Despite a security breach involving 1,560 accounts, the Singapore government insists the country's e-government login system is not vulnerable and instead suggests users need to do more to protect their own accounts.
Minister for Communication and Information Yaacob Ibrahim said in a parliament session Monday that there was no vulnerability in the SingPass system, noting that the breach reported last month could have been the result of weak user passwords or malware. There are more than 3.3 million SingPass accounts, which citizens use to access over 340 e-government services including filing income taxes, checking balances in the national retirement fund, and registering new businesses.
The security breach affected 1,560 SingPass users who had received notifications that their passwords had been reset, despite not requesting to do so. As a result, their accounts might have been accessed without their permission, according to a statement released last month by ICT regulator, Infocomm Development Authority of Singapore (IDA).
Although there were no reports of illegal access then, three of the 1,560 SingPass accounts were later found to have been used to apply for work passes. Discovered last week, these fraudulent applications were immediately canceled.
Maintaining that the system remained secured, Yaacob said in parliament the breach could had been the result of weak passwords or malware that had been installed in the affected users' personal computers, allowing hackers to capture user IDs and passwords through keystroke logging tools.
He added that the incident underscored the importance of "taking personal responsibility for cybersecurity". All SingPass users should take the necessary precautions to enhance their cybersecurity, specifically, using strong passwords to access their accounts as well as other e-services. Users should also update their antivirus software to protect their personal data, Yaacob said.
He said his ministry will work with the Finance Ministry and IDA to boost security involving e-government services, including the introduction of two-factor authentication (2FA) for services that require transactions or deal with sensitive data. He revealed that a tender had been awarded in April to begin work on a new SingPass system that would allow users to define their own usernames. Currently, a citizen's national identification number is used as the default username.
The use of 2FA will be determined by individual government agencies, which will each implement the security measure at different timelines later this year, Yaacob said.
There had been previous breaches involving SingPass, where an affected user in 2012 said his account was hacked and used in visa applications. With the Singapore government aiming to transform the country into a "smart nation", which includes initiatives to capture and analyze massive amount of data through sensors, it will need to ensure its systems and citizens' data are adequately secured.