Airlines and Relevant Authorities Safeguard Passenger information

14 Mr Saktiandi Supaat asked the Minister for Transport in light of the recent British Airways data breach (a) whether local airlines are knowledgeable about such data breaches; (b) whether there have been any hacking attempts in the past three years; (c) how are local airlines working with other international airlines and relevant authorities to safeguard the information of local and international passengers; and (d) whether existing air passenger protection legislation can be beefed up to protect passengers' rights in the event of a cybersecurity breach.

The Senior Minister of State for Transport (Dr Janil Puthucheary) (for the Minister for Transport): Mr Speaker, the recent British Airways (BA) data breach and the SingHealth cyberattack are sharp reminders that with the greater adoption of digitalisation, all industries face cybersecurity threats. Our operating assumption is that our airlines will be targets, and they must do their best to protect themselves against such threats, and have a robust plan to prevent, detect, and recover should an attack succeed. They must also exercise their plan regularly so that all staff are fully aware of such a threat and take it seriously.

The Civil Aviation Authority of Singapore (CAAS), as the cybersecurity lead for the aviation sector, works closely with Singapore carriers to strengthen their cybersecurity capabilities. CAAS also regularly shares cybersecurity-related information, including from the Cyber Security Agency (CSA), and best practices with them, and conducts joint cybersecurity exercises.

The Singapore carriers' approach includes safeguarding their systems to prevent, detect, and respond to hacking attempts and mitigate the potential impact. They monitor cyber threats through their Security Operations Centres, and carry out regular testing of their websites for vulnerabilities and screening for malicious web traffic. They also closely monitor reports of breaches, and collaborate with others on cybersecurity. They are part of the Aviation Information Sharing and Analysis Center (ISAC), a non-profit organisation that fosters the sharing of information on physical and cyber threats to aviation and best practices on mitigation, and they also participate in the Cybersecurity Workgroup under the International Air Transport Association (IATA).

With respect to the security of passenger data, Singapore carriers are also required to comply with the Personal Data Protection Act and the data protection regulations of other states which they fly to.

As regards the BA data breach, the investigation is still on-going. As a precaution, SIA has performed checks and confirmed that there are no unauthorised codes on its payment webpage. SIA is mindful that sophisticated attackers will continue to probe for vulnerabilities, and will remain vigilant and conduct regular checks and penetration tests on all scripts on its website. It will also continue to observe stringent data security standards for credit card payment processing.

Mr Speaker: Mr Saktiandi.

Mr Saktiandi Supaat (Bishan-Toa Payoh): Mr Speaker, Sir, I would like to thank the Senior Minister of State for answering my question. I got a quick follow-up supplementary question to his answer. Essentially, my question (d). Are there any plans to beef up even further legislation to protect passenger in the case of a cybersecurity breach, if it does happen? We do not want it to happen, but in case it happens, are there any plans for further legislation for the air passengers' protection?

Dr Janil Puthucheary: Mr Speaker, we have enacted the Cybersecurity Act this year and aviation is one of the critical information infrastructure domains that will be affected by the operations of the cybersecurity agency commissioner. The cybersecurity commissioner appoints an assistant commissioner who can then look at this sector.

The implications of the Cybersecurity Act on the critical information infrastructure within the aviation industry will have an impact and will improve passenger safety as well as the safety of the operations of the industry.