The number of Singapore government data security incidents rose from 75 in the 2019 financial year to 108 in FY2020, representing a year-on-year increase of 44 per cent.
However, although the number of data incidents has nearly doubled in a year, there has been a downward trend in the severity of the incidents, with none of the incidents logged in FY2020 assessed to be of high severity. Moreover, all incidents were addressed within 48 hours.
This is according to the second update on the Singapore government’s personal data protection efforts, released on 27 July.
The latest update focuses on initiatives carried out between the beginning of October 2020 and the end of March 2021, while the inaugural update covered the period from November 2019 to 30 September 2020.
The latest report suggests that the increase in data incidents reported correlates with trends seen in the private sector and globally, as the exchange and usage of data grows.
“The increase also reflects increased awareness and improved understanding among public officers to report all data incidents, regardless of scale or impact,” Singapore’s Smart Nation and Digital Government Office (SNDGO) said in a statement.
Out of the 108 government data incidents in FY2020, six were detected as a result of public reports made to the Government Data Security Contact Centre (GDSCC), which was set up in April 2020 for members of the public to report data incidents involving government data or government agencies.
Additionally, the latest report revealed that, this year, several individuals have been charged under the Official Secrets Act (OSA) for the unauthorised disclosure of information related to Singapore’s response to COVID-19.
“Public officers found to have made unauthorised use or disclosure of government data will be held accountable,” SNDGO said.
The latest report comes as the government works to implement advanced technical solutions to further strengthen the public sector’s data security posture.
In November 2020, for example, the government implemented the Government Commercial Cloud (GCC) Privileged Identity Management (PIM) solution.
“With more government systems migrating to the cloud as part of our ‘Cloud-First’ strategy, the GCC-PIM solution will ensure that access by privileged users (i.e. those whose roles require wide access to data), such as system administrators, will be secured and monitored to prevent unauthorised use of data,” the Office noted.
At the same time, the government has started to develop whole-of-government (WOG) data loss protection (DLP) services, which tap into technical and process controls to detect anomalous activities, such as unexpected downloads of large amounts of data to personal computers, that are indicators of possible malicious activity or data incidents.
The implementation of the WOG DLP services will commence by the end of 2021, SNDGO said.
The local region has been rocked by a number of high profile data breaches resulting from cyber attacks this year.
In early March, Malaysia Airlines informed Enrich frequent flyer members of a “data security incident” via a third-party IT service provider, insisting the breach avoided the national carrier’s core IT infrastructure and systems.
Just days later, Singapore Airlines warned its own frequent flyer members of a third-party breach affecting up to 580,000 people.
Singapore Airlines said in a statement published late on 4 March that it had been informed by air transport communications and information technology provider SITA of a data security breach involving its Passenger Service System (SITA PSS) servers.