IDA reports breach of SingPass accounts

[SINGAPORE] Some 1,560 SingPass accounts had potentially been accessed without the users' authorisation before June 2, and of these affected accounts, 419 have had their passwords reset, said the Infocomm Development Authority of Singapore (IDA) yesterday, in what is believed to be the largest such breach in Singapore to-date.

There is no evidence however - based on IDA's checks - to suggest that the SingPass system has been compromised, said Jacqueline Poh, managing director of the IDA, at yesterday's media briefing.

No compromise or loss of data linked to other government e-services have been reported by the affected users as at Wednesday, The Business Times understands.

The IDA first learnt of the breach on Monday, when SingPass operator CrimsonLogic reported that 11 SingPass users had received a SingPass Password Reset Notification Letter even though they had not requested for a password reset.

These 11 users were among the 419 users whose account passwords had been reset without their knowledge.

The IDA added that it had detected in its system an anomaly between the number of mobile numbers used for the "Immediate Reset" service and the number of SingPass accounts they were tied to.

A police report was then lodged on Tuesday, and the matter is now under investigation, the IDA said.

As at yesterday, all 1,560 affected SingPass users have had their passwords reset and their "Immediate Reset" functions deactivated. They will also be receiving letters by post from the IDA notifying them of this incident.

The "Immediate Reset" function, introduced as an opt-in service in November 2007, allows a SingPass user who has forgotten his SingPass password to request for an online reset of his password immediately.

To use this service, the user will need to pre-register his mobile phone number and answer two security questions.

In the event he forgets his password and chooses to use the "Immediate Reset" function, he will first need to provide answers to the two security questions. If the answers match, a one-time password will be sent to his mobile phone before he is prompted to enter a new password.

All of this suggests that the culprits behind this breach must have got hold of the users' NRIC numbers and passwords.

"The government strongly urges all SingPass users to ensure they use strong passwords to access not only SingPass but all the other e-services they subscribe to," said Ms Poh.

Strong passwords should contain a combination of numerical figures and capital letters and are at least eight characters long, she added.

Currently, SingPass uses a single-factor authentification system such that users only need to remember one password to access the system. More than 64 government agencies, among them the Central Provident Fund Board and the Inland Revenue Authority of Singapore, use SingPass to provide e-services to some 3.3 million users.

"We will continue to explore the use of two-factor authentication for e-government transactions, particularly for those involving sensitive data. In the meantime, we have put in place multiple levels of security such as Captcha (a code one can get from reading the characters within a small image box displayed on the screen) and sending letters to your residential addresses when SingPass passwords have been changed," said Ms Poh.

Last December, Standard Chartered Bank reported that bank statements belonging to some 647 of its private banking clients had been stolen from one of the servers at Fuji Xerox Singapore, which provides printing services to the bank.

The stolen data was discovered by the police on a computer belonging to alleged hacker James Raj Arokiasamy.