A folder containing personal data of 6,541 accountants in Singapore was “inadvertently” sent to multiple parties, in a security lapse that was uncovered only months after when a review was conducted. The incident exposed personal details such as names, national identification number, date of birth, and employment information.
The incident occurred under the watch of the Singapore Accountancy Commission (SAC), a statutory body under the Ministry of Finance, which said in a statement Friday that 41 individuals in 22 organisations had received the folder containing the personal data.
The details were sent out in multiple email messages between June 12 and October 22 this year to the 22 organisations, which comprised 21 Accredited Training Organisations (ATO) and one vendor. The email was sent to inform them of “administrative matters”, the SAC said.
ZDNet understands that the email was sent to new ATOs to notify them of various administrative issues such as logos to use. There are more than 300 of such organisations in the country.
The affected individuals were past and current candidates of the Singapore Chartered Accountant Qualification programme as well as ATO personnel and other executives involved in the administration of the qualification scheme before May 17, 2019.
SAC said it uncovered the lapse on November 7 after it implemented a “new data protection filter” as part of the recommendations by the Public Sector Data Security Review Committee. Four days later, on November 11, the commission contacted the 22 organisations that received the folder “to request that they delete the data folder” as well as ascertain whether the folder had been forwarded to other parties.
To date, all 22 companies said they had deleted the folder, including any forwarded data. The SAC, however, did not disclose if, and how many, other parties had received or accessed the data.
It said all affected individuals were informed, on November 22, about the “unintentional disclosure”. It added that it had notified the Personal Data Protection Commission about the lapse.
“The SAC takes a serious view of this Incident and deeply regrets this mistake. The SAC will set up a panel to review the incident and make any necessary recommendations,” the SAC said, adding that this panel would be comprised members from the SAC board as well as the Smart Nation and Digital Government Office and the Public Service Division.
ZDNet has sent the SAC followup questions regarding the security lapse, including whether efforts were made to ascertain if the personal had been listed on the dark web and whether other lapses were uncovered during the review. This article will be updated when the commission responds.
The Singapore government in July said its agencies would roll out several new “technical measures” for existing and new systems, including automated detection of email containing sensitive data and stronger encryption for files. These were part of “interim” recommendations deemed necessary following a review of the public sector’s cybersecurity infrastructure and policies, which itself was carried out after a series of data breaches involving government entities.
A committee set up to evaluate how the government secured and protected citizens’ data stressed the need to boost the sector’s data security regime amidst rising threats. It added that government systems were increasingly complex and there was growing demand for the use of data to facilitate digital services for the public.
The Singapore government, though, remained firm on its view that the public sector must be excluded from the country’s Personal Data Protection Act because of “fundamental differences” in how these organisations operated, which required “a different approach” to personal data protection compared to the private sector.