More than 1,500 SingPass accounts accessed 'illegitimately': IDA

More than 1,500 SingPass accounts accessed 'illegitimately': IDA

In a hastily-called press conference late Wednesday evening, the Infocomm Development Authority (IDA) said it was notified on June 2 by its contractor, locally-based CrimsonLogic, that a number of SingPass users had received a SingPass reset notification letter although they did not request for any password reset.


Get the full story from The Straits Times.

Here is the statement from IDA:

On Monday, June 2, 2014, IDA was notified by the SingPass operator that a number of SingPass users had received a SingPass Password Reset Notification Letter even though they did not request for any password reset.

IDA's preliminary investigations revealed that 1,560 users' IDs and passwords had potentially been accessed without the users' permission.

An anomaly was detected between the number of mobile numbers used for Immediate Reset One-Time Passwords and the number of SingPass accounts that they were tied to.

Of these 1,560 users, 419 passwords were also reset triggering the SingPass Password Reset Notification Letters to be sent to the registered address of the actual account holder.

A police report was lodged on June 3, 2014 and the matter is currently under investigation.

Based on IDA's checks, there is no evidence to suggest that the SingPass system has been compromised.

The passwords of all affected users have been reset and we are in the process of notifying them of this incident.

"For every individual, this incident underlines the importance of taking personal responsibility for cyber security. The Government strongly urges all SingPass users to take the necessary precautions to enhance their cyber security. They should ensure that they use strong passwords to access not only SingPass but all the other e-Services they subscribe to. Strong passwords contain a combination of numerical figures, capital letters and are at least eight characters long. Users should also install anti-virus software and update all their software regularly," said Ms Jacqueline Poh, Managing Director of the Infocomm Development Authority of Singapore.

The Singapore Government takes cyber security very seriously. The protection of personal data and the delivery of secure e-Services are critical. We will continue to strengthen all Government e-Services as part of on-going efforts to enhance security. Users can visit the GoSafe Online website at www.gosafeonline.sg to learn more about how to protect themselves against cyber threats or seek assistance.

SingPass offers tips for better online security. Here are some do's and don'ts:

DO's

- Keep your SingPass confidential and do not disclose it to anyone.

- Change your SingPass on a regular basis, e.g. every 90 days.

- Log off your online session once you have completed your transactions.

- Clear your browser's cache or internet history after each session.

- Keep your computer and mobile devices updated with the latest anti-virus and firewall updates.

- Install mobile applications only from a trusted store. For Government mobile-services (m-services), check if the Mobile Application is published at mGov@SG website https://app.mgov.gov.sg/Default.aspx

- If you suspect your SingPass has been compromised, reset your SingPass immediately at the appointed counter locations island-wide.

DON'Ts

- Do not store any Login ID or password information on your browser. You may refer to the user guide of your browser to disable this feature.

- Do not access online services with your SingPass by connecting to unknown Wi-Fi providers.

- Do not access online services with your SingPass at internet cafes or using mobile devices belonging to others.

Source: www.singpass.gov.sg

This website is best viewed using the latest versions of web browsers.