Hacktivist group Anonymous has threatened to make public the personal data of employees linked to the Singapore government, in response to recent arrests of individuals linked to the group which it has deemed unfair.
The personal information of 10 people was part of a statement shared with ZDNet, which it plans to make public over the next day. This included their names, government e-mail addresses, birthdates, nationalities, passport numbers and mobile phone numbers.
"Ball is in your court, start showing a sense of justice and fairness, or you will find yourself facing the final boss of the internet, you are an island, we are a legion that spans the entire globe."
Anonymous described the list as "the tail end of a file containing the personal information of thousands of people associated with a certain Singaporean security corporation that does much business with the government".
It pointed out this list contained specifically just a handful of the records relating to government employees. Based on the e-mail addresses, the people on the list are from a range of agencies such as the Singapore Prison Service, Immigration and Checkpoints Authority (ICA), national water agency PUB, Ministry of Manpower (MOM), National Library Board (NLB), Singapore Police Force (SPF), National Environment Agency (NEA), Central Narcotics Bureau (CNB), and Accounting and Corporate Regulatory Authority (ACRA).
"Ball is in your court, start showing a sense of justice and fairness, or you will find yourself facing the final boss of the internet, you are an island, we are a legion that spans the entire globe," Anonymous said in the statement.
However, checks by ZDNet found the currency and accuracy of the list were inconsistent and some data outdated. While some sets of information were correct, it also contained a few phone numbers that were no longer in use, at least one set of passport numbers did not match up with birthday information, and some e-mail addresses were not current.
Taking issue with recent arrests
Anonymous took issue with two arrest cases last November. One involved James Raj Arokiasamy, alleged to be the hacker under the moniker "Messiah", linked to the defacement of at least one government Web site. The group took issue with what it deemed to be a "heavy handed approach" by Singapore authorities in their treatment of James, who allegedly had his access to legal counsel impeded while undergoing tests at the Institute of Mental Health for his psychiatric condition.
The other case involved Melvin Teo and Delson Moo, arrested for modifying the contents of a government server via a cross-site scripting exploit. Anonymous described the second case as "stretches credulity to breaking point" with the actual charges "nonsensical".
Investigations into possible breach underway
In response to the cyberthreat, Infocomm Development Authority of Singapore (IDA) told ZDNet it was looking into any possible compromise of employee records and has alerted the police.
"The Singapore Government takes cybersecurity seriously. We do not condone actions designed to intimidate the government," said the IDA spokesperson. The infocomms regulator added all agencies currently have to comply with government IT security policies and best practices such as conducting regular security tests, scans for vulnerabilities as well as conducting security reviews and audits.
Security policies include the requirement to protect all their data against unauthorized access, disclosure or modification, whether accidental or intentional. "Where third party vendors are involved, service level agreements are in place to ensure that they maintain the required level of security," IDA added.
Last month, the hacktivist group issued a statement on Pastebin calling for a Tweet Storm on government Twitter accounts in a move to protest against other arrests and a recently introduced licensing scheme for local news sites.
However, plans to apparently get a flood of Tweets to overwhelm those accounts did not appear to materialize. IDA had also played down the threat then, saying the "tweetstorm will not affect Government network infrastructure".
Updated 12.36am February 8, 2014 with IDA response
Update 9am February 8, 2014: The statement by Anonymous has been made public over a pastebin, but we are not linking to it due to the sensitivity of some information.