The personal data of about 70,000 people in Singapore has been exposed after a government test system that was meant to contain anonymised data used real information instead.
The names, NRIC numbers and past property addresses of the affected individuals have been accessed by unauthorised users who found their way into the test system at the Singapore Land Authority (SLA).
In an announcement today, the government agency said investigations are underway after it was notified of the cybersecurity incident by IBM.
The American technology giant manages the cloud environment used for the development and testing of the Singapore Titles Automated Registration System (STARS) and eLodgment System (ELS).
The affected dataset was created as far back as 1998 and it was updated periodically over the years, according to the SLA.
It was intended to contain only mock and anonymised data based on property ownership and lodgement records. However, it was later found to contain the real information of an estimated 70,000 people.
It is unclear how the test system was exposed, but IBM has revoked access to the affected testing environment to prevent any other unauthorised access. The testing environment is separate from SLA’s operational systems, which are not affected.
“There is no connection or compromise to the live systems used for operations of STARS, ELS or any other SLA systems,” the SLA said. “Property ownership and lodgement records in STARS and ELS remain secure and unaffected.”
Despite being a target for hackers, Singapore has largely avoided high-profile cybersecurity incidents since the personal data of 1.5 million people was stolen in 2018.
However, the complexity and fast deployments of today’s digital infrastructure make it difficult to continuously protect against many attacks.
Of late, hackers using AI tools have also been able to find vulnerabilities more quickly, possibly weaponising such loopholes within hours or even minutes, before defenders can respond, Singapore’s Cyber Security Agency warned this week.
Apologising for the concern and inconvenience caused by the latest incident, SLA says it has identified the individuals whose information was contained in the affected dataset.
It has also begun notifying them and advising them on how they can seek further information and assistance.
