There were 178 incidents of data breaches in the Singapore public sector in 2021, up 65 percent over the 108 cases reported in 2020 but unlike some incidents in previous years, none of the breaches was of a serious nature, according to government sources.
The information was shared in an update by the Smart Nation and Digital Government Office (SNDGO).
The update was the third by the government on personal data protection efforts since it accepted the recommendation made by the Public Sector Data Security Review Committee (PSDSRC) in November 2019 to enhance transparency on how the government uses and secures citizen data.
The SNDGO said the overall increase in data incidents reported in 2021 mirrors trends seen in the private sector and globally, as the exchange and use of data continues to grow.
The increase also reflects the improved awareness among public officers of the need to safeguard data, and to report every incident regardless of the severity, it added.
Out of the 178 government data incidents, 14 were detected as a result of public reports made to the Government Data Security Contact Centre (GDSCC).
The centre was set up in April 2020 for members of the public to report data incidents involving government data or government agencies and seeks to strengthen the government’s capabilities to detect data incidents.
As a part of its efforts to improve data security, the government in May this year launched the whole-of-government data loss protection (DLP) suite.
The suite is intended to prevent the accidental loss of sensitive data from government networks, systems and devices and uses technical and process controls to detect risky user activities.
When such activities are detected, the DLP tools prompt the user to take certain actions, such as confirming that the data was intended to be transferred, before proceeding to do so.
It would also stop anomalous data transfer altogether to prevent any loss of data, the SNDGO said.
As of March 31 this year, the DLP tools have been deployed to the whole-of-government email service and secure internet gateway.
The tools will be deployed to all government-issued laptops to public sector employees in August 2022.
Respond swiftly
SNDGO said the government recognises that it is not possible to eliminate data incidents entirely, but “we should have the expertise and ability to respond swiftly when they occur”.
It said that in order to ensure that the public service is equipped to respond to data incidents at the whole-of-government level, it conducted inaugural central ICT and data incident management exercises in September 2021.
The exercises involved 33 agencies across five ministries.
The exercise scenarios included prevalent threats such as supply chain attacks and ransomware incidents leading to disruption of services.
SNDGO said the exercises prepared government departments to provide a “coordinated response and tested the capabilities of agencies to respond effectively”.
It added that agencies that did not participate in the central exercises carried out their own exercises to test their officers’ readiness in effectively containing and managing the impact of data incidents.
It added that developing the public service’s capabilities and instincts in managing and securing data is an ongoing endeavour.
“Overall, the government’s initiatives have helped to improve the public sector’s data security posture… The government will continue to enhance our protection efforts to safeguard the data of both citizens and businesses,” the statement said.
