IBM Vendor Breach Exposes Data of 70,000 in Singapore

The personal data of about 70,000 people in Singapore has been exposed after unauthorised access to a cloud environment managed by IBM on behalf of the Singapore Land Authority (SLA). SLA said the breach stemmed from a dataset created in 1998 for vendor development and systems integration testing that was meant to contain only mock, anonymised records.

IBM manages the development and testing environment for SLA’s Singapore Titles Automated Registration System (STARS) and eLodgment System (ELS), platforms used by lawyers, government agencies and other authorised users to submit property transfer and caveat documents. SLA said the vendor informed it of a security incident on 12 June, with possible unauthorised access to personal information flagged on 15 June.

Testing dataset held real NRIC numbers and addresses

Preliminary investigations found the compromised dataset included real names, NRIC numbers and past property addresses, rather than the anonymised placeholder data it was intended to hold. SLA said the affected environment is separate from its live operational systems, and that property ownership and lodgment records in STARS and ELS remain secure. IBM has since revoked access to the affected environment.

Singapore’s third-party risk exposure

Commenting on the incident, Takanori Nishiyama, Senior Vice President APAC and Country Manager, Japan at Keeper Security, said Singapore has one of the highest rates of third-party breaches globally, and that the incident reflects a familiar pattern of vendor access extending far beyond what a task requires.

“The gap between intended data classification and actual data content is the kind of blind spot that persists for years inside vendor-managed environments, because nobody is continuously verifying what’s actually there or who can access it,” said Nishiyama.

SLA has lodged a police report, notified the Personal Data Protection Commission, and is working with IBM, the Government Technology Agency of Singapore and the Cyber Security Agency of Singapore to establish the full facts. Affected individuals are being notified directly, with the process expected to complete by the end of next week.

Widening reporting obligations

Nishiyama noted that as Singapore’s amended Cybersecurity Act extends reporting obligations to supplier-linked incidents, organisations need to treat third-party access governance as a continuous discipline rather than a contractual assumption, applying least-privilege and time-bound access controls to every vendor connection, including test environments.

Author


Discover more from techcoffeehouse.com

Subscribe to get the latest posts sent to your email.

Use promo code “TCH15” to get 15% off on checkout.

Share your thoughts

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Discover more from techcoffeehouse.com

Subscribe now to keep reading and get access to the full archive.

Continue reading

Discover more from techcoffeehouse.com

Subscribe now to keep reading and get access to the full archive.

Continue reading