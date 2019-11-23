For four months, a folder containing personal information, such as contact details and examination results, of 6,541 people was inadvertently attached to e-mail messages sent by the Singapore Accountancy Commission (SAC).

Individuals who had their data breached included past and current candidates for the Singapore Chartered Accountant (CA) Qualification, personnel of accredited training organisations, and other people involved in the administration of the Singapore CA Qualification programme before May 17, said the SAC in a statement yesterday.

The e-mail messages, which were on administrative matters, were sent to 41 people in 21 accredited training organisations and one vendor. The information disclosed included names, NRIC numbers, dates of birth, contact details, education and employment information, and Singapore Chartered Accountant Qualification examination results.

Those affected were informed of the leak yesterday.

The breach, which occurred between June 12 and Oct 22, was discovered on Nov 7, after the commission implemented a new data protection filter recommended by the Public Sector Data Security Review Committee.

After discovering the incident, the commission contacted all 22 organisations on Nov 11 and requested that they delete the data folder and determine if the recipients of the folder had forwarded it to other people.

In its statement, SAC said all 22 organisations confirmed that the data folder and any forwarded data had been deleted.

It said: "The SAC takes a serious view of this incident, and deeply regrets this mistake. The SAC will set up a panel to review the incident and make any necessary recommendations."

The panel will be chaired by SAC chairman Chaly Mah, and comprise members of the SAC board, the Smart Nation and Digital Government Office, and the Public Service Division.

The Personal Data Protection Commission (PDPC), which serves as Singapore's main authority in matters relating to personal data protection, told The Straits Times it has been notified and is looking into the matter.

According to Ms Anne Petterd, a technology lawyer at Baker McKenzie Wong & Leow who specialises in data protection, a person who suffers loss or damage due to a data breach has the right to seek damages.

"However, an affected individual would need to wait until the PDPC's enforcement process has concluded," she said.

Mr Yeo Siang Tiong, general manager for South-east Asia at cybersecurity firm Kaspersky, said that the incident is "evidence that everyone should beef up our efforts towards protecting and handling such confidential data".

He added: "As Singapore progresses to become a highly digital nation, we recommend companies and organisations look into comprehensive training for their workforce to avoid such incidents in the future."