Breach of IBM-managed environment exposes personal data of 70,000 in Singapore


The Singapore Land Authority (SLA) has revealed that the personal information of about 70,000 individuals was exposed following unauthorised access to a cloud environment managed by IBM, its technology supplier.

IBM was appointed to support and maintain SLA’s Singapore Titles Automated Registration System (Stars) and eLodgment System (ELS), which underpin property title registration and the lodgement of property documents in the city-state. As part of that work, the supplier managed the development and systems integration testing environment for the two systems.

In a statement on 3 July 2026, SLA said it had been informed by IBM of the incident, with preliminary investigations indicating that a dataset created solely for development and testing purposes had been accessed without authorisation.

The dataset, created in 1998 and updated periodically over the years, was meant to contain only mock and anonymised testing data based on property ownership and lodgement records. However, SLA said it has since uncovered that the dataset also contained the names, NRIC (National Registration Identity Card) numbers and property addresses of the affected individuals at the time.

“This information should have been anonymised but was not,” the agency said, adding that investigations are ongoing to determine how this occurred.

SLA noted that the affected environment is “distinct and separate” from its operational systems, with no connection to, or compromise of, the live systems that run Stars, ELS or any other SLA systems. Property ownership and lodgement records remain secure and unaffected, it added.

IBM has revoked access associated with the affected environment to prevent further unauthorised access, while SLA has identified the individuals whose information was contained in the dataset and has begun notifying them and advising them on how to seek further information and assistance.

The agency is working with IBM, the Government Technology Agency and the Cyber Security Agency of Singapore (CSA) to establish the full facts and ensure remedial measures are taken. It has also lodged a police report and notified the Personal Data Protection Commission, and urged the public to remain vigilant against phishing emails, websites, text messages and phone calls from parties claiming to represent government agencies or other organisations.

“We apologise for the concern and inconvenience this incident may cause,” SLA said.

The incident underscores the long-standing risk of real personal data finding its way into development and test environments, which are typically less closely guarded than production systems – a risk that is compounded when those environments are operated by third parties.

It is also the latest in a series of supply chain security incidents in Singapore in recent years. In April 2025, Toppan Next Tech, a printing vendor for DBS Bank and the Singapore branch of Bank of China, was hit by a ransomware attack that saw customer data stolen by the threat actor. Some 8,200 DBS customers – mostly holders of DBS Vickers trading accounts and Cashline loans – and around 3,000 Bank of China customers were potentially affected.

A year earlier, in August 2024, a hacker who gained unauthorised access to Mobile Guardian, a mobile device management platform then deployed across Singapore’s schools, remotely wiped the iPads and Chromebooks of about 13,000 students from 26 secondary schools. The Ministry of Education subsequently removed the software from all student devices and terminated its contract with the supplier.

Singapore’s exposure to third-party risk is well documented. An analysis of breaches released last year by security ratings firm SecurityScorecard found that the city-state had the highest rate of third-party breaches globally, at 71.4% of incidents recorded there.

Concerns over supply chain threats were among the drivers of amendments to Singapore’s Cybersecurity Act passed in May 2024, which expanded incident reporting obligations for critical information infrastructure owners to cover incidents affecting supplier systems connected to their infrastructure. Key provisions of the amended Act came into force on 31 October 2025.



Source link

Leave a Reply

Your email address will not be published. Required fields are marked *