More than 200 court case files have been accessed by a few accused persons without authorisation through the State Courts' online case management system.
Preliminary findings show that they had exploited a loophole in the Integrated Criminal Case Filing and Management System (ICMS), and viewed court documents in e-case files other than their own, said the State Courts in a statement yesterday.
Typically, only accused persons with a valid account can access the ICMS Accused Person access portal to view their case files using SingPass authentication.
The State Courts was first alerted to a possible vulnerability on Nov 1, and discovered that 223 e-case files were accessed by a few accused persons without authorisation. Based on the preliminary investigations, the individuals had accessed the files over the course of this year.
"Immediate steps were taken to fix the vulnerability. The e-case files had not been tampered with, and the integrity of ongoing proceedings was not affected," the State Courts said.
As of Nov 9, the State Courts and its system vendor, Ecquaria Technologies, have implemented additional security measures to enhance user access controls and protect the security and confidentiality of the information in the system, said the statement.
While police investigations are ongoing, criminal lawyer Sunil Sudheesan said the accused persons have likely committed an offence under the Computer Misuse Act.
"It is unfortunate, but the scope of the breach needs to be studied to see what info was taken," said Mr Sunil, head of the criminal department at Quahe Woo & Palmer.
For example, if only the charge sheets were viewed, there would be fewer negative implications for the victims as the information is technically public, said Mr Sunil.
However, there is a possibility that the accused persons might have accessed private medical reports such as psychiatric reports, he noted.
Lawyer Eugene Thuraisingam said that as the data in the system may be deemed "protected", the accused may even face enhanced punishment, which could see them jailed for up to 20 years and fined $100,000.
He noted that while it was comforting that additional safeguards are in place, there should be no further breaches in the system.
"Especially in this digital day and age where data is accessible and can be published and disseminated easily, the importance of securing confidential data should not be overstated - not just the case files in themselves, but also the names, telephone numbers, e-mails, addresses of those involved," he said.