Singapore government web site breached

June 7, 2014

Singapore’s data protection laws are far from comprehensive. Even Singapore’s Personal Data Protection Act, which takes effect on 2 July 2014, will provide inadequate regulation. While it regulates the collection, use, disclosure and care of personal data, government bodies are exempt from its operation. There is no good public policy reason for such a carve-out from privacy regulation. It is completely anomalous given the amount and sensitivity of personal information government agencies would hold about the Singaporean populace, information that the populace must provide to the Government. This can be partly, if not mainly, explained by the fact that scrutiny of government departments of the city state is minimal on any objective view.

Today reports in “1,560 SingPass user accounts breached” and Business Times in “IDA reports breach of SingPass accounts” that more than 1,500 accounts on a Singapore government database may have been accessed without their users’ consent. SingPass users became aware of the interference when they received a SingPass password reset notification letter even though they had not requested a password reset. Such letters normally only arrive after a user has reset their password.

SingPass, or Singapore Personal Access, uses an alphanumeric password which residents create as a single common password for access to 340 government online services from 64 government agencies (see The Straits Times newspaper article). The government response was to state that there was “no evidence to suggest that the SingPass system has been compromised” and to recommend that affected residents visit the GoSafe Online website at www.gosafeonline.sg. The fact that SingPass does not have two-factor authentication is a significant defect. Government sites are just as likely to be of interest to hackers as those of business, more so in some regards. That is particularly so with government portals which allow for full access across a government network.

This is a salient lesson for the Australian MyGov network. If governments of whatever persuasion want to have individuals transfer their dealings with government to an online space, the security needs to be optimal. That means not just adequate firewalls and internet security architecture but also a suitably sophisticated password authentication process and protocols.

 
