The email addresses and phone numbers of as many as 4,000 people from a data file on the Singapore Art Museum's (SAM) website, was illegally published and uploaded to a New Zealand-based server.
The museum said it was alerted by the Infocomm Development Authority (IDA) on Nov 5 that individual records kept in a data file on SAM's website had been taken without its permission.
It immediately removed the data file and made a police report. IDA also notified the site administrator of the overseas website, who took the information down within two hours. Additional safeguards have since been put in place.
The data file contained the names, email addresses, phone numbers and, in some instances, nationalities, of about 4,000 individuals who had participated in the museum's events in 2011 and 2013.
SAM said it could not announce this earlier as the agencies needed time to verify and establish the extent of the incident. "The investigations are still ongoing, but we believe it is necessary to explain what happened as personal data had been compromised," said the museum in a statement.
It said it has also contacted all the affected individuals and apologised to them.
Dr Susie Lingham, SAM's director, said: "We take this matter very seriously...we are doing everything possible to track down how this happened and prevent any similar future compromise of personal data".