In a hastily-called press conference late Wednesday evening, the Infocomm Development Authority (IDA) said it was notified on June 2 by its contractor, locally-based CrimsonLogic, that a number of SingPass users had received a SingPass reset notification letter although they did not request for any password reset.
Get the full story from The Straits Times.
Here is the statement from IDA:
On Monday, June 2, 2014, IDA was notified by the SingPass operator that a number of SingPass users had received a SingPass Password Reset Notification Letter even though they did not request for any password reset.
IDA's preliminary investigations revealed that 1,560 users' IDs and passwords had potentially been accessed without the users' permission.
An anomaly was detected between the number of mobile numbers used for Immediate Reset One-Time Passwords and the number of SingPass accounts that they were tied to.
Of these 1,560 users, 419 passwords were also reset triggering the SingPass Password Reset Notification Letters to be sent to the registered address of the actual account holder.
A police report was lodged on June 3, 2014 and the matter is currently under investigation.
Based on IDA's checks, there is no evidence to suggest that the SingPass system has been compromised.
The passwords of all affected users have been reset and we are in the process of notifying them of this incident.
"For every individual, this incident underlines the importance of taking personal responsibility for cyber security. The Government strongly urges all SingPass users to take the necessary precautions to enhance their cyber security. They should ensure that they use strong passwords to access not only SingPass but all the other e-Services they subscribe to. Strong passwords contain a combination of numerical figures, capital letters and are at least eight characters long. Users should also install anti-virus software and update all their software regularly," said Ms Jacqueline Poh, Managing Director of the Infocomm Development Authority of Singapore.
The Singapore Government takes cyber security very seriously. The protection of personal data and the delivery of secure e-Services are critical. We will continue to strengthen all Government e-Services as part of on-going efforts to enhance security. Users can visit the GoSafe Online website at www.gosafeonline.sg to learn more about how to protect themselves against cyber threats or seek assistance.