If you have been following the news lately.
You might have seen numerous reports of data breaches, where malicious actors steal a company/organisation’s customer data for their ends.
Just a few days ago, The Straits Times reported that about 330,000 Starbucks Singapore customers’ data was leaked and sold online for just $3,500.
Also, who can forget MyRepublic, who were ordered to pay a small $60,000 fine for failing to safeguard the personal data of about 79,388 Singaporeans and Permanent Residents (PRs).
More egregiously for the MyRepublic case, scanned copies of National Registration Identity Card (NRICs) and work pass cards were stolen.
But to be fair, MyRepublic and Starbucks are not the only black sheep, as numerous companies and organisations in Singapore have had their databases breached.
So much so that according to cyber security company Group-IB, Singapore is now ranked sixth in the world for having the most databases exposed to the internet that malicious actors could effortlessly hack and exploit.
The company’s study found that Singapore had 5,882 databases exposed in 2021, which is not surprising, to say the least.
As a consumer, you might think these companies and organisations are too lax with our data.
Here’s what you need to know about the whole data breach situation in Singapore, as well as tips on how to protect your data!
TL;DR: Data Leaks in Singapore and What You Can Do About It + Top 3 Data Breaches & More
Here is a non-exhaustive list of some of the notable data breaches in Singapore:
| Company & Source | Number of Consumers Affected | Type of Data Leaked | Fine Amount | Date of Data Leak |
|---|---|---|---|---|
| Integrated Health Information Systems (IHiS) & SingHealth¹ | 1.5 million patients | Names, IC numbers, addresses, gender, race & dates of birth | S$1 million (IHiS S$750,000 + SingHealth S$250,000) | Jun - Jul 2018 |
| Grab² | 21,541 drivers & passengers | Profile pictures, names & vehicle plate numbers | S$10,000 | Aug 2019 |
| ST Logistics³ | 2,400 Mindef & SAF personnel | Full names and NRIC numbers & a combination of contact numbers, email addresses or residential addresses | S$8,000 | Dec 2019 |
| HMI Institute of Health Sciences³ | 110,080 customers (SAF servicemen, HMI staff etc.) | Full names, NRIC numbers, dates of birth, home addresses & email addresses | S$35,000 | |
| RedDoorz⁴ | 5.9 million customer records | Names, contact numbers, email address, date of birth, hashed passwords & their booking information | S$74,000 | Sep 2020 |
| GeniusU⁵ | 1.2 million users' personal data | First and last names, e-mail addresses, location information and last sign-in IP addresses | S$35,000 | Jan 2021 |
| MyRepublic⁶ | 79,388 users | Scanned copies of both sides of NRICs, workpasses & proof of residential addresses | S$60,000 | Aug 2021 |
| Sources: ¹https://www.straitstimes.com/singapore/singapores-privacy-watchdog-fines-ihis-750000-singhealth-250000-for-data-breach ²https://www.straitstimes.com/tech/grab-fined-10000-for-fourth-data-privacy-breach-in-two-years ³https://www.todayonline.com/singapore/2-firms-fined-s43000-total-over-personal-data-breaches-affecting-mindef-saf-personnel ⁴https://www.businesstimes.com.sg/garage/data-breach-at-reddoorz-hit-6m-customers-hospitality-platform-fined-s74000 ⁵https://tnp.straitstimes.com/lifestyle/tech/edu-tech-firm-geniusu-fined-35000-data-leak-affecting-126m-users ⁶https://www.channelnewsasia.com/singapore/myrepublic-data-breach-nric-personal-information-2168531 |
||||
Click to Teleport
- What Is a Data Breach?
- Personal Data Protection Commission (PPDC) Explained
- Cyber Breach Costs: Exploring the Cost of Data Breaches in Singapore
- What Can Consumers Do To Protect Against a PPDA Breach or Cyber Breach
- Report PPDA Breach in Singapore
- Increase in Financial Penalties for PDPA Breaches
What Is a Data Breach? What is Considered a Data Breach?
Put simply, a data breach occurs when any data is removed or stolen from the system without the system owner knowing or authorising it.
Personal Data Protection Commission (PPDC) Explained
In Singapore, any matters surrounding data breaches are governed by the Personal Data Protection Commission (PPDC) which ‘serves as Singapore’s main authority in matters relating to personal data protection and represents the Singapore Government internationally on data protection related issues.’
Cyber Breach Costs: Exploring the Cost of Data Breaches in Singapore
So if you look at the table above, you would have noticed that except for the fine imposed on SingHealth and IHiS by the Personal Data Protection Commission (PDPC) the fines are paltry compared to these companies and organisations with their millions in revenue as seen in their annual reports.
In other words, if the penalty for data breaches is just a fine, it becomes a business expense for these companies and organisations.
But that’s just on the surface.
According to the latest IBM Cost of a Data Breach Report 2022, data breaches cost much more than just the fines.
To produce the report, the company surveyed 550 businesses across 17 countries (including Singapore) affected by data breaches and found that the cost of data breaches is soaring.
This report surveyed ASEAN businesses in Singapore, Malaysia, Indonesia, Thailand, the Philippines, and Vietnam. IBM found that in these six ASEAN countries, the average cost of these data breaches for businesses was US$2.87 million (S$4.04 million) in 2022.
What’s more, damming for consumers was that six out of 10 of these surveyed organisations raised the prices of their goods and services after they suffered a data breach. In other words, these organisations are passing on the cost of a data breach to their consumers.
Not to mention that on a personal level, data breaches are bad for individuals as cybercriminals can use the personally identifiable information stolen from data breaches and conduct financial fraud and scams. As such, victims have to live with the threat of financial losses hanging over their heads or may have their personal safety compromised as well.
What Can Consumers Do To Protect Against a Personal Data (PPDA) Breach or Cyber Breach
To be frank, there is very little consumers can do to protect their personal data once they have entrusted their data over to companies and organisations.
This is the trade-off you have to accept when handing over this data. So do be careful and weigh if the services provided for the data are worth your security risk.
However, there are things you should do if you find out that you are a data breach victim.
The Cyber Security Agency of Singapore (CSA) recommends that you enact the following measures:
Cybersecurity Measures for Individuals to Manage Devices and Online Presence
- Change your passwords regularly and change them immediately if your account could have been affected by a reported data breach. Use a strong password of at least 12 characters, including upper case, lower case, numbers and/or special characters.
- Avoid using the same password for different accounts.
- Enable two-factor authentication (2FA), where available.
- Ensure that antivirus software is installed on your device and update it regularly.
- Perform antivirus scans regularly to remove any known malware on your device.
- Enable password protection on data storage devices and lock them up when not in use.
- Limit access to social media accounts. Also, limit sharing of personal information online as threat actors commonly look for and use such personal information to carry out targeted phishing. Review your account privacy settings and permissions, and adjust your privacy settings as appropriate.
- Turn on login alerts, if available. The platform should send you an alert when someone logs into your account from an unrecognised device or browser. Review any unrecognised login sessions immediately for unusual account activities, such as the setting of email forwarding rules to unknown accounts.
- Always be wary of suspicious emails and verify before clicking any links or downloading any attachments, especially if the email comes from an unfamiliar sender.
- Verify a link in an email/SMS by checking the site’s domain name, as it is an indicator of whether the site is legitimate. Users can hover their mouse over the link to ensure that they are being directed to the URL stated.
- Avoid using public Wi-Fi when accessing bank accounts and logging in to websites that require sensitive personal information, such as banking details and login details, as others may spy on the public network and intercept it.
When Performing Online Transactions
- Avoid using public Wi-Fi when accessing bank accounts and logging in to websites that require sensitive personal information, such as banking details and login details, as others may spy on the public network and intercept it.
- Consider designating a single credit card for all online purchases and closely monitor transaction alerts via SMS or email. Individuals may also customise a daily transaction limit to prevent large transactions from occurring if your account were to be compromised.
- Ensure that the website supports a secure payment service. You can verify that the website is legitimate and trustworthy by checking the Secure Sockets Layer (SSL) certificate through the lock icon on your browser’s URL bar. This SSL certificate also enables encryption on the website through Hypertext Transfer Protocol Secure (HTTPS). Users should avoid websites that do not support HTTPS.
In addition, CSA has stated that you may ‘check if their email account details have been leaked in a past data breach by visiting ‘have I been pwned’ (HIBP). Email addresses flagged by the HIBP webpage were exposed during a prior online platform data breach, where the email address was used as a login credential. Although it may not mean that the email account has been compromised, individuals should consider changing to a strong password and enabling 2FA on the account.’
Report PPDA Breach Singapore
In addition, if you have any concerns about data breaches in Singapore, you may head over to this link.
That being said, more is being done on a policy level to protect the data of people in Singapore.
Upcoming Increase in Financial Penalties for PDPA Breaches
On 4 March 2022, the Minister for Communications and Information and Minister-in-Charge of Cybersecurity, Josephine Teo, announced that the Government will increase the maximum financial penalties for data breaches by companies as stipulated under the 2020 amendments to the Personal Data Protection Act 2012 (PPDA).
Before these changes, the maximum amount a company/organisation could be charged for a breach of the provisions of the PPDA was only S$1 million.
But from 1 October 2022, the maximum financial penalty for companies/organisations breaching the PPDA will be increased to:
- S$1 million
- OR up to 10 per cent of a company/organisation’s local annual turnover for companies/organisations with a yearly turnover of more than S$10 million,
whichever is higher.
This is a massive fine for companies as losing 10 per cent of their turnover can be the difference between a loss-making year or a profitable year.
And you can bet that companies will be motivated to take data security much more seriously as a result.
Related Articles
