The personal information of about 4,000 people on the Singapore Art Museum's (SAM) online mailing list was compromised recently, said the art museum yesterday.
The names, e-mail addresses, phone numbers and, in some instances, nationalities of these individuals were illegally published on New Zealand-based storage website mega.co. nz for at least two hours on Nov 5 before the webpage containing the data file was taken down.
It is understood that no identity card numbers or credit card details were involved.
Speaking to reporters after a press conference, Mrs Rosa Daniel, deputy secretary (culture) at the Ministry of Culture, Community and Youth and chief executive officer of the National Heritage Board, said: "We take a very serious view of this incident."
She added: "What it has pointed to is for us to be vigilant and take strong measures to secure our information."
On Nov 4, the Infocomm Development Authority (IDA) got wind of a tweet by an individual named "CtrlSalad" who claimed to have "3.6k" e-mail, numbers, names and IP addresses including the Government's. It also provided the link to the mega.co.nz website.
On Nov 5, IDA informed SAM of CtrlSalad's tweet and that its data might have been illegally published and uploaded on an overseas server.
The museum immediately lodged a police report and removed the data file stored on SAM's website.
Another tweet on Nov 5 which might have been deleted said: "Oh I love being me! Should I release the Singapore Database I've been sitting on? Hmmm... in the name of @RaptorSwagger and #TheSwagWagon."
It is not clear whether CtrlSalad is in Singapore or elsewhere but The Swag Wagon appears to be a hackers' group.
Police are working with SAM and the National Heritage Board to investigate the incident, and are not ruling out any possibilities including hacking. The Straits Times understands that police are also questioning those who had access to the compromised data.
Nov 5 was Guy Fawkes' Day, which someone claiming to be from the global hackers' group Anonymous had threatened to mark with cyber attacks on Singapore.
SAM said it was unable to alert the public earlier as investigating agencies needed time to "verify and establish the extent of the incident". The museum began contacting affected individuals yesterday to inform them of the illegally published information. These people had attended SAM's events in 2011 and 2013.
In a copy of its e-mail obtained by The Straits Times, SAM said it "sincerely apologised for what happened" and that it has "taken measures to step up our cyber security to prevent future occurrence of such incidents".
The Straits Times understands SAM has conducted back-end checks to harden systems where possible. Additional safeguards are being put in place, such as more regular vulnerability scanning of servers and applications.
SAM has also removed an online form asking subscribers for their details, and will now have subscribers e-mail them directly. The data will be stored in "more secure data centres".
The compromised data had been stored on a SAM server which runs the museum's website.
"This is a convenient way of storing data but it would be much better if institutions store personal data of customers in a separate server with more layers of defence," said the co-chair of the Cyber Security Awareness Alliance, Ms Shirley Wong.