A folder containing personal data of 6,541 accountants in Singapore was "inadvertently" sent to multiple parties, in a security lapse that was uncovered only months after, when it implemented an email protection tool as part of a government-wide deployment. The incident exposed personal details such as names, national identification number, date of birth, and employment information.
The incident occurred under the watch of the Singapore Accountancy Commission (SAC), a statutory body under the Ministry of Finance, which said in a statement Friday that 41 individuals in 22 organisations had received the folder containing the personal data. The affected individuals were past and current candidates of the Singapore Chartered Accountant Qualification programme as well as ATO personnel and other executives involved in the administration of the qualification scheme before May 17, 2019.
Their details were sent out in multiple email messages between June 12 and October 22 this year to the 22 organisations, which comprised 21 Accredited Training Organisations (ATO) and one vendor. These were sent to inform them of "administrative matters", said the SAC, which declined to reveal the names of the 22 organisations when asked.
ZDNet understands that the email messages, similar in content, were sent to new ATOs to notify them of various administrative issues such as the use of logos. There are more than 300 of such organisations in the country.
SAC said it uncovered the lapse on November 7 because it had implemented a "new data protection filter" in its email system on October 23, as part of the recommendations by the Public Sector Data Security Review Committee. The tool, which was part of the government's email protection software was introduced across all public sector agencies. It had triggered a notification when an SAC employee tried to send the email, stating that it could not be sent as it contained sensitive information.
This led to the revelation that the other email messages, sent out between June 12 and October 22, should not have contained the data folder.
Four days later, on November 11, the commission contacted the 22 organisations that received the folder "to request that they delete the data folder" as well as ascertain whether the folder had been forwarded to other parties. To date, all 22 companies said they had deleted the folder, including any forwarded data. The SAC, however, did not disclose if, and how many, other parties had received or accessed the data.
Asked what efforts the commission was making to ascertain if the personal data had been published online or sold on the dark web, SAC's chief executive Evan Law noted that the 22 organisations had provided "written declarations" that all unintended recipients of the data folder had deleted the email and data.
He told ZDNet in an email: "All primary and secondary recipients have provided an official statement to SAC via email stating that they have deleted folder and not forwarded the folder further."
Law did not comment directly on whether the commission was investigating to ensure that the data had not been published online.
Asked about further remediation since the incident had been highlighted as a security risk, he replied: "Sending out this administrative email is not a security risk as it was by mistake that a staff attached the data file."
ZDNet also asked if the Cyber Security Agency was notified about the incident, to which Law said: "There is no need for SAC to notify CSA of the data incident as it is not cyber-related."
According to the SAC, all affected individuals were informed, on November 22, about the "unintentional disclosure". It added that it had notified the Personal Data Protection Commission about the lapse.
"The SAC takes a serious view of this Incident and deeply regrets this mistake. The SAC will set up a panel to review the incident and make any necessary recommendations," the SAC said, adding that this panel would be comprised members from the SAC board as well as the Smart Nation and Digital Government Office and the Public Service Division.
The Singapore government in July said its agencies would roll out several new "technical measures" for existing and new systems, including automated detection of email containing sensitive data and stronger encryption for files. These were part of "interim" recommendations deemed necessary following a review of the public sector's cybersecurity infrastructure and policies, which itself was carried out after a series of data breaches involving government entities.
A committee set up to evaluate how the government secured and protected citizens' data stressed the need to boost the sector's data security regime amidst rising threats. It added that government systems were increasingly complex and there was growing demand for the use of data to facilitate digital services for the public.
The Singapore government, though, remained firm on its view that the public sector must be excluded from the country's Personal Data Protection Act because of "fundamental differences" in how these organisations operated, which required "a different approach" to personal data protection compared to the private sector.