A dossier containing personal data from 6.541 accountants in Singapore had been "involuntarily" sent to multiple organizations in a security incident that was revealed only months after the review. The incident provided personal information such as names, national IDs, date of birth and employment information.
The incident came under the auspices of the Singapore Accounting Committee (SAC), a Treasury Department body, which said Friday that 41 people in 22 organizations had received the file containing the personal data.
Details were sent in multiple emails between 12 June and 22 October this year to 22 organizations, which included 21 Accredited Training Organizations and a vendor. The email was sent to inform them of "administrative matters", SAC said.
The email was sent to new Accredited Training Organizations to inform them on various administrative issues such as logos to use. There are more than 300 such organizations on country.
Stakeholders were current and existing candidates for the Singapore Accountant Certification Program, as well as staff of agencies and other executives involved in managing the qualification system prior to the May 17 2019.
SAC said it disclosed the incident on 7 November following the implementation of a "new data protection filter" as part of the recommendations of the Public Data Security Audit Committee. Four days later, on November 11, the Commission contacted 22 organizations that received the file “to request deletion of the file data"And to confirm whether the file had been forwarded to other Contracting Parties.
To date, 22 companies have also stated that they have deleted the file, including any data transmitted. The SAC, however, did not disclose whether and how many other parties had received or had access to data.
He said that all affected people were informed, on 22 November, of "unintentional disclosure". She added that she had notified her Committee on the Protection of Personal Data on the incident.
“The SAC takes this incident seriously and deeply regrets this mistake. The SAC will set up a team to review the incident and make all necessary recommendations, ”he said, adding that this team will consist of members of the SAC board of directors as well as the Office of Intelligent Nations and Digital Government and the Department of Public Affairs. Service.
The Singapore government said in July that its services would launch several new "technical measures" for existing and new systems, such as automatic detection. e-mail containing sensitive data and stronger encrypt files. These were part of the "interim" recommendations that were considered necessary after the revision of the infrastructure and public sector policies in its field cyberspace, which occurred after a series of data breaches involving government entities.
A committee set up to evaluate how the government will secure citizens' data stressed the need to strengthen the regime security sector data amid growing threats. He added that government systems were increasingly complex and there was growing demand for the use of data to facilitate data sharing. digital services For the public.
However, the Singapore government has argued that the public sector should be excluded from the country's Data Protection Act because of "fundamental differences" in the way businesses operate. organizations This required a "different approach" to the protection of personal data compared to the private sector.