SINGAPORE - The theft of the personal data of 1.5 million SingHealth patients has sparked worries of identity theft or fraudulent transactions, but there are "multiple safeguards" to prevent the stolen data from being misused.
The assurance was given by Minister for Communications and Information S. Iswaran in Parliament on Monday (Aug 6).
While he acknowledged the worries, he said: "I would like to emphasise that there are multiple safeguards in place to mitigate such risks, especially for financial transactions and sensitive government e-transactions."
Mr Iswaran, who is also Minister-in-charge of Cyber Security, elaborated on various security measures that are in place to mitigate such risks.
Financial institutions, like banks and insurance companies, do not rely on just personal information to verify customer identity, he said.
He said: "All banks and insurance companies in Singapore already have two-factor authentication (2FA) for online financial services, such as making fund transfers or accessing account details."
This refers to how account holders have to input their Personal Identification Number (PIN) and a one-time-password (OTP), which is received via SMS or a bank's authentication token.
Mr Iswaran said the OTP allows for an additional authentication layer known as "transaction signing", which protects higher-risk transactions such as adding a third-party payee or transferring large sums of money.
He added: "Unless the attacker has access to all authentication information, it would not be possible for fraudulent transactions or identity theft to occur."
All sensitive government electronic transactions have been protected by Singpass 2FA since July 2016, he added.
Mr Iswaran said individuals can also do their part by practising good personal data protection and cyber-security habits.
He said: "They should ensure that their passwords, user IDs and security questions are not based on personal data, use strong passwords, enable 2FA for online transactions, and watch out for fraudulent transactions and suspicious requests for their personal data."
Mr Iswaran added that Singaporeans can contact the Singapore Computer Emergency Response Team to report a cyber-security incident, and the Personal Data Protection Commission to report personal data breaches.