Around 70,000 people’s personal details exposed in SLA data breach involving IBM-managed cloud environment
About 70,000 people may have had their personal information exposed after unauthorised access was detected in a cloud environment managed by IBM for the Singapore Land Authority (SLA).
SLA disclosed the incident on 3 July, saying IBM had alerted the authority to the breach.
IBM had been appointed to support and maintain two of SLA’s systems, the Singapore Titles Automated Registration System (STARS) and eLodgment System (ELS).
As part of that role, IBM managed a separate cloud environment used to develop and test these systems before any changes were made to the live versions.
Personal data should have been anonymised
Preliminary investigations found that the unauthorised access involved a data set created only for vendor development and testing.
The data set was first created in 1998 and updated from time to time over the years.

Source: Wikimedia Commons, for illustration purposes only
It was supposed to contain only mock and anonymised testing data based on property ownership and lodgement records.
However, SLA later found that the data set also contained the names, NRIC numbers, and property addresses at the time of about 70,000 individuals.
According to SLA, this information should have been anonymised.
Investigations are ongoing to find out how the personal data ended up in the testing environment.
Live SLA systems not affected
SLA stressed that the affected cloud environment was used for development and testing, and is separate from its live operational systems.
It added that there has been no compromise of the live STARS and ELS systems, or any other SLA systems.

Source: Singapore Good Design Awards, for illustration purposes only
This means the property ownership and lodgement records used in SLA’s day-to-day operations remain secure and were not affected by the incident.
IBM has since removed access linked to the affected development and testing environment to prevent further unauthorised access.
Affected individuals being notified
As a precaution, SLA has identified the people whose information was found in the affected data set and has started notifying them.
Those affected are also being advised on where they can seek more information and assistance.
SLA said it is working with IBM, the Government Technology Agency of Singapore (GovTech), and the Cyber Security Agency of Singapore (CSA) to investigate the incident, establish the full facts, and ensure that remedial measures are taken.
The authority has also lodged a police report and notified the Personal Data Protection Commission (PDPC).
As investigations are still ongoing, members of the public are advised to stay alert to phishing emails, fake websites, text messages, or phone calls from parties claiming to represent government agencies or other organisations.
SLA also apologised for the concern and inconvenience caused by the incident.
Also Read: Several M’sian government websites hacked, believed linked to website software flaw
Several M’sian government websites hacked, believed linked to website software flaw
Have news you must share? Get in touch with us via email at hello@mustsharenews.com
Featured image adapted from Singapore Good Design Awards, for illustration purposes only.





