileged activities.

Between June and October 2024, MOM reviewed only one type of privileged activity, even though its standard operating procedures required comprehensive checks across multiple categories.

This meant that certain activities—such as editing system files and escalating user privileges—were not independently reviewed during that period.

Such gaps, AGO said, reduced the ministry’s ability to detect possible unauthorised access or misuse of administrative powers.
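The review gap AGO describes, where only one category of privileged activity was checked, is straightforward to detect mechanically: categorise each privileged command from the logs, then compare the categories that actually occurred against those the reviewers covered. The script below is an added example, not MOM's review procedure; the log lines are constructed in the syslog format sudo writes, and the category names and the list of categories an SOP would require are assumptions.

```python
"""Categorise privileged commands from sudo logs and report unreviewed categories."""
import re
from collections import defaultdict
from posixpath import basename

# Constructed sample lines in the format sudo writes to syslog; not from MOM's servers.
SAMPLE_LOG = """\
Mar 12 10:01:22 wins-ep-01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/passwd bob
Mar 12 10:07:05 wins-ep-01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/vi /etc/ssh/sshd_config
Mar 12 11:15:40 wins-ep-02 sudo:    carol : TTY=pts/0 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/sbin/usermod -aG wheel dave
Mar 12 14:30:09 wins-ep-02 sudo:     dave : TTY=pts/2 ; PWD=/home/dave ; USER=root ; COMMAND=/usr/sbin/userdel -r temp01
Mar 12 15:02:51 wins-ep-03 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls /var/log
"""

SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+)\s+:.*?USER=(?P<runas>\S+)\s*;\s*COMMAND=(?P<cmd>.+)$"
)

EDITORS = {"vi", "vim", "nano", "sed", "tee"}
SYSTEM_PREFIXES = ("/etc/", "/usr/", "/boot/")

# Categories an SOP would require to be reviewed (assumed names, not MOM's).
REQUIRED_CATEGORIES = (
    "password change",
    "system file edit",
    "privilege escalation",
    "account or directory deletion",
)


def categorize(cmd):
    """Map one COMMAND= string to a review category (rules are illustrative)."""
    argv = cmd.split()
    prog = basename(argv[0])
    if prog == "passwd":
        return "password change"
    if prog in {"su", "visudo", "usermod", "gpasswd"}:
        return "privilege escalation"
    if prog in EDITORS and any(a.startswith(SYSTEM_PREFIXES) for a in argv[1:]):
        return "system file edit"
    if prog in {"userdel", "rm", "rmdir"}:
        return "account or directory deletion"
    return "other"


def parse_events(log_text):
    """Group (invoking user, run-as user, command) tuples by category."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = SUDO_RE.search(line)
        if not m:
            continue
        events[categorize(m["cmd"])].append((m["user"], m["runas"], m["cmd"].strip()))
    return events


def review_gaps(events, reviewed):
    """Required categories that had activity in the period but were not reviewed."""
    return sorted(c for c in REQUIRED_CATEGORIES if c in events and c not in reviewed)


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    for category, rows in events.items():
        print(f"{category}: {len(rows)} event(s)")
    # Mirrors the finding: only one category reviewed during the period.
    print("unreviewed:", review_gaps(events, reviewed={"password change"}))
```

Run against real logs, the gap list is the evidence an auditor would ask for: which privileged activity categories occurred in the period with no independent review. Feeding it the reviewers' sign-off categories each month turns the SOP requirement into a check that fails loudly instead of silently.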

In response, MOM has expanded its review process to cover all relevant categories of privileged activities.

The ministry also stated that it is introducing stronger oversight mechanisms and ensuring that any changes to access permissions are independently verified.

Cybersecurity experts note that the findings underscore the importance of rigorous access controls in government IT systems.

They add that the “root” account, often described as the digital equivalent of a master key, must be tightly guarded as it grants complete control over servers and data.

Auditors have repeatedly stressed that even in the absence of direct breaches, lax procedures around privileged access create significant risks.

AGO’s report recommended that ministries adopt stronger segregation of duties and regular audits of administrator actions to maintain accountability.

This is the latest in a series of AGO findings highlighting the need for improved IT governance and security discipline within public sector systems.

In its statement following the release of the report, MOM reaffirmed its commitment to maintaining high cybersecurity standards.

It said all recommendations had been accepted and fully implemented, adding that no data breaches or unauthorised activities had occurred.

The ministry added that periodic security reviews would continue, to ensure consistent compliance with IT governance standards.

While AGO found that MOM’s corrective measures were satisfactory, it emphasised that long-term vigilance is essential to prevent recurrence.
