SingPass breach was 'not due to system flaw'

A system vulnerability was not to blame for the breach of 1,560 SingPass accounts discovered last month, Parliament was told yesterday.

Minister for Communications and Information Yaacob Ibrahim said experts had scanned different layers of protection at the network and found that hackers did not break into government systems to steal data. That means that no other accounts were compromised. "The perpetrator may have obtained the users' SingPass credentials through another means," said Dr Yaacob.

One such way suggested previously by the Infocomm Development Authority (IDA) was through "brute force" attacks - a common way of cracking passwords by systematically trying every possible combination of letters, numbers and symbols until it works.

Dr Yaacob noted that the use of simple passwords that are easy to crack is widespread.

He was responding to questions from Mr Zaqy Mohamad, a People's Action Party MP in Chua Chu Kang GRC, and Non-Constituency MP Yee Jenn Jong of the Workers' Party on the outcome of the investigation.

Police are still investigating how the majority of the accounts were breached.

Last Friday, the Ministry of Manpower and the IDA said that three tampered accounts were fraudulently used to make six work pass applications.

The work passes have since been cancelled, although it is not known who applied for them and when the applications were made. SingPass also secures residents' filing of income tax returns and access to Central Provident Fund accounts.

The security scare was discovered when SingPass operator CrimsonLogic, a local e-government solutions provider, received calls from 11 users to say that their SingPass passwords had been reset - even though they had not requested it.

Subsequent investigations revealed that, in total, 1,560 accounts were involved, and 419 users eventually had their passwords reset. In an effort to improve security, Dr Yaacob said the IDA is exploring mandating more frequent password changes for SingPass accounts through a new SingPass system to be launched by the third quarter of next year.

Users may be allowed to set their own usernames instead of using their NRIC numbers.

Government agencies will also require two-factor authentication (2FA) for e-transactions involving sensitive data.

This involves entering a one-time password, which is sent as a text message to a user's mobile phone, to access e-government services.

Asked why 2FA was not introduced earlier, Dr Yaacob said: "Bear in mind that there are three million users of SingPass accounts (with) varying capability and expertise (on) the use of the Internet... but we recognise that Singaporeans now are in favour of further authentication."

This article was first published on July 08, 2014.
Get a copy of The Straits Times or go to for more stories.