Singapore government data security breach raises question of whether government should be exempt from new data protection rules

Out-Law News | 06 Jun 2014 | 9:45 am | 2 min. read

News that more than 1,500 accounts on a Singapore government database may have been accessed without their users' consent is likely to reignite public debate on whether the Singapore government should be exempt from forthcoming data protection rules, a legal expert has said.

Singapore's Infocomm Development Authority (IDA) has learned that a number of SingPass users received a SingPass password reset notification letter, although they had not requested a password reset. Such letters normally only arrive after a user has reset their password.

Preliminary investigations by the IDA found that 1,560 users' identities and passwords had potentially been accessed without the users' permission, the government said.

SingPass, also known as Singapore Personal Access, is an alphanumeric password that Singapore residents can create as a common password for accessing various government online services. A total of 64 government agencies currently use SingPass to allow users to access more than 340 e-services, according to The Straits Times newspaper.

News of the breach comes just weeks before Singapore's Personal Data Protection Act (PDPA), which sets out rules governing the collection, use, disclosure and care of personal data, comes into effect on 2 July. Government bodies are exempt from the PDPA, a matter which has been the subject of some public debate.

Bryan Tan of Pinsent Masons MPillay, the Singapore joint law venture partner of Pinsent Masons, the law firm behind Out-Law.com, said: "The incident re-emphasises that government services are not immune to these scenarios, especially where the government has promoted e-government services, so a lot is riding on the fact that these systems are like the proverbial 'keys to the kingdom'. It will also re-ignite the debate on whether the government's exemption from the PDPA is appropriate."

The IDA told a press conference that it was alerted to the apparent breach by its contractor, locally-based CrimsonLogic. A police report has been lodged and the matter is under investigation.

"Based on IDA’s checks, there is no evidence to suggest that the SingPass system has been compromised," said a government statement. "The passwords of all affected users have been reset and we are in the process of notifying them of this incident."

"Singapore government takes cyber security very seriously. The protection of personal data and the delivery of secure e-services are critical. We will continue to strengthen all government e-services as part of on-going efforts to enhance security," the statement said.

Jacqueline Poh, managing director of the IDA, said: "For every individual this incident underlines the importance of taking personal responsibility for cyber security. The government strongly urges all SingPass users to take the necessary precautions to enhance their cyber security."

Poh said users should ensure that they use strong passwords to access SingPass and all other e-services to which they subscribe.

"Strong passwords contain a combination of numerical figures, capital letters, and are at least eight characters long," said Poh. "Users should also install anti-virus software and update all their software regularly."

The government statement advised consumers to visit the GoSafe Online website at www.gosafeonline.sg in order to learn more about how to protect themselves against cyber threats and how to seek assistance.