SINGAPORE - Arising from the incident in which 1,560 SingPass accounts were compromised, the Ministry of Manpower (MOM) and the Infocomm Development Authority (IDA) have found that three of these SingPass accounts were used to make six fraudulent work pass applications.
MOM immediately cancelled the work passes upon discovery of the fraudulent applications.
In a joint statement released by IDA and MOM, the Government said it has implemented additional measures to strengthen and further safeguard work pass transactions.
IDA is currently enhancing the SingPass system, which will be ready by the third quarter of 2015, the Government statement added. There is a possibility that users will be able to set their own user names instead of using NRIC numbers in the future.
Further measures such as second-factor authentication (2FA) for e-government transactions, particularly for those involving sensitive data, will also be implemented.
SingPass users are encouraged to strengthen their passwords to ones that are alphanumeric with 8-24 characters, preferably with capital letters and symbols, to better protect their SingPass accounts.
"We thank the affected SingPass users for their assistance in helping us confirm that the applications were not made by them," a spokesperson said.
The matter has since been referred to the Police.
Here is a June 4 statement sent by IDA to inform the public of the breach:
On Monday, June 2, 2014, IDA was notified by the SingPass operator that a number of SingPass users had received a SingPass Password Reset Notification Letter even though they did not request for any password reset.
IDA's preliminary investigations revealed that 1,560 users' IDs and passwords had potentially been accessed without the users' permission.
An anomaly was detected between the number of mobile numbers used for Immediate Reset One-Time Passwords and the number of SingPass accounts that they were tied to.
Of these 1,560 users, 419 passwords were also reset triggering the SingPass Password Reset Notification Letters to be sent to the registered address of the actual account holder.
A police report was lodged on June 3, 2014 and the matter is currently under investigation.
Based on IDA's checks, there is no evidence to suggest that the SingPass system has been compromised.
The passwords of all affected users have been reset and we are in the process of notifying them of this incident.
"For every individual, this incident underlines the importance of taking personal responsibility for cyber security. The Government strongly urges all SingPass users to take the necessary precautions to enhance their cyber security. They should ensure that they use strong passwords to access not only SingPass but all the other e-Services they subscribe to. Strong passwords contain a combination of numerical figures, capital letters and are at least eight characters long. Users should also install anti-virus software and update all their software regularly," said Ms Jacqueline Poh, Managing Director of the Infocomm Development Authority of Singapore.
The Singapore Government takes cyber security very seriously. The protection of personal data and the delivery of secure e-Services are critical. We will continue to strengthen all Government e-Services as part of on-going efforts to enhance security. Users can visit the GoSafe Online website at www.gosafeonline.sg to learn more about how to protect themselves against cyber threats or seek assistance.
SingPass offers tips for better online security. Here are some do's and don'ts:
- Keep your SingPass confidential and do not disclose it to anyone.
- Change your SingPass on a regular basis, e.g. every 90 days.
- Log off your online session once you have completed your transactions.
- Clear your browser's cache or internet history after each session.
- Keep your computer and mobile devices updated with the latest anti-virus and firewall updates.
- Install mobile applications only from a trusted store. For Government mobile-services (m-services), check if the Mobile Application is published at mGov@SG website http://app.mgov.gov.sg/Default.aspx
- If you suspect your SingPass has been compromised, reset your SingPass immediately at the appointed counter locations island-wide.
- Do not store any Login ID or password information on your browser. You may refer to the user guide of your browser to disable this feature.
- Do not access online services with your SingPass by connecting to unknown Wi-Fi providers.
- Do not access online services with your SingPass at internet cafes or using mobile devices belonging to others.