As the world becomes increasingly digitised, cyber attacks have become a major concern for individuals and organisations alike. 1 in 3 Singaporean organisations have experienced a data breach, resulting in losses of up to $1.3 million. With the rise of cybercrime and the potential consequences of a data breach, it is crucial for businesses to take proactive steps to protect themselves and their customers from the different types of cyber attacks.

In this article, we will explore 10 major recent data breaches in Singapore news so you can use them as case studies to learn how these data breaches happened and how to prevent them.


What are Data Breaches?

Data breaches are incidents when sensitive or confidential information gets leaked or accessed by an unauthorised individual or group. This information typically consists of personal data such as names, addresses and identification numbers. In more serious cases, it can also include login credentials and even financial data such as credit card or bank account numbers.

Data breaches can occur due to a variety of reasons, including human error, system vulnerabilities, or malicious attacks by hackers. In recent years, data breaches have become a major concern for businesses as they can result in significant financial losses, damage to reputation, and even legal consequences.


What is the Personal Data Protection Commission (PDPC)?

The Personal Data Protection Commission (PDPC) is a statutory body in Singapore that is responsible for enforcing the Personal Data Protection Act (PDPA). The PDPC oversees personal data protection in Singapore and ensures responsible and ethical data practices. Businesses must report a data breach to the PDPC, and the statutory body has the power to investigate and enact punishments for any data breaches.


SingHealth logo

#1 SingHealth Data Breach

In 2018, SingHealth was hit by a cyber attack resulting in the theft of personal data from 1.5 million SingHealth patients. Taking place between 27 June and 4 July 2018, the attackers targeted SingHealth’s database containing patient records such as names, addresses and NRICs. They also obtained outpatient medication prescription records, most notably the prescriptions for Prime Minister Lee Hsien Loong.

In response, Singapore’s Smart Nation Plans were paused and a Committee of Inquiry (COI) was formed to conduct an external review of the data breach incident. Their investigations found that a SingHealth front-end workstation was infected with malware that enabled the hackers to access the database.

News Article: Personal info of 1.5m SingHealth patients, including PM Lee, stolen in Singapore’s worst cyber attack
Date of breach: Jun – Jul 2018
No of victims: 1.5 million
Causes of breach: Lapses by employees and malware in front-end workstation
Consequence of breach: Integrated Health Information Systems (IHiS) and SingHealth fined $750,000 and $250,000 respectively by PDPC


Singtel logo

#2 Singtel Data Breach

Personal information of 130,000 customers was stolen after Singtel’s third-party internal file sharing system Accellion was attacked by hackers. The stolen data included names, billing addresses, mobile numbers, dates of birth and NRIC numbers.

The breach was caused by a cyber attack exploiting an unknown vulnerability in the system. Once Singtel confirmed the breach, they appointed a global data and information service to provide identity monitoring services for affected customers.

News Article: Nearly 130,000 Singtel customers’ personal information, including NRIC details, stolen in data breach
Date of breach: 17 Feb 2021
No of victims: 130,000
Causes of breach: Third-party file system hacked
Consequence of breach: 6 months of complimentary identity theft protection and credit monitoring service for all affected customers


Ninjavan logo

#3 Ninja Logistics Data Breach

In 2020, Singaporean logistics companies, Ninja Van and Ninja Logistics, were found to have breached the Personal Data Protection Act (PDPA) by failing to implement reasonable security measures to protect the personal data of their customers. As a result, the Personal Data Protection Commission (PDPC) imposed a fine of $90,000 on the companies. The data breach occurred when a customer service officer accidentally attached an unencrypted file containing the personal data of 1,146 individuals in an email. The data breach incident highlights the importance of implementing robust data protection measures and conducting regular training and audits to ensure compliance with the PDPA.

News Article: Ninja Van fined $90,000 for data breaches
Date of breach: 2016 to 2018
No of ppl affected: 1.26 million
Causes of breach: Failed to implement tracking code expiry
Consequence of breach: Fined $90,000 by PDPC


Starhub logo

#4 StarHub Data Leak

In a routine security check, StarHub’s cybersecurity team discovered an illegally uploaded file containing the personal data of its customers on a third-party data dump website. The file contained more than 57,000 StarHub customers’ names, addresses and mobile phone numbers.

Although there were no further details on what caused the leak or how the document was uploaded onto a third-party website, this data breach incident highlighted the need for routine cybersecurity monitoring. In response to the leak, StarHub offered free identity theft protection and credit monitoring services for all its affected customers.

News Article: More than 57,000 StarHub customers’ personal data leaked
Date of breach: 6 July 2021
No of victims: 57,191
Causes of breach: Unknown
Consequence of breach: 6 months of complimentary identity theft protection and credit monitoring service for all affected customers


Sephora logo

#5 Sephora Data Breach

In 2019, Sephora announced that the personal data of its customers had been breached, exposing customers’ names, email addresses, and passwords to unauthorised third parties. The data breach was associated with a database serving Southeast Asia, Hong Kong, Australian and New Zealand customers who used the company’s online services. While it was not known how many customers were affected by the breach, Sephora engaged experts to investigate the data breach incident, conducted a review of its security systems and offered free personal data monitoring services for its customers.

News Article: Sephora customers’ data breached, names, e-mail addresses and passwords exposed
Date of breach: 29 July 2019
No of victims: Not specified
Causes of breach: Unknown
Consequence of breach: Reset existing passwords for all customer accounts and offered free personal data monitoring services to all customers


ST Logistics logo

#6 ST Logistics and HMI Institute of Health Sciences Data Breach

Following two data breach incidents in 2019, the personal data of thousands of personnel from the Ministry of Defence (Mindef) and the Singapore Armed Forces (SAF) were leaked. Both breaches were caused by malware on third-party vendor systems from ST Logistics and the HMI Institute of Health Sciences respectively. The data affected included names, NRIC numbers, residential addresses, email addresses and telephone numbers.

For ST Logistics, some of their employees fell for a phishing attack involving malicious malware sent to email accounts, while HMI Institute discovered that their file server containing the names and NRIC numbers of SAF servicemen was encrypted by ransomware.

News Article: 2 firms fined S$43,000 in total over personal data breaches affecting Mindef
Date of breach: October 2019 (ST Logistics), Dec 2019 (HMI Institute)
No of victims: 2,400 (ST Logistics), 98,000 (HMI Institute)
Causes of breach: Phishing attack (ST Logistics), Ransomware (HMI Institute)
Consequence of breach: Fined $8,000 (ST Logistics) and $35,000 (HMI Institute) by the PDPC


#7 HIV Registry Data Breach

The personal data of 14,200 Singaporean patients with HIV were leaked online when American fraudster Mikhy Farrera-Brochez gained access to the data through his partner Ler Teck Siang. The latter was a Singaporean doctor who was head of the Ministry of Health’s (MOH) National Public Health Unit and had access to the HIV Registry for this work.

The confidential data included patients’ names, NRIC numbers, contact details and medical information. Farrera-Brochez leaked the data online once he was deported from Singapore in 2018 along with threats to release more data. Singaporean authorities worked with foreign law enforcement to apprehend Ferrera-Brochez, and he was eventually found guilty and sentenced to a jail term of two-years. His partner Ler was also sentenced to 2 years jail for abetting Ferrera-Brochez and providing false information to the police and MOH.

This data breach incident highlights the risks associated with authorised personnel when sensitive information is involved, and the importance of education to ensure that personnel are aware of the responsibility and potential penalties when handling confidential data.

News Article: Data of 14,200 people with HIV leaked online by US fraudster
Date of breach: 22 Jan 2019
No of victims: 14,200
Causes of breach: Third-party access to confidential data through authorised personnel
Consequence of breach: 2 years jail for perpetrators


RedDoorz logo

#8 RedDoorz Data Breach

In what is widely regarded as the largest data breach in Singapore’s history, the personal data of over 5.9 million customers were stolen from hotel booking site RedDoorz. The leaked data included customers’ names, contact details, account passwords and booking details of the platform’s customers, most of which were from South-east Asia. The data was reportedly put up for sale on a hacker forum before it was taken down.

RedDoorz’s website operator, Commeasure, found out about the breach after an American cyber-security firm alerted the company. In preliminary investigations, it was found that hackers likely accessed RedDoorz’s database hosted on Amazon cloud after obtaining an Amazon Web Services access key. The key was embedded in Android application package (APK) created by Commeasure in 2015 and publicly available for download from the Google Play store, despite Amazon Web Service’s advice not to embed access keys directly into code.

Commeasure wrongly also labeled the access key in the APK as a “test key” and the APK was eventually regarded as defunct by the company, however, the app could still be downloaded from Google Play. Since the APK was considered defunct, it was left out when Commeasure engaged a cyber-security company to conduct a security review and tests from September to December 2019. At the same time, a security tool that could have prevented the hackers from getting the access key was also not used on the APK since it was considered defunct.

Concluding its investigations, the PDPC stated that had the company examined this APK or the access key, the data breach could have been prevented. Further stating that Commeasure’s negligence to include the APK in its inventory of IT assets led to the key being missed despite periodic security reviews. As a result of the data breach, Commeasure was fined $74,000 and had to inform affected customers to change their account passwords as a precaution.

News Article: Data of 5.9m customers of RedDoorz hotel booking site leaked
Date of breach: Sep 2020
No of victims: 5.9 million
Causes of breach: Hackers accessed a company database key stored in the APK of a defunct app that could still be downloaded from Google Play store
Consequence of breach: Local website operator Commeasure fined $74,000 by the PDPC


Grab logo

#9 Grab Data Breach

In 2021, Grab was involved in its fourth data privacy breach in two years. The data breach incident involved a software update that inadvertently caused a vulnerability in the Grab passenger app that allowed unauthorised access to personal data, exposing profile pictures, vehicle plate numbers, names and phone numbers of passengers and drivers as well as pick up and drop off location and times.

Once the breach was discovered, Grab rolled back the app to the version prior to the update, notified its affected drivers and reported the incident to the PDPC. To prevent recurrence, the company introduced more robust processes in its IT environment testing, along with updated governance procedures and a review of its legacy application and source codes. However, due to a history of multiple lapses and given that Grab’s business involves processing large volumes of personal data, the PDPC meted out a fine of $10,000.

News Article: Grab fined $10,000 for fourth data privacy breach in S’pore in two years
Date of breach: Aug 2019
No of victims: 21,541
Causes of breach: Patch vulnerability
Consequence of breach: Fined $10,000 by the PDPC


MyRepublic logo

#10 MyRepublic Data Breach

In 2021, MyRepublic reported a data breach that affected 79,388 mobile subscribers, in which an unauthorised party had gained access to customer data, including names, NRIC numbers, and mobile numbers. MyRepublic stated that the data breach incident took place on a third-party data storage platform used to store the personal data of its mobile customers.

Although there was no indication that any other personal data such as account or payment information was affected, and there was no evidence that any personal data was misused, the PDPC launched an investigation and fined the company $60,000.

As a result of the breach, MyRepublic contacted customers who were affected to provide them with a complimentary credit monitoring service through Credit Bureau Singapore.

News Article: Personal information of nearly 80,000 MyRepublic customers accessed after data storage breach
Date of breach: Aug 2021
No of victims: 79,388
Causes of breach: Unauthorised data access on third-party data storage platform
Consequence of breach: Fined $60,000 by the PDPC


Protect Yourself and Your Business From Cyber Threats

Cyber attacks and data breaches in Singapore are not new and are in fact becoming a regular occurrence in recent years. With the increased integration of technology into our personal and professional lives, cyber threats will only continue to grow in complexity and frequency. There is a pressing need for both individuals and organisations to take cybersecurity seriously to protect company data, their customers’ data and adhere to compliance requirements in order to avoid punishments like hefty fines.

FirstCom Academy’s comprehensive cybersecurity course covers topics such as risk management, identifying potential threats, and implementing appropriate safeguards to ensure your organisation has the appropriate cybersecurity policies in place. Our course is designed to provide individuals and businesses with the skills and knowledge needed to protect sensitive data, maintain customer trust, and ensure long-term success.

Benefits of the course include improved earning potential and employability for individuals, while businesses can benefit from increased customer trust and loyalty, as well as proactively mitigating potential cybersecurity threats.

Don’t wait until a data breach happens – be proactive and learn how to mitigate cybersecurity risks. Take the first step in protecting yourself or your business by enrolling in FirstCom Academy’s cybersecurity course today!


Read more: