Singapore

Key cybersecurity standards and requirements

Singapore’s cybersecurity legislative framework is made up primarily of the Cybersecurity Act 2018, the Personal Data Protection Act 2012 and the Computer Misuse Act. These statutes are also supplemented by a number of sector-specific regimes implemented by sectoral regulators.

The Cybersecurity Act 2018

The Cybersecurity Act 2018 (CSA) establishes a framework for the protection of critical information infrastructure (CII) against cybersecurity threats, the taking of measures to prevent, manage and respond to cybersecurity threats and incidents in Singapore, and the regulation of providers of licensable cybersecurity services.[2]

CII are computers or computer systems that are necessary for the continuous delivery of an essential service in Singapore. The CSA has identified 11 critical sectors in this regard: energy, info-communications, water, healthcare, banking and finance, security and emergency services, aviation, land transport, maritime, government and media.

Cyberattacks on CII may have profound and debilitating effects on Singapore at large. The CSA establishes a framework for the designation of CII and imposes obligations on the owners of CII to actively protect the CII from cyberattacks.

The CSA also empowers the Commissioner of Cybersecurity to investigate cybersecurity threats and incidents to determine their impact, or potential impact, and prevent further harm or further cybersecurity incidents from arising. These powers may be exercised over any computer or computer systems even if they are not CIIs.

The Personal Data Protection Act 2012

The Personal Data Protection Act 2012 (PDPA) governs the collection, use and disclosure of personal data by organisations. A number of obligations are imposed on organisations under the PDPA. This includes an obligation to protect personal data in its possession or under its control by making reasonable security arrangements to prevent: (1) unauthorised access, collection, use, disclosure, copying, modification or disposal, or similar risks; and (2) the loss of any storage medium or device on which personal data is stored.[3]

The Personal Data Protection Commission (PDPC) is responsible for the administration and enforcement of the PDPA. The PDPC has broad powers of investigation. It is also empowered to give an organisation any direction as it thinks fit to ensure compliance with the data protection obligations under the PDPA. If the PDPC is satisfied that an organisation has breached its data protection obligations under the PDPA, it may require the breaching organisation to pay a financial penalty of up to S$1 million.[4]

The Computer Misuse Act

The Computer Misuse Act (CMA) criminalises certain acts such as the unauthorised access or modification of computer material. This would include acts such as hacking into a server to gain unauthorised access to files stored on the server or accessing an individual’s email account without their consent. Other acts criminalised by the CMA include acts relating to distributed denial-of-service attacks, website defacement and infecting a computer with malware. The CMA has extra-territorial reach and may apply even where the wrongdoer, and the computer targeted by the wrongdoer in the commission of an offence under the CMA, were both outside Singapore at all material times. For example, the offence in question may be dealt with as if it had been committed within Singapore if it causes, or creates a significant risk of, serious harm in Singapore.[5]

Sector-specific frameworks

The CSA, PDPA and CMA are complemented by other sector-specific legislative provisions intended to protect personal data. For example, the Banking Act provides that the unauthorised disclosure of customer information by a bank, or any of its officers, would be an offence under the Act.

Regulators have also put in place sector-specific regimes to supplement legislation to address cybersecurity concerns in this regard. The banking and financial sector and the telecommunications sectors have robust regimes regulated by the Monetary Authority of Singapore (MAS) and the Infocomm Media Development Authority (IMDA) respectively.

The MAS issued its Technology Risk Management Guidelines, which set out technology risk management principles and best practices for the financial sector. They are intended to guide financial institutions in establishing sound and robust technology risk governance and oversight and to maintain cyber resilience. This is in addition to Notices on Cyber Hygiene and Notices on Technology Risk Management that are legally binding on financial institutions.

In the telecommunications sector, the IMDA has issued a Telecommunications Cybersecurity Code of Practice to enhance the cybersecurity preparedness of designated licensees. It is presently imposed on major internet service providers in Singapore for mandatory compliance and its coverage includes their network infrastructure providing internet services in Singapore.

Summary of breach notification rules

Data breach[6] notifications under the PDPA

A mandatory breach notification framework under the PDPA came into force on 1 February 2021. It encompasses three broad steps an organisation should take in this regard:

  • assessing whether a data breach is a notifiable breach;
  • determining time frames for the provision of notifications; and
  • the provision of the notifications.

Organisations may refer to the following for guidance on complying with the data breach notification obligation under the PDPA:

  • Personal Data Protection (Notification of Data Breaches) Regulations 2021;
  • the data breach notification obligation chapter of the Advisory Guidelines on Key Concepts in the PDPA published by the PDPC; and
  • the Guide on Managing and Notifying Data Breaches under the Personal Data Protection Act published by the PDPC.

Assessing whether a data breach is a notifiable data breach

If an organisation has credible grounds to believe that a data breach has occurred, it would be required to take reasonable and expeditious steps to assess whether the data breach is a notifiable breach under the PDPA within 30 calendar days. An organisation will need to notify the PDPC of two classes of data breach under the PDPA.

The first class of notifiable data breaches relates to data breaches that are likely to result in significant harm or impact to the individuals to whom the information relates. Significant harm could include physical, psychological, emotional, economic and financial harm, as well as harm to reputation and other forms of harms that a reasonable person would identify as a possible outcome of a data breach.[7]

To provide certainty to organisations in respect of notifiable data breaches, the Personal Data Protection (Notification of Data Breaches) Regulations 2021 (the Data Breach Notification Regulations 2021) set out specified categories of personal data that are deemed to result in significant harm to affected individuals if compromised in a data breach. Where a data breach involves any of these categories of personal data, the organisation in question must notify the PDPC and the affected individuals of the data breach.

The second class of notifiable data breaches relates to data breaches that are of a significant scale. A data breach is of significant scale if it involves the personal data of 500 or more individuals.[8] An organisation must notify the PDPC of such a data breach even if the data breach does not involve any of the specified categories of personal data under the Data Breach Notification Regulations 2021. If an organisation is unable to determine the actual number of individuals in a data breach before its time frame for notification lapses, the organisation should notify the PDPC when it has reason to believe that the number of affected individuals is at least 500. This may be based on the estimated number from an initial appraisal of the data breach. The organisation may subsequently update the PDPC of the actual number of affected individuals when it is established.[9]

Time frame for the notification of a notifiable data breach

Once an organisation determines that a data breach is a notifiable data breach, the organisation must notify the PDPC as soon as practicable and within three calendar days at the latest and, where required, affected individuals as soon as practicable, at the same time or after notifying the PDPC. These time frames for notification start running from the time at which the organisation determines that the data breach is a notifiable breach. Any unreasonable delays in notification would be a breach of the PDPA. This may attract enforcement action against the organisation by the PDPC.

Exceptions to the requirement to notify affected individuals

The PDPA provides two exceptions to the requirement to notify affected individuals of a notifiable data breach.

The remedial action exception[10]

An organisation would not need to notify affected individuals of a notifiable data breach if it takes any action, in accordance with any prescribed requirements, that renders it unlikely that the notifiable data breach will result in significant harm to the affected individuals.

The technological measure exception[11]

An organisation would not need to notify affected individuals of a notifiable data breach if it had implemented, prior to the occurrence of the data breach, any technological measures that render it unlikely that the notifiable data breach will result in significant harm to the affected individuals. For example, the exception would apply where such technological measures (e.g., encryption or password protection) had been applied to the personal data before the data breach, rendering the personal data inaccessible or unintelligible to an unauthorised party.[12] Whether the measure in fact renders the data unintelligible is the operative question: encrypted data whose decryption key was compromised in the same incident is not protected for this purpose.

It must be borne in mind that these exceptions only apply to the requirement to notify affected individuals; the organisation in question is still required to notify the PDPC of the data breach in accordance with the time frame set out above.
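The assessment, time-frame and exception rules set out above, encoded as an added example (this is not PDPC guidance, nor any organisation's tooling). It assumes the organisation supplies the deemed significant-harm classes from the Schedule to the Data Breach Notification Regulations 2021; the labels `category_a` and `category_b` and the scenarios in `run_examples` are placeholders constructed here for illustration.

```python
"""Walk-through of the PDPA notifiable-breach decision: is the breach
notifiable, who must be told, and by when.

Added example, not PDPC guidance. The "deemed significant harm" class labels
are placeholders; the real list is in the Schedule to the Personal Data
Protection (Notification of Data Breaches) Regulations 2021 and must be
mapped from it by the organisation.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, FrozenSet, List, Optional

ASSESSMENT_WINDOW_DAYS = 30  # assess notifiability within 30 calendar days of credible grounds
PDPC_NOTIFY_DAYS = 3         # notify the PDPC within 3 calendar days of the determination
SCALE_THRESHOLD = 500        # "significant scale": 500 or more individuals


@dataclass(frozen=True)
class Breach:
    aware_on: date                         # date of credible grounds to believe a breach occurred
    data_classes: FrozenSet[str]           # classes of personal data involved
    affected_count: Optional[int] = None   # actual number of individuals, once established
    estimated_count: Optional[int] = None  # initial appraisal while the actual number is unknown
    likely_significant_harm: bool = False  # organisation's own assessment beyond the deemed classes
    protected_before_breach: bool = False  # e.g. encryption applied BEFORE the breach (technological measure exception)
    remediated: bool = False               # post-breach action making significant harm unlikely (remedial action exception)


@dataclass
class Assessment:
    notifiable: bool
    notify_pdpc: bool
    notify_individuals: bool
    assessment_deadline: date        # last day to complete the notifiability assessment
    pdpc_deadline: Optional[date]    # last day to notify the PDPC, once determined
    assessment_overdue: bool         # determination made after the 30-day window
    reasons: List[str] = field(default_factory=list)


def effective_count(b: Breach) -> int:
    """Use the established number; otherwise the initial estimate, as the guide permits."""
    if b.affected_count is not None:
        return b.affected_count
    return b.estimated_count or 0


def assess(b: Breach, deemed_harm_classes: FrozenSet[str],
           determined_on: Optional[date] = None) -> Assessment:
    reasons: List[str] = []
    deemed = b.data_classes & deemed_harm_classes
    harm = bool(deemed) or b.likely_significant_harm
    if deemed:
        reasons.append("deemed significant-harm classes involved: " + ", ".join(sorted(deemed)))
    elif b.likely_significant_harm:
        reasons.append("organisation assesses significant harm as likely")
    count = effective_count(b)
    scale = count >= SCALE_THRESHOLD
    if scale:
        basis = "actual" if b.affected_count is not None else "estimated"
        reasons.append(f"significant scale: {basis} count {count} >= {SCALE_THRESHOLD}")
    notifiable = harm or scale
    # The two exceptions relieve only the duty to notify individuals; the PDPC is
    # still notified. A scale-only breach never triggers individual notification.
    excepted = b.protected_before_breach or b.remediated
    notify_individuals = harm and not excepted
    if harm and excepted:
        reasons.append("individual notification excepted; PDPC notification still required")
    assessment_deadline = b.aware_on + timedelta(days=ASSESSMENT_WINDOW_DAYS)
    pdpc_deadline = None
    overdue = False
    if determined_on is not None:
        overdue = determined_on > assessment_deadline
        if notifiable:
            # The 3-day clock runs from the determination, not from the breach itself.
            pdpc_deadline = determined_on + timedelta(days=PDPC_NOTIFY_DAYS)
    return Assessment(notifiable, notifiable, notify_individuals,
                      assessment_deadline, pdpc_deadline, overdue, reasons)


def pdpc_notification_late(a: Assessment, notified_on: date) -> bool:
    """True when the PDPC filing must also carry reasons and evidence for lateness."""
    return a.pdpc_deadline is not None and notified_on > a.pdpc_deadline


def run_examples() -> Dict[str, Assessment]:
    """Constructed scenarios (not real incidents) exercising each branch."""
    deemed = frozenset({"category_a", "category_b"})  # placeholder labels, see docstring
    aware = date(2021, 3, 1)
    return {
        # deemed class, small scale, determined promptly: PDPC and individuals
        "harm": assess(Breach(aware, frozenset({"category_a", "email"}), affected_count=120),
                       deemed, determined_on=date(2021, 3, 3)),
        # deemed class but data encrypted beforehand; assessment finished late
        "encrypted": assess(Breach(aware, frozenset({"category_a"}), affected_count=800,
                                   protected_before_breach=True),
                            deemed, determined_on=date(2021, 4, 2)),
        # actual count unknown, estimate already at or above 500: notify on the estimate
        "estimated_scale": assess(Breach(aware, frozenset({"email"}), estimated_count=600), deemed),
        # below threshold, no deemed class, no likely harm: not notifiable
        "minor": assess(Breach(aware, frozenset({"email"}), affected_count=400), deemed),
    }


if __name__ == "__main__":
    for name, outcome in run_examples().items():
        print(name, outcome)
```

The design choice worth noting is that the deadlines are computed from two different dates: the assessment window runs from the date the organisation first had credible grounds, while the three-day PDPC clock runs only from the determination. Conflating the two is the usual way playbooks get this wrong.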

The provision of data breach notifications to the PDPC

An organisation providing notification of a notifiable data breach to the PDPC or affected individuals is required to provide relevant details of the data breach to the best of its knowledge and belief. The notification should also include relevant information about the organisation’s data breach management and remediation plans.[13]

A notification to the PDPC of a notifiable data breach must include the following information:

  • The facts of the data breach. This would include:
    • the date on which, and the circumstances in which, the organisation first became aware that a data breach had occurred;
    • information on how the data breach occurred;
    • the number of individuals affected by the data breach;
    • the personal data, or classes of personal data, affected by the data breach; and
    • the potential harm to the affected individuals as a result of the data breach.
  • The manner in which the organisation is handling the notifiable data breach. This would include:
    • a chronological account of the steps taken by the organisation after it became aware that the data breach had occurred, including the organisation’s assessment that the data breach was a notifiable data breach;
    • information on any action taken by the organisation:
      • to eliminate or mitigate any potential harm to any affected individual as a result of the notifiable data breach; and
      • to address or remedy any failure or shortcoming that the organisation believes to have caused, or enabled or facilitated the occurrence of, the data breach; and
    • information on the organisation’s plan (if any) to inform all or any affected individuals or the public that the data breach has occurred and how an affected individual may eliminate or mitigate any potential harm as a result of the data breach.
  • The contact details of at least one authorised representative of the organisation.

If the data breach notification to the PDPC is not made within three calendar days of ascertaining that it is a notifiable breach, the organisation must also set out the reasons for the late notification, and include any supporting evidence in this regard, as part of the notification.

If an organisation does not intend to notify any individual affected by the data breach, the notification to the PDPC must also set out the grounds on which the organisation is relying on – whether under the PDPA or other written law – for not notifying the affected individual.

The provision of data breach notifications to individuals affected by a notifiable data breach

Notifications to individuals affected by a notifiable data breach must include the following information:

  • The facts of the data breach. This would include:
    • the circumstances in which the organisation first became aware that a notifiable data breach has occurred; and
    • the personal data or classes of personal data relating to the affected individual affected by the notifiable data breach.
  • The organisation’s data breach management and remediation plan. This would include:
    • the potential harm to the affected individual as a result of the data breach;
    • information on any action by the organisation, whether taken before or to be taken after the organisation notifies the affected individual to eliminate or mitigate any potential harm to the affected individual as a result of the data breach and to address or remedy any failure or shortcoming that the organisation believes to have caused, or have enabled or facilitated the occurrence of, the data breach; and
    • steps that the affected individual may take to eliminate or mitigate any potential harm as a result of the notifiable data breach, including preventing the misuse of the affected individual’s personal data affected by the notifiable data breach.
  • Contact details of at least one authorised representative of the organisation.

Notifications to affected individuals should be clear and easily understood. Where the data breach involves information related to adoption matters or the identification of vulnerable individuals, organisations should first notify the PDPC for guidance on notifying the affected individuals.[14]

Cybersecurity incidents involving CII

The CSA also requires an organisation that has been designated an owner of CII to notify the Commissioner of Cybersecurity of the occurrence of a cybersecurity incident within two hours of becoming aware of the same. Such cybersecurity incidents include:

  • the unauthorised hacking of a CII;
  • the installation or execution of unauthorised software or code on a CII;
  • man-in-the-middle attacks, session hijacks or any other unauthorised interception of communications between a CII and an authorised user; and
  • denial-of-service attacks.

The organisation must then submit the following details within 14 days of the initial notification:

  • the cause or causes of the cybersecurity incident;
  • any impact on the CII, interconnected computers or systems; and
  • any remedial measures that the organisation took.[15]

Sector-specific breach notification requirements

Sectoral regulators may also impose sector-specific breach notification requirements that apply over and above those imposed on organisations by way of legislation.

For example, the MAS requires a regulated financial institution to notify the MAS within one hour of discovering a system malfunction or IT security incident that has a severe and widespread impact on its operations or materially impacts its service to customers. The affected financial institution must then submit a root cause and impact analysis report to the MAS within 14 days of the discovery of the incident.[16]

Best practices for cyber incident response

Organisations should have a cyber incident response (CIR) plan in place to swiftly contain and neutralise a cyber incident. The CIR plan should contain clear and concise procedures for responding to various forms of cyber incidents, including ransomware, distributed denial of service and data exfiltration. An organisation should develop its CIR plan in consultation with its key business departments to ensure that it takes into account business and operational recovery requirements. Organisations may also consider appointing external consultants and vendors to assist in developing their CIR plans, where appropriate.

It is imperative that organisations have a dedicated internal incident response team that is activated immediately upon the detection of a suspected or confirmed cybersecurity incident or data breach to put the CIR plan into action. An organisation’s internal incident response team should include, among others:

  • a team leader with the relevant expertise and who has been given a clear mandate and decision-making powers to ensure a rapid response to contain and manage the cyber incident;
  • the IT specialist who is responsible for the organisation’s IT infrastructure and cybersecurity; and
  • an administrative manager to manage and coordinate the administrative aspect of the incident response. This would include coordinating meetings, maintaining a log of tasks that have been allocated or need to be allocated for the response, recording notes of meetings, and disseminating any relevant communications within the organisation (e.g., document hold notifications).

The incident response team should be in a position to swiftly determine whether the nature and severity of the cyber incident is beyond the expertise of the organisation’s personnel.

Organisations should also consider appointing external legal counsel promptly depending on the severity of the cyber incident. Specialist cybersecurity lawyers would be well placed to coordinate and manage a cyber incident response bearing in mind potential regulatory and litigation issues that may arise. More importantly, the appointment of external legal counsel at the earliest stages would allow them to structure a cyber incident response or forensic investigation to ensure that legal professional privilege is established and preserved as far as possible from the outset.

Depending on the severity of the incident, other external service providers that an organisation may consider engaging are:

  • cybersecurity experts to contain the incident, prevent further compromise of data and preserve electronic evidence;
  • forensic experts to investigate the cause of the incident; and
  • public relations specialists to deal with any reputational impact that may arise from the breach.

These service providers should work in conjunction with the organisation’s legal counsel to ensure the organisation’s interests are protected as far as possible. For example, external public relations communications should be vetted by legal counsel to ensure that false or defamatory statements are not made in allocating blame to a party for a cyber incident.

Organisations must comply with the notification requirements that have been summarised earlier as part of their response. Organisations may also consider alerting the Singapore Police Force if criminal activity is suspected and contacting the Singapore Computer Emergency Response Team (SingCERT) for assistance in containing the cyber incident.

The PDPC has issued a Guide on Managing and Notifying Data Breaches under the Personal Data Protection Act that recommends good practices to help organisations prepare for data breaches with a data breach management plan and sets out some key considerations for organisations responding to data breaches. These include considering the following actions in responding to such breaches:

  • isolating the compromised system from the Internet or network by disconnecting all affected systems;
  • re-routing or filtering network traffic, firewall filtering, closing particular ports or mail servers;
  • preventing further unauthorised access to the system, including disabling or resetting the passwords of compromised user accounts;
  • isolating the causes of the data breach in the system and, where applicable, changing the access rights to the compromised system;
  • stopping the identified practices that led to the data breach;
  • establishing whether the lost data can be recovered and implementing further action to minimise any harm caused by the data breach; and
  • recording details of the data breach and post-breach responses in an incident record log.

Information collated from cybersecurity and data breaches should be used to improve the existing cybersecurity measures implemented within the organisation and to refine the organisation’s CIR plan.

Cybersecurity and incident response trends

Cybersecurity is increasingly being viewed as a risk management issue, and not merely a technical or IT issue, because of how common attacks are and the potential for huge damage to be caused to an organisation from such attacks.

One consequence has been that organisations now detect and contain cyberattacks much more swiftly than they did a decade ago. One of the most striking trends has been the significant reduction in global median dwell time[17] from 416 days in 2011 to 24 days in 2020.[18]

Organisations in the Asia-Pacific region (APAC) appear, however, to be at higher risk compared to other regions in this regard. The median APAC dwell time was 76 days in 2020. This is more than three times as long as the global median dwell time. Attackers also continue to maintain access to compromised APAC organisations for extensive periods of time: 10 per cent of breaches investigated in APAC during 2020 showed dwell times of more than three years and 4 per cent showed dwell times of more than nine years.[19]

The rise of cybercrime in Singapore

Cybercrime is also on the rise in Singapore. The Cyber Security Agency of Singapore recently revealed that 16,117 cases of cybercrime were reported in Singapore in 2020. This accounted for 43 per cent of overall crime in Singapore in 2020 – substantially more than the 6,215 cybercrime cases reported in 2018 and the 9,349 that were reported in 2019.

Ransomware, in particular, has gained prominence, with the manufacturing, retail and healthcare sectors being targeted in particular.[20] This is in line with a common trend globally: ransomware is no longer seen as a sporadic nuisance affecting only a handful of machines; it has, instead, been described as a massive, systemic threat affecting entire networks of large organisations.[21]

In one such incident, staff from a food and beverage business discovered in August 2020 that their company servers and devices were infected with NetWalker, a prevalent ransomware strain. The ransom note instructed them to visit a webpage on the Dark Web to view the ransom demands. The company had stored all its backups on the affected servers and none of its data could be recovered. The company was forced to rebuild its IT system from scratch.[22]

Phishing also continues to be prevalent in Singapore, with around 47,000 phishing URLs with a Singapore link detected in 2020. This reflected a very slight decrease of 1 per cent as compared to 2019. More than half of the organisations spoofed were big technology or social networking firms (such as Apple, Facebook, LinkedIn and WhatsApp) and entities in the banking and financial sector (Chase Personal Banking, PayPal and Bank of America).[23] Singapore government organisations were also not spared, with the Singapore Police Force, the Ministry of Manpower and the Ministry of Education being the most commonly spoofed government organisations in Singapore.[24]

The covid-19 landscape in Singapore

The covid-19 landscape in Singapore has given rise to its own set of issues. Cyberattacks that use covid-19 to lure victims had spiked across industries by more than 100 times from March to April 2020. The healthcare sector has been hit hard in particular, with a surge of attacks by almost 200 times in the first four months of 2020.[25]

The transition to remote work set-ups in 2020 has also increased the attack surface available to threat actors. The abrupt nature of the transition, necessitated by the unprecedented nationwide ‘lockdown’ or ‘circuit breaker’ imposed in Singapore from April 2020, forced organisations to adopt a patchwork of technological solutions to maintain business continuity. This also meant that threat actors had a much larger pool of potential targets to choose from, given the spike in telecommuters.[26] Threat actors targeting remote work settings have attempted to carry out malicious activities by exploiting vulnerabilities on two levels.[27]

  • At the infrastructure level: the increased use of applications to facilitate remote collaboration has also led to an increased risk of vulnerabilities in these applications being exploited by threat actors. For example, Singapore’s Ministry of Education was forced to suspend the use of the video conferencing platform Zoom on 9 April 2020 after a home-based learning class carried out over the platform was hijacked. Home office set-ups have also increased organisations’ exposure to hacking attempts, given that home networks tend to be less secure than corporate ones.
  • At the individual level: people may show greater willingness to take on calculated security risks and trade-offs in order to get work done remotely, such as discussing confidential matters with colleagues over unsecured video conference calls. Less caution may also be exercised when downloading telecommuting applications or VPN clients.

A recent survey also revealed that more than half of the Singapore organisations polled have reported that the covid-19 pandemic has slowed down the detection time of a cyber incident in their organisation.[28]

Regulatory considerations

The primary concern of the majority of organisations in Singapore continues to lie in their compliance with the data protection obligations imposed by the PDPA. This is especially so given the heightened regulatory focus on ensuring that organisations protect personal data in their possession or under their control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification or similar risks (the Protection Obligation). As a point of illustration, around 70 per cent of the enforcement decisions published by the PDPC in 2016 were related to the Protection Obligation. In comparison, over 95 per cent of the enforcement decisions published in 2020 were related to the Protection Obligation. This heightened regulatory focus also culminated in the introduction of the mandatory breach notification regime under the PDPA, which came into force in February 2021.

While it is not possible to prescribe a one-size-fits-all solution for every organisation, there are a number of steps an organisation may take to ensure that it remains in compliance with the PDPA in the cybersecurity context. The PDPC has provided some examples of technical measures an organisation may take to protect personal data, such as:[29]

  • ensuring computer networks are secure;
  • adopting appropriate access controls and authentication measures;
  • encrypting personal data to prevent unauthorised access;
  • installing appropriate and up-to-date computer security software and utilising suitable computer security settings; and
  • updating computer security and IT equipment regularly.

It would also be prudent for an organisation to conduct regular security and risk assessments. This may take the form of penetration tests and vulnerability assessments. It should also regularly test its detection and response capabilities to stress test its CIR plan and to ensure that it remains robust.

The PDPC has released a number of publications intended to assist organisations in developing good data protection practices in their info-comm technology (ICT) systems and processes to improve their cybersecurity resilience as well as capabilities in data breach prevention. This includes:

  • the Guide to Data Protection by Design for ICT Systems, which consolidates data protection practices from past Advisory Guidelines and Guides issued by the PDPC. It also incorporates lessons learnt from past data breach cases that organisations should adopt in their ICT policies, systems and processes to safeguard the personal data under their care; and
  • a handbook titled ‘How to Guard Against Common Types of Data Breaches’, which is based on past data breach cases handled by the PDPC. It is complemented by checklists an organisation may refer to in order to ensure that the policies and processes it puts in place avoid the common gaps that often result in such data breaches.

The actions, or inaction, of an organisation may be taken into account in any subsequent enforcement action taken by the PDPC against the organisation in respect of a data breach, such as:

  • the fact that an organisation had been conducting regular penetration tests, vulnerability tests and code reviews to guard against online security threats was considered in calibrating the financial penalty to be imposed on the organisation;[30]
  • swift and effective remedial action by an organisation to mitigate the impact of a breach has been treated as a mitigating factor by the PDPC in enforcement action taken against the organisation;[31]
  • the fact that an organisation was cognisant of certain risks of unauthorised access and disclosure to exposed personal data, but had failed to resolve the issue for more than two years, was taken as an aggravating factor;[32] and
  • the fact that a compromised password had not been changed for 10 years and the organisation was unable to detect unauthorised access of personal data for about two years, were taken as aggravating factors.[33]

Litigation considerations

Civil proceedings arising from a cybersecurity incident or data breach

The right of private action under the PDPA

A person who suffers loss or damage directly as a result of an organisation’s contravention of its data protection obligations under the PDPA may seek recourse in civil proceedings before the Singapore Courts.[34] In such proceedings, the court may grant relief by way of an injunction or declaration, damages and any other relief as the court thinks fit.[35] The Singapore courts have held that this right of private action under the PDPA is only available to individuals and not to companies.[36] The Singapore courts have also held that the reference to ‘loss or damage’ in respect of the right of private action under the PDPA is to be limited to the heads of loss or damage applicable to torts under the common law (e.g., pecuniary loss, damage to property, personal injury including psychiatric illness) and does not include distress or the loss of control over personal data.[37] This is a notable departure from a number of other jurisdictions such as the United Kingdom, Canada and Hong Kong.[38] The English courts, for example, have held that damages may be awarded in this regard for distress, or the loss of control over personal data, without proof of pecuniary loss.[39]

Civil proceedings under other causes of action

There are a number of potential causes of action that may arise in the data breach context. An action in negligence may potentially be brought against an organisation that has breached its duty of care by, for example, failing to prevent data (e.g., credit card information) from being accessed by a cyber attacker.

A breaching organisation may also be liable for a claim in breach of contract where, for example, the breaching organisation had a contractual obligation to secure and protect the counterparty’s data under a service agreement or where an organisation was subject to a contractual obligation of confidentiality. Disclosure of confidential information – whether intentional or inadvertent – may also give rise to a cause of action in breach of confidence even in the absence of a contractual relationship.

Directors of the breaching organisation may also face personal liability, such as where they fail to respond to a cybersecurity incident or data breach due to a lack of reasonable diligence (which could potentially be a breach of their duties owed to the organisation as a director).

Legal professional privilege

Legal professional privilege would inevitably be a primary consideration in any investigations or legal proceedings commenced against an organisation in respect of a cybersecurity incident. There are two forms of privilege an organisation should be mindful of in this regard:

  • litigation privilege may be asserted over documents that are created for the dominant purpose of pending or contemplated litigation, where there is a reasonable prospect of litigation at the time the documents were created; and
  • legal advice privilege may be asserted over communications between an organisation and its legal counsel that contain legal advice or are made for the purpose of seeking legal advice. Unlike litigation privilege, it does not require the existence or contemplation of legal proceedings before it may be asserted.

Depending on the severity of the incident in question, it may be prudent to appoint external counsel from the outset to establish and maintain both forms of privilege as far as possible. Organisations should note that privilege may not be asserted over documents that are already in existence prior to the establishment of the solicitor–client relationship and cannot be conferred merely by sending such material to external legal counsel. The timing at which counsel is engaged may therefore have important repercussions. For example, draft incident reports prepared before the appointment of external counsel may not be privileged and may be required to be disclosed in discovery.

Privileged documents and communications should always be marked appropriately and conspicuously (e.g., ‘Strictly confidential and subject to legal professional privilege’). While marking a document would not, in and of itself, result in the document being protected by privilege, it would facilitate the identification of privileged documents so privilege may be asserted over the same more expediently.

There may be occasions where regulatory authorities or law enforcement agencies seize privileged material. For example, a computer that is seized may contain both privileged and non-privileged documents on its hard disk. Privilege should be asserted at the time of seizure or as soon as practicable thereafter. External counsel may also act to ensure that the risk of privilege being breached is curtailed as far as possible during the investigation process. This could involve, among other things, external counsel identifying documents that are protected by privilege and should be returned (as in the case of hardcopy documents), or isolated or quarantined if the return of the documents is not possible (as in the case where the identified documents are soft copies found on an electronic storage device). The isolation or quarantine of such documents may be done, for example, by locking the documents in a password-protected folder to which the investigators do not have access.

Types of threats and threat actors: criminal, nation-state, insider (intentional and accidental)

This section will provide illustrations of the different types of threats and threat actors, ranging from nation-state actors to company insiders, present in the Singapore cyber landscape.

Criminal

Singapore has seen a significant rise in cybercrime, with the increasing prevalence of ransomware attacks of particular concern. More than half of the organisations in Singapore that suffered a ransomware attack between April 2019 and April 2020 paid the ransom. These organisations paid ransoms of up to US$14 million, with 37 per cent of them paying between US$140,000 and US$1.4 million. A quarter of these organisations were subsequently hit by a second ransomware attack by the same cyber criminals, and two-thirds were subsequently hit by a second ransomware attack by different cyber criminals. Even when ransoms were paid, 28 per cent of the locked-up data that was released to these organisations was corrupted.[40]

Another survey showed that 73 per cent of the Singapore organisations polled suffered significant revenue losses as a direct result of a ransomware attack, 40 per cent suffered reputational damage as a result of a ransomware attack, and 20 per cent reported that an attack had forced the closure of their organisation for a period of time.[41]

Covid-19-related incidents have also become more prominent, with the healthcare and education sectors being key targets. A number of fake covid-19 contact tracing mobile applications capable of delivering malware, including a fake TraceTogether[42] application, were also detected. The Singapore Police Force also issued an advisory on covid-19 vaccination-related scams after the Singapore government commenced its nationwide covid-19 vaccination programme.[43]

Nation-state

In an unprecedented cyberattack on Singapore Health Services Pte Ltd’s (SingHealth) patient database system, the personal data of around 1.5 million patients, and the outpatient prescription records of nearly 160,000 patients, were exfiltrated between 27 June and 4 July 2018 in what has been described as ‘the worst breach of personal data in Singapore’s history’.[44] The Prime Minister of Singapore’s personal and outpatient medication data was specifically targeted and repeatedly accessed during the course of the attack.[45]

At the time of the cyberattack, SingHealth was the owner of the system, which comprised, among others, the database in question. Integrated Health Information Systems Pte Ltd (IHiS) was responsible for administering and operating this system, including implementing cybersecurity measures.[46]

The attack was attributed to sophisticated state-linked actors who wrote customised malware to circumvent SingHealth’s antivirus and security tools. The identity of the state thought to be behind the attack was not revealed for national security reasons.[47]

Following the cyberattack, a Committee of Inquiry was convened to investigate the events and contributing factors leading to the incident. The Committee of Inquiry found that the attack could have been stopped if staff had been adequately trained and taken appropriate action. It also pointed out that there were vulnerabilities in SingHealth’s network and systems that contributed to the successful cyberattack, many of which could have been remedied before the attack.[48]

The PDPC also commenced its own investigations and found SingHealth and IHiS to be in breach of the PDPA. IHiS was fined S$750,000 while SingHealth was fined S$250,000. These remain the largest and second largest financial penalties ever imposed by the PDPC to date.

Insider (intentional and accidental)

An insider within an organisation may pose a threat in many forms. An insider may seek to compromise data for his or her own benefit. In October 2020, it came to light that personal information from over one million accounts had been illegally accessed and stolen from a well-known e-commerce platform in Singapore to be sold online. The personal information stolen included names, phone numbers, email and mailing addresses, encrypted passwords and partial credit card numbers.[49]

An insider may also cause tremendous damage to an organisation and to individuals by compromising data for nefarious reasons. For example, it was reported in 2019 that the HIV-positive status of 14,200 people in Singapore, along with confidential information such as their identification numbers and contact details, was leaked online. The former Head of the National Public Health Unit of Singapore’s Ministry of Health had access to the country’s HIV registry for work purposes. He allegedly mishandled the information and failed to comply with policies on the handling of confidential information. The database found its way into the hands of his partner, an HIV-positive American who had been residing in Singapore, who orchestrated the leak and attempted to use the stolen database to extort money from the Singapore government.[50]

An insider does not need to have any ill intentions to be a threat to an organisation. He or she could simply be an individual who has made an inadvertent mistake. By way of illustration, a server belonging to a home-grown gaming hardware company had been misconfigured to allow public access to it. This resulted in the personal information of about 100,000 of its customers potentially being exposed to the public.[51]


Footnotes

1 Brinden Anandakumar is an associate director at Fullerton Law Chambers LLC.

2 Explanatory Statement of the Cybersecurity Act.

3 Section 24 of the PDPA.

4 The maximum financial penalty the PDPC may impose on an organisation for the breach of the data protection obligations under the PDPA will be amended to either S$1 million, or 10 per cent of the breaching organisation’s annual turnover in Singapore, whichever is higher, on a further date to be notified (and no earlier than 1 February 2022).

5 Section 11 of the CMA.

6 A data breach in this context generally refers to any unauthorised access, collection, use, disclosure, copying, modification or disposal of personal data in an organisation’s possession or under its control: see Section 26A of the PDPA.

7 Guide on Managing and Notifying Data Breaches under the Personal Data Protection Act (Revised on 15 March 2021), p. 23.

8 Regulation 4 of the Personal Data Protection (Notification of Data Breaches) Regulations 2021.

9 Guide on Managing and Notifying Data Breaches under the Personal Data Protection Act (Revised on 15 March 2021), p. 24.

10 Section 26D(5)(a) of the PDPA.

11 Section 26D(5)(b) of the PDPA.

12 Advisory Guidelines on Key Concepts in the PDPA (Revised on 1 October 2021), paragraph 20.30.

13 Guide on Managing and Notifying Data Breaches under the Personal Data Protection Act (Revised on 15 March 2021), p. 25.

14 Guide on Managing and Notifying Data Breaches under the Personal Data Protection Act (Revised on 15 March 2021), p. 28.

15 Section 14 of the CSA.

16 Notice on Technology Risk Management, paragraphs 7 and 8.

17 Dwell time is calculated as the number of days an attacker is present in a victim environment before they are detected.

18 FireEye Mandiant M-Trends 2021 Report.

19 M-Trends 2021 Report by FireEye Mandiant Services.

20 The Singapore Cyber Landscape 2020, Cyber Security Agency of Singapore, p. 6.

21 The Singapore Cyber Landscape 2020, Cyber Security Agency of Singapore, p. 5.

22 The Singapore Cyber Landscape 2020, Cyber Security Agency of Singapore, p. 27.

23 The Singapore Cyber Landscape 2020, Cyber Security Agency of Singapore, p. 17.

24 The Singapore Cyber Landscape 2020, Cyber Security Agency of Singapore, p. 6.

25 Jeraldine Yap, ‘Rise in cyber attacks across all sectors from March to April; healthcare tops list for attacks’, CNA, 17 June 2020, https://www.channelnewsasia.com/news/singapore/rise-in-cyber-attacks-across-all-sectors-from-march-to-april-12845532?cid=h3_referral_inarticlelinks_24082018_cna.

26 The Singapore Cyber Landscape 2020, Cyber Security Agency of Singapore, p. 13.

27 The Singapore Cyber Landscape 2019, Cyber Security Agency of Singapore, p. 49.

29 Advisory Guidelines on Key Concepts in the PDPA (Revised on 1 October 2021), p. 115.

30 See ComGateway (S) Pte Ltd [2017] SGPDPC 19.

31 See Zero1 Pte Ltd and XDEL Singapore Pte Ltd [2019] SGPDPC 37 and Singapore Telecommunications Limited [2019] SGPDPC 49.

32 Institute of Singapore Chartered Accountants [2018] SGPDPC 28.

33 SPH Magazines Pte Ltd [2020] SGPDPC 3.

34 Section 48O(1) PDPA.

35 Section 48O(3) PDPA.

36 IP Investment Management Pte Ltd v. Alex Bellingham [2019] SGDC 207.

37 Bellingham, Alex v. Reed, Michael [2021] SGHC 125, paragraphs 76 to 82, and 93. This decision interpreted the scope of the right of private action provided by Section 32(1) of the version of the PDPA in force in 2018. Section 32(1) has since been repealed and replaced by Section 48O of the PDPA, which is broadly similar in substance. The Court’s interpretation of ‘loss and damage’ in respect of Section 32(1) is therefore likely to continue to apply in respect of Section 48O.

38 Bellingham, Alex v. Reed, Michael [2021] SGHC 125, paragraphs 56 to 70.

39 See Vidal-Hall and others v. Google Inc (Information Commissioner intervening) [2016] QB 1003 and Lloyd v. Google LLC [2020] 2 WLR 484.

40 Kenny Chee, ‘It doesn’t pay to pay ransom to hackers: Study’, The Straits Times, 22 June 2021, https://www.straitstimes.com/tech/tech-news/it-doesnt-pay-to-pay-ransom-to-hackers-study-0.

41 Ransomware: The True Cost to Business, Cybereason, April 2021, pp. 7, 9 and 14, https://www.cybereason.com/hubfs/dam/collateral/ebooks/Cybereason_Ransomware_Research_2021.pdf.

42 TraceTogether is the digital contact tracing system introduced by the Singapore government to facilitate its contact tracing efforts to contain the spread of the covid-19 virus.

43 Police Advisory on Covid-19 Vaccination-related Scams, Singapore Police Force, 4 February 2021, https://www.police.gov.sg/media-room/news/20210204_police_advisory_on_covid-19_vaccination-related_scams.

44 Singapore Health Services Pte Ltd & Ors [2019] SGPDPC 3, paragraph 1.

45 Public Report of the Committee of Inquiry into the Cyber Attack on Singapore Health Services Private Limited’s Patient Database on or around 27 June 2018 dated 10 January 2019, paragraph 1.

46 Public Report of the Committee of Inquiry into the Cyber Attack on Singapore Health Services Private Limited’s Patient Database on or around 27 June 2018 dated 10 January 2019, paragraph 3.

47 Irene Tham, ‘SingHealth breach work of a typical state-linked group’, The Straits Times, 7 August 2018, https://www.straitstimes.com/singapore/singhealth-breach-work-of-a-typical-state-linked-group.

48 Public Report of the Committee of Inquiry into the Cyber Attack on Singapore Health Services Private Limited’s Patient Database on or around 27 June 2018 dated 10 January 2019, paragraph 287.

49 Jeraldine Yap, ‘Lazada suffers data breach; personal information from 1.1 million RedMart accounts for sale online’, CNA, 30 October 2020, https://www.channelnewsasia.com/news/singapore/lazada-redmart-data-breach-personal-information-millions-account-13415688.

50 ‘HIV-positive status of 14,200 people leaked online’, CNA, 28 January 2019, https://www.channelnewsasia.com/news/singapore/hiv-positive-records-leaked-online-singapore-mikhy-brochez-11175718; Charissa Yong, ‘Mikhy Farrera-Brochez sentenced to two years’ jail over Singapore HIV patient data leak’, The Straits Times, 28 September 2019, https://www.straitstimes.com/world/united-states/mikhy-farrera-brochez-sentenced-to-two-years-over-singapore-data-leak.

51 Goh Yan Han, ‘Data breach of potentially 100,000 Razer customers worldwide discovered by cyber security consultant’, The Straits Times, 15 September 2020, https://www.straitstimes.com/singapore/data-breach-of-potentially-100000-razer-customers-worldwide-discovered-by-cybersecurity.
