Parliament: SingPass outages traced to 'elusive' software bug in vendor's system, says Janil Puthucheary

The two outages to SingPass last month disrupted hundreds of essential e-government services in what was the longest disruption to SingPass since it was set up in 2003.
The two outages to SingPass last month disrupted hundreds of essential e-government services in what was the longest disruption to SingPass since it was set up in 2003.PHOTO: LIANHE ZAOBAO

SINGAPORE - Investigations showed that a software bug in the server of a vendor was behind the two SingPass outages last month, disrupting hundreds of essential e-government services in what was the longest disruption to SingPass since it was set up in 2003.

This was disclosed by Senior Minister of State for Communications and Information Janil Puthucheary in Parliament on Monday (March 19).

He said the software bug in the system of the vendor, Dutch cyber-security firm Gemalto, manifested itself only after an enhancement to the SingPass and CorpPass system in January this year. CorpPass, used by businesses, was also affected by the outages.

The enhancement complied with all technical specifications and was properly tested, he said. "However, the interaction between the enhancement and the software bug caused some records to persist in the system instead of being automatically removed 30 days after they expired, which was the root cause of the slowdown," he added.

Dr Janil was replying to a question from Dr Tan Wu Meng (Jurong GRC) on the outcome of investigations in the SingPass and CorpPass outages on Feb 8 and 9.

"While the bug itself was elusive, the symptoms - slowdown in system performance - could have been detected earlier," Dr Janil said.

"Our early detection and warning capabilities can be improved. We intend to do so by enhancing the software checks and diagnostics so that in such cases, the engineers can act before the system condition worsens to a state that would affect users."

 

Dr Janil added that while the system had the hardware backup to deal with hardware and infrastructure failure, such redundancy did not address unknown internal software bugs of this nature. "We will review the system design to improve all-round resiliency, beyond just hardware resiliency," he added.

Dr Janil also said the Government is reviewing its contracts with commercial providers to ensure that they adequately cover service outages.

The two outages lasted about 10 hours in total, disrupting hundreds of essential e-government services such as the filing of employees' Central Provident Fund (CPF) contributions and work permit applications. Some Malaysian workers had to return home as their work permit could not be processed. Companies risked fines because they could not file their employees' CPF contributions on time.

Experts have raised concerns that the SingPass authentication systems are not robust enough and could dent the public's trust in the national digital identity system, a key Smart Nation project.

SingPass has more than 3.3 million registered users and supports 57 million e-government transactions, including the filing of income taxes, parking fine payments and foreign domestic worker applications. CorpPass, rolled out in September 2016, is meant for corporate transactions, including the filing of corporate taxes and work permit applications.