Data breaches spike

More cases registered as new reporting rules kick in, say experts who also note a rise in cyber-security threats as hackers exploit work-from-home arrangements

TECH ILLUSTRATION BY MANNY FRANCISCO

The number of data breach alerts received by Singapore's data protection watchdog tripled in the February-March period compared with the previous two months.

This comes amid a string of potential personal data leaks reported in recent months.

Legal and IT security experts said the increase could have been due to a new data breach notification requirement that companies must follow from Feb 1, as well as rising cyber-security threats.

The Personal Data Protection Commission (PDPC) told The Straits Times late last month that the February-March breach alerts it received involved firms such as those from the finance, retail and manufacturing sectors.

The data compromised in those cases included names, e-mail addresses, personal identity numbers, financial details, phone numbers and postal addresses.

Experts said the data could be used for attempts to, for instance, take over victims' online accounts to spread malware or transfer money to hackers.

PDPC said "data breaches are often caused by human error as well as malicious activities such as phishing or cyber attacks".

While PDPC could not give more details, technology, media and telecoms lawyer Bryan Tan said the rising notifications are in line with the number of data breach cases his firm has seen.

Mr Tan, the cyber-response lead for law firm Pinsent Masons Singapore, said his firm typically sees 10 Singapore data breach cases a year.

But from March to April, it has already received four cases, double the figure in the same period a year ago.

United States-based cyber risk analytics firm Risk Based Security said that while it does not have comprehensive data for Singapore, it still recorded at least three data breaches in the first quarter. This is already a third of the at least nine cases it logged for Singapore for the whole of last year.

The biggest case that Risk Based Security recorded in Singapore for January to March involved furniture retailer Vhive. In that breach, which happened in March, a hacker group claimed to have stolen the data of more than 300,000 customers.

Other cases reported in the past three months include those that affected third-party vendors of Singtel, Singapore Airlines and the National Trades Union Congress' Employment and Employability Institute, as well as a breach that hit local security firm Certis.

The Cyber Security Agency of Singapore said that, for now, the Certis and Singtel incidents, as well as one affecting Microsoft Exchange e-mail servers reported in March, have not affected Singapore's critical information infrastructure, like those in the transport and telecoms sectors.

Mr Tan said that the Feb 1 mandatory requirement for companies to report data breaches to PDPC within three days likely helped to push up notifications.

This is similar to the situation in Europe 12 months after the European Union's General Data Protection Regulation, which has breach reporting requirements, came into force in 2018, he noted.

Before Feb 1, it was voluntary for Singapore firms to report data breaches. Now, they must report breaches that pose a significant risk of harm, such as financial or physical harm, or that affect the data of 500 people or more.

"Covid-19 complicates matters as there are now additional risks because people are working from home. So that factor alone means that more breaches will likely happen," added Mr Tan.

Hackers have exploited hastily implemented IT infrastructure and the poor cyber habits of workers with the rapid move to work from home due to Covid-19, said Mr Yeo Siang Tiong, general manager for South-east Asia at cyber-security firm Kaspersky.

His company's products detected and blocked nearly 2.3 million Web threats here in the first quarter, a nearly 263 per cent jump from a year ago, which Mr Yeo said means data breaches will continue to happen.

Mr Kevin Reed, chief information security officer of cyber-security firm Acronis, also noted an increase in cases of ransomware, which locks up digital files until firms pay hackers.

For Singapore, the ransomware detection number rose by 45 per cent in the second half of last year compared with the first half.

Firms can soon be fined more for data breaches - up to 10 per cent of their annual turnover in Singapore or $1 million, whichever is higher. The maximum fine is $1 million now.

The higher fine is slated to take effect at least a year from Feb 1.

A version of this article appeared in the print edition of The Straits Times on May 04, 2021, with the headline 'Data breaches spike'.