Largest data breach in Singapore to date

Largest data breach in Singapore IPHub Asia

Cyber transactions have increased immensely in recent years. In parallel, this has increased the risk of a data breach for users. Businesses commonly collect and store their customers’ personal data such as names, e-mail addresses, mobile phone numbers, credit card details, identification numbers and other personal details, which put that confidential and sensitive information at high risk of being exposed and stolen by hackers. Such stolen personal data may be sold on the dark web and used by unauthorized parties.

A data breach is difficult to avoid and it can happen due to a number of reasons, like malicious attacks (such as hacking and scamming), human error, computer system glitches, etc. To protect personal data in Singapore, the government has enacted the Personal Data Protection Act 2012 (PDPA), which regulates the collection, use, disclosure and care of personal data. Furthermore, the Personal Data Protection Commission (PDPC) was established in 2013 to promote and enforce personal data protection. 

Despite putting in place various preventive measures, and Singapore’s reputation as one of the safest countries in the world, it is not immune to a data breach. In fact, multiple major data breaches have occurred in the past years:

2013Hackers naming themselves ‘Anonymous’ attacked the webpage of the People’s Action Party (PAP), a political party in Singapore, and leaked government employees’ personal information.
About 1500 SingPass accounts were accessed by third parties by fraudulently requesting SingPass holders to reset their passwords.
2014Personal information of 317,000 customers was exposed in the data breach involving karaoke chain K Box Entertainment Group, including names, contact numbers and residential addresses.
2016Personal information of 380,000 users was exposed when Uber was hacked. The exposed information included names, e-mail addresses and mobile phone numbers of the users.
2017In the worldwide cyberattack of the WannaCry ransomware, hackers encrypted files in computers running on the Microsoft Office operating system and prevented users from accessing it. The hackers then demanded a payment in Bitcoin to release the decrypted data. This attack affected about 500 IP addresses in Singapore.
2018It was reported that the personal data of 1.5 million healthcare patients was exposed when hackers attacked and gained access to SingHealth’s database, making this the largest data breach reported in Singapore. Non-medical personal details of 1.5 million patients who visited SingHealth’s specialist outpatient clinics and polyclinics between 1st May 2015 and 4th July 2018, such as name, national identification number, address, gender, race, and date of birth, had been accessed and copied. In addition, the medical data of about 160,000 patients was compromised. The hackers appear to have gained access to the data by compromising a SingHealth workstation with malware, after which they were able to access the patient database. The breach was first noticed on 4th July 2018. Due to this data breach, the Personal Data Protection Commission (“PDPC”) subsequently imposed a penalty of SGD 1 million in total against SingHealth and their data intermediary, Integrated Health Information Systems Pte Ltd (IHiS).
2019The personal information of more than 800,000 blood-donors was leaked online due to a loophole in the system of the Health Sciences Authority (HSA).
2019Personal data of about 2,400 Ministry of Defence and Singapore Armed Forces personnel was leaked due to email phishing activities involving malicious malware. In addition, the data of 120,000 individuals was found to be affected by ransomware in early December 2019. The data was stored in a server of a vendor that provided healthcare training to the Singapore Armed Forces.
2019Usernames and passwords of accounts related to the Ministry of Health, Ministry of Education, Singapore Police and the National University of Singapore, as well as the details of more than 19,000 compromised payment cards from banks, were stolen and sold on the dark web by hackers. Among the leaked email addresses, around 50,000 of them were government e-mail addresses. However, about 50,000 of the leaked email addresses were either outdated or bogus addresses, except for 119 of them which are still being used. Meanwhile, the payment cards’ information was valued at more than $600,000. It was reported that the above information was not leaked from the government systems, but due to the use of the login information for personal online sign-ups, like marketing promotions.

How to mitigate the risk of personal data being stolen

Unfortunately, users cannot know that their identity has been stolen until the damage has been done. This being said, there are a few steps we can take to minimize the risk of personal data being stolen:

–          Being more vigilant and cautious in protecting our online identities

This includes learning about the sites’ privacy policies before submitting our sensitive information and being more cautious when granting access to our social media account towards third party providers, such as games, quizzes, etc.

–          Creating unique user names and strong passwords

Create a strong password that is between 15-20 characters long, contains a mix of upper and lowercase letters, and includes numbers or symbols. Such passwords are hard to guess and this is always recommended as the first protection for your online accounts.

–          Keeping our security software, applications and operating systems up to date Hackers can access devices with outdated systems more easily. Hence, it is important to ensure that our anti-virus software, operating systems and applications are always up to date.

–          Being more cautious of what we post on social media and checking social media privacy settings

Social media is a great way to connect with friends and family in this global world. However, there are numerous reports that social media has been used to collect a huge amount of data about its users, either for identity theft or home burglary. Thus, it is always a good idea to check the sites’ policies and terms of use.

–          Avoiding using public Wi-Fi, if possible

Public Wi-Fi connections are very useful to keep us connected in this smartphone and Internet era. However, unsecured Wi-Fi networks can be used to spread malware, which grants access to the user’s device, including all information stored therein.

At IPHub Asia, we understand the value of your data and we can help you obtain protection for what is registrable. Do get in touch for more details or visit our website to know more about our services.

Inge is an Indonesian native and is fluent in English and Indonesian. She was born and raised in Jakarta, Indonesia, and she lived in Singapore for several years before moving to Los Angeles, where she currently resides. Travelling and hiking are two of her favorite holiday activities. She also enjoys trying out different kinds of cuisines and experimenting with new recipes in her free time.

Related Posts



We are here to guide you through the trademark application process.

Click below to chat on WhatsApp and get the ball rolling.

× How can we help you?