Singapore has just seen its criminal justice system fall victim to a data breach, as the State Courts have disclosed that they have become aware of an incident affecting a large number of e-case files. According to officials, their investigation concluded that a loophole in the electronic system allowed unauthorised users to gain access.
Loophole Allowed Unauthorised Access to Accused Person Portal
According to ZDNet, the issue was identified on November 1, when authorities were first alerted to a vulnerability in the Integrated Criminal Case Filing and Management System (ICMS). Launched in 2013, the ICMS is used by a wide range of stakeholders in criminal proceedings, including lawyers, the State Courts, the Attorney General, the police and the Singapore Prison Service. In 2017, the ICMS expanded to include the Accused Person online portal. Accused persons can log into the portal using their unique e-citizen account through SingPass, which is also used to access other online government services. SingPass is widely regarded as having a strong focus on security, as the service allows users to set up two-factor authentication. Accused persons can use the portal to review the details of their case and to upload into their file the documents required for criminal proceedings.
Breach Affected Sensitive Personal Data
This means that the system contains sensitive personal data, most notably information on the criminal records of those involved in a case. The breach highlights the need to improve data security when sensitive information is at risk, by correctly identifying and classifying personal data as sensitive, as well as by implementing technical safeguards. This includes measures such as data masking, a process through which intelligent masking algorithms replace real data with realistic yet fictional data. In the case of the Accused Person portal, no such safeguards had reportedly been implemented, which resulted in users gaining unauthorised access to e-case files other than their own in at least 223 instances. Although the data accessed was not in any way tampered with, it seems that the loophole enabled access to information such as name, address, gender, and criminal charges in specific cases.
Authorities Work to Immediately Address System Vulnerability
The State Courts have notified the persons who were affected by the incident, but it remains unclear whether they have also alerted the country’s Cyber Security Agency, an obligation that stems from the Cybersecurity Act. The breach has also been reported to the police, while cybersecurity was increased across the system to fix the flaw and ensure that the incident would not be repeated. Even though the scale of the incident was relatively small compared to other data breaches worldwide, like the 2017 Uber breach that saw 57 million user accounts compromised or the two Yahoo data breaches that were uncovered in 2016 and saw a combined 3.5 billion users impacted, the news is still alarming, especially since it comes on the heels of an incident last July that saw roughly 1.5 million patient files compromised after a hacker attack on the SingHealth healthcare database, including personal data on PM Lee Hsien Loong.
As the authorities are still working to mitigate the consequences, this latest breach raises concerns about Singapore’s readiness to adequately protect its online systems from malicious third parties.