Written Answer

Breaches of Singpass in Last Five Years and Steps to Enhance Its Security

Summary

This question concerns potential Singpass security breaches over the last five years and steps to enhance system security, as raised by Mr Liang Eng Hwa. Minister Josephine Teo stated that no cybersecurity breaches of the Singpass system were detected during this period and highlighted the Government Technology Agency’s use of crowdsourced vulnerability discovery programmes. She noted that higher-risk transactions now require additional safeguards, such as facial verification, to counter phishing and social engineering beyond standard two-factor authentication. The Minister also urged banks and telecommunications companies to strengthen their defences to foster a more resilient national cybersecurity ecosystem. Finally, she stressed that a vigilant public remains the best defence against scams, complementing the government’s ongoing technical improvements to the Singpass system.

Transcript

49 Mr Liang Eng Hwa asked the Minister for Communications and Information (a) whether there have been any security breaches of Singpass in the last five years; and (b) how can the security of Singpass be continually strengthened to remain trusted yet easily accessible.

Mrs Josephine Teo: There were no cybersecurity breaches of the Singapore Personal Access (Singpass) system detected in the last five years. The Government Technology Agency (GovTech) continually strengthens the Singpass system against potential breaches. In addition to cybersecurity testing conducted by the Government, crowdsourced vulnerability discovery programmes are applied to Singpass. These include the Vulnerability Reward Programme, Vulnerability Disclosure Programme and the Government Bug Bounty Programme, which run at different time periods and draw on different pools of cybersecurity experts.

Beyond technical cybersecurity breaches, the human user is often the weakest link. That is why we are taking measures to make it harder for scammers to use phishing and other social engineering methods to gain control of a user's Singpass account. For example, for transactions identified to be of higher risk, we require more than the standard two-factor authentication of a password and one-time password. The account is protected by additional factors, such as facial verification.

Secure online transactions and a safe cyberspace need everyone to play their part. We are constantly improving and testing Singpass' defences to guard against cybersecurity and scam threats. We call upon banks and telcos to enhance their defences and strengthen the cybersecurity ecosystem. Users need to arm themselves with knowledge of scam tactics, social engineering and phishing to avoid being scammed. A vigilant and discerning public is our best defence against scams.