Singapore hit by 41 cases of personal data loss in past three years

There were 30 cases that involved missing laptops, whilst 11 cases affected specific individuals.

The government reported 41 cases involving the loss of personal data to the police in the last three years, according to deputy prime minister Teo Chee Hean.

In a written response to a query by associate professor Walter Theseira on the number government personal data information security incidents reported to the police or the Personal Data Protection Commission (PDPC), Teo revealed that 30 of the cases involved missing laptops although no specific individual’s data was compromised.

Government laptops were said to be protected by encryption and lost laptops were immediately blocked from the Government network once reported.

In a total of seven incidents, the affected individuals were notified of the breach, whilst four cases were reported to both the individuals affected and the general public.

“Amongst these 11 cases, it took an average of three weeks from the police report to notify the individual,” he noted. “This was the time taken to identify the exact individuals affected, and assess the extent of loss, to give an accurate report of the situation to the affected individuals and recover or safeguard evidence for potential future prosecution.”

He further highlighted that these incidents are not reported to the PDPC, as it is not their function to investigate government-related incidents. Loss of personal data by government agencies is reported to the policy when there is suspected foul play, or when a physical asset such as a laptop is missing.

According to his written response, Teo noted that the reports were made in a timely manner, with 80% submitted on the same day as the discovery of the incident.

“From time to time, there are also incidents of data mishandling that are reported internally but not to the policy,” he admitted, explaining how such incidents typically involve the mailing of letters containing personal information to the wrong recipient or mass emails in which offers mistakenly include all recipients’ email addresses.

In these cases, police assistance or intervention is not required. The affected agencies will inform and apologise to affected individuals, and follow up with the necessary staff education and discipline to avoid a future occurrence.