Data Breaches in Singapore and How Consumers Pay the Price



Joel Koh

If you have been following the news lately, you might have seen numerous reports of data breaches, where malicious actors steal a company’s or organisation’s customer data for their own ends.

Just a few days ago, The Straits Times reported that about 330,000 Starbucks Singapore customers’ data was leaked and sold online for just $3,500.

Also, who can forget MyRepublic, which was ordered to pay a small $60,000 fine for failing to safeguard the personal data of about 79,388 Singaporeans and Permanent Residents (PRs)?

More egregiously for the MyRepublic case, scanned copies of National Registration Identity Cards (NRICs) and work pass cards were stolen.

But to be fair, MyRepublic and Starbucks are not the only black sheep, as numerous companies and organisations in Singapore have had their databases breached.

So much so that according to cyber security company Group-IB, Singapore is now ranked sixth in the world for having the most databases exposed to the internet that malicious actors could effortlessly hack and exploit.

The company’s study found that Singapore had 5,882 databases exposed in 2021, which is not surprising, to say the least.

As a consumer, you might think these companies and organisations are too lax with our data.

Here’s what you need to know about the whole data breach situation in Singapore, as well as tips on how to protect your data!

TL;DR: Data Leaks in Singapore and What You Can Do About It + Top 3 Data Breaches & More

Here is a non-exhaustive list of some of the notable data breaches in Singapore:

| Company & Source | Number of Consumers Affected | Type of Data Leaked | Fine Amount | Date of Data Leak |
|---|---|---|---|---|
| Integrated Health Information Systems (IHiS) & SingHealth¹ | 1.5 million patients | Names, IC numbers, addresses, gender, race & dates of birth | S$1 million (IHiS S$750,000 + SingHealth S$250,000) | Jun - Jul 2018 |
| Grab² | 21,541 drivers & passengers | Profile pictures, names & vehicle plate numbers | S$10,000 | Aug 2019 |
| ST Logistics³ | 2,400 Mindef & SAF personnel | Full names and NRIC numbers & a combination of contact numbers, email addresses or residential addresses | S$8,000 | Dec 2019 |
| HMI Institute of Health Sciences³ | 110,080 customers (SAF servicemen, HMI staff etc.) | Full names, NRIC numbers, dates of birth, home addresses & email addresses | S$35,000 | |
| RedDoorz⁴ | 5.9 million customer records | Names, contact numbers, email address, date of birth, hashed passwords & their booking information | S$74,000 | Sep 2020 |
| GeniusU⁵ | 1.2 million users' personal data | First and last names, e-mail addresses, location information and last sign-in IP addresses | S$35,000 | Jan 2021 |
| MyRepublic⁶ | 79,388 users | Scanned copies of both sides of NRICs, workpasses & proof of residential addresses | S$60,000 | Aug 2021 |

What Is a Data Breach? What is Considered a Data Breach?

Put simply, a data breach occurs when any data is removed or stolen from the system without the system owner knowing or authorising it.

Personal Data Protection Commission (PDPC) Explained

In Singapore, any matters surrounding data breaches are governed by the Personal Data Protection Commission (PDPC), which ‘serves as Singapore’s main authority in matters relating to personal data protection and represents the Singapore Government internationally on data protection related issues.’

Cyber Breach Costs: Exploring the Cost of Data Breaches in Singapore

If you look at the table above, you will notice that, except for the fine imposed on SingHealth and IHiS by the Personal Data Protection Commission (PDPC), the fines are paltry next to the millions in revenue these companies and organisations show in their annual reports.

In other words, if the penalty for data breaches is just a fine, it becomes a business expense for these companies and organisations.

But that’s just on the surface.

According to the latest IBM Cost of a Data Breach Report 2022, data breaches cost much more than just the fines.

To produce the report, the company surveyed 550 businesses across 17 countries (including Singapore) affected by data breaches and found that the cost of data breaches is soaring.

This report surveyed ASEAN businesses in Singapore, Malaysia, Indonesia, Thailand, the Philippines, and Vietnam. IBM found that in these six ASEAN countries, the average cost of these data breaches for businesses was US$2.87 million (S$4.04 million) in 2022.

What’s more damning for consumers is that six out of 10 of these surveyed organisations raised the prices of their goods and services after they suffered a data breach. In other words, these organisations are passing on the cost of a data breach to their consumers.

Not to mention that on a personal level, data breaches are bad for individuals, as cybercriminals can use the personally identifiable information stolen in data breaches to conduct financial fraud and scams. As such, victims have to live with the threat of financial losses hanging over their heads, and may have their personal safety compromised as well.

What Can Consumers Do To Protect Against a Personal Data (PDPA) Breach or Cyber Breach

To be frank, there is very little consumers can do to protect their personal data once they have entrusted it to companies and organisations.

This is the trade-off you have to accept when handing over this data. So do be careful and weigh whether the services you get in exchange for the data are worth the security risk.

However, there are things you should do if you find out that you are a data breach victim.

The Cyber Security Agency of Singapore (CSA) recommends that you enact the following measures:

Cybersecurity Measures for Individuals to Manage Devices and Online Presence

  • Change your passwords regularly and change them immediately if your account could have been affected by a reported data breach. Use a strong password of at least 12 characters, including upper case, lower case, numbers and/or special characters.
  • Avoid using the same password for different accounts.
  • Enable two-factor authentication (2FA), where available.
  • Ensure that antivirus software is installed on your device and update it regularly.
  • Perform antivirus scans regularly to remove any known malware on your device.
  • Enable password protection on data storage devices and lock them up when not in use.
  • Limit access to social media accounts. Also, limit sharing of personal information online as threat actors commonly look for and use such personal information to carry out targeted phishing. Review your account privacy settings and permissions, and adjust your privacy settings as appropriate.
  • Turn on login alerts, if available. The platform should send you an alert when someone logs into your account from an unrecognised device or browser. Review any unrecognised login sessions immediately for unusual account activities, such as the setting of email forwarding rules to unknown accounts.
  • Always be wary of suspicious emails and verify before clicking any links or downloading any attachments, especially if the email comes from an unfamiliar sender.
  • Verify a link in an email/SMS by checking the site’s domain name, as it is an indicator of whether the site is legitimate. Users can hover their mouse over the link to ensure that they are being directed to the URL stated.
  • Avoid using public Wi-Fi when accessing bank accounts and logging in to websites that require sensitive personal information, such as banking details and login details, as others may spy on the public network and intercept it.

When Performing Online Transactions

  • Avoid using public Wi-Fi when accessing bank accounts and logging in to websites that require sensitive personal information, such as banking details and login details, as others may spy on the public network and intercept it.
  • Consider designating a single credit card for all online purchases and closely monitor transaction alerts via SMS or email. Individuals may also customise a daily transaction limit to prevent large transactions from occurring if your account were to be compromised.
  • Ensure that the website supports a secure payment service. You can verify that the website is legitimate and trustworthy by checking the Secure Sockets Layer (SSL) certificate through the lock icon on your browser’s URL bar. This SSL certificate also enables encryption on the website through Hypertext Transfer Protocol Secure (HTTPS). Users should avoid websites that do not support HTTPS.

In addition, CSA has stated that you may ‘check if their email account details have been leaked in a past data breach by visiting ‘have I been pwned’ (HIBP). Email addresses flagged by the HIBP webpage were exposed during a prior online platform data breach, where the email address was used as a login credential. Although it may not mean that the email account has been compromised, individuals should consider changing to a strong password and enabling 2FA on the account.’

Report PDPA Breach Singapore

In addition, if you have any concerns about data breaches in Singapore, you may head over to this link.

That being said, more is being done on a policy level to protect the data of people in Singapore.

Upcoming Increase in Financial Penalties for PDPA Breaches

On 4 March 2022, the Minister for Communications and Information and Minister-in-Charge of Cybersecurity, Josephine Teo, announced that the Government will increase the maximum financial penalties for data breaches by companies as stipulated under the 2020 amendments to the Personal Data Protection Act 2012 (PDPA).

Before these changes, the maximum amount a company/organisation could be fined for a breach of the provisions of the PDPA was only S$1 million.

But from 1 October 2022, the maximum financial penalty for companies/organisations breaching the PDPA will be increased to:

  • S$1 million
  • OR up to 10 per cent of a company/organisation’s local annual turnover for companies/organisations with a yearly turnover of more than S$10 million,
    whichever is higher.

This is a massive fine for companies, as losing 10 per cent of their turnover can be the difference between a loss-making year and a profitable year.

And you can bet that companies will be motivated to take data security much more seriously as a result.

About Joel Koh
History student turned writer at Seedly. Before you ask, not a teacher. I hope to help people make better financial decisions and not let money control them.