Data breach alerts in S'pore up on new reporting rules, more cyber threats: Experts

SINGAPORE - The number of data breach alerts Singapore's data protection watchdog received tripled in the February-March period compared with the previous two months.

This comes amid a string of potential personal data leaks reported in recent months.

Legal and information technology security experts said the increase could have been due to a new data breach notification requirement companies must follow from Feb 1, as well as rising cyber-security threats.

The Personal Data Protection Commission (PDPC) told The Straits Times late last month that the February-March breach alerts it received involved organisations such as those from the finance, retail and manufacturing sectors.

The personal data compromised in those cases included names, e-mail addresses, personal identity numbers, financial details, phone numbers and postal addresses.

Experts said the data could be used for attempts to, for instance, take over victims' online accounts to spread malware or transfer money to hackers.

PDPC said "data breaches are often caused by human error as well as malicious activities such as phishing or cyber attacks".

While PDPC was not able to give more details, technology, media and telecoms lawyer Bryan Tan said the rising notifications are in line with the number of data breach cases his firm has seen.

Mr Tan, the cyber response lead for law firm Pinsent Masons Singapore, said his firm typically sees 10 Singapore data breach cases a year.

But from March to April, the firm has already received four cases, double the figure in the same period a year ago.

United States-based cyber risk analytics firm Risk Based Security said while it does not have comprehensive data for Singapore, it still recorded at least three data breaches in the first quarter.

This is already a third of the at least nine cases it logged for Singapore for the whole of last year.

The biggest case Risk Based Security recorded in Singapore for January to March this year was that of furniture retailer V.Hive.

In that data breach, which happened in March, a hacker group claimed to have stolen data of more than 300,000 customers.

Other cases reported in the last three months include those that affected third-party vendors of Singtel, Singapore Airlines and the National Trades Union Congress' Employment and Employability Institute, as well as a breach that hit local security firm Certis.

The Cyber Security Agency of Singapore said that, for now, the Certis and Singtel incidents, as well as one affecting Microsoft Exchange e-mail servers reported in March, have not affected Singapore's critical information infrastructure, like those in the transport and telecoms sectors.

Mr Tan said that the Feb 1 mandatory requirement for companies to report data breaches to PDPC within three days likely helped to push up notifications.

This is similar to the situation in Europe 12 months after the European Union's General Data Protection Regulation, which has breach reporting requirements, came into force in 2018, he noted.

Before Feb 1, it was voluntary for firms to report data breaches here. Now, they must report breaches that pose a significant risk of harm, such as financial or physical harm, or that affect the data of 500 people or more.

"Covid-19 complicates matters as there are now additional risks because people are working from home. So that factor alone means that more breaches will likely happen," added Mr Tan.

Hackers have exploited hastily implemented IT infrastructure and the poor cyber habits of workers with the rapid move to work from home due to Covid-19, said Mr Yeo Siang Tiong, general manager for South-east Asia at cyber-security firm Kaspersky.

His company's products detected and blocked nearly 2.3 million Web threats here in the first quarter, a nearly 263 per cent jump from a year ago, which Mr Yeo said means data breaches will continue to happen.

Mr Kevin Reed, the chief information security officer of cyber-security firm Acronis, also noted that cases of ransomware, which locks up digital files until firms pay hackers, have been rising here too.

For Singapore, the ransomware detection number increased by 45 per cent in the second half of last year compared with the first half.

Firms can soon be fined more for data breaches - up to 10 per cent of their annual turnover in Singapore or $1 million, whichever is higher. The maximum is $1 million now.

The higher fine is slated to take effect at least a year from Feb 1.