A cybersecurity incident involving the Singapore Land Authority (SLA) and its vendor IBM has exposed the personal data of approximately 70,000 people, reigniting scrutiny over how sensitive information sitting in third-party development and testing environments can go undetected for years.

The exposed dataset, created as far back as 1998, includes names, NRIC numbers and past property addresses that should have been anonymised but were not, according to reports of the breach.

Vendor risk is enterprise risk, says Arctic Wolf

Arctic Wolf Senior Vice President and Chief Information Security Officer Adam Marre said the incident reflects a common misreading of how vendor risk actually works.

“There is a common assumption among organisations that once a vendor contract is signed, security becomes the vendor’s responsibility. But that is a fundamental misreading of how risk actually works. The data does not stop being yours simply because a third party is managing it, and the consequences of a breach land with you regardless of where in the ecosystem it originated.”

Marre said the SLA case points to a broader strategic gap: as vendors become more deeply embedded in critical systems and data flows, security assumptions have not kept pace. Development and testing environments, he noted, are typically treated as lower-risk — precisely the kind of blind spot that can go unexamined for decades.

Closing the visibility gap

Arctic Wolf recommends a more continuous and structured approach to third-party risk management, rather than a one-time contractual checkbox.

“Closing that gap requires organisations to take a more continuous and structured approach to third-party risk. Security requirements should be explicitly defined in contracts and reviewed regularly, not treated as a one-time checkbox at the point of signing. Vendors should only have access to what they genuinely need, with external connections segmented to contain the impact if something does go wrong. And organisations need to maintain ongoing visibility into where their data sits and who can reach it at any given point.”

The recommendations centre on three principles: explicit, regularly reviewed contractual security requirements; least-privilege access with segmented external connections; and continuous visibility into data location and access across the vendor ecosystem.

Author


Discover more from techcoffeehouse.com

Subscribe to get the latest posts sent to your email.

Use promo code “TCH15” to get 15% off on checkout.

Share your thoughts

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Discover more from techcoffeehouse.com

Subscribe now to keep reading and get access to the full archive.

Continue reading

Discover more from techcoffeehouse.com

Subscribe now to keep reading and get access to the full archive.

Continue reading