By Darren Trisno
Recently, there has been a shocking increase in reported hacking in Singapore. For instance, between May and July 2022, the luxury hotel chain “Shangri-La Group” has experienced a data breach affecting their guests in Singapore, Hong Kong, Chiang Mai, Taipei, and Tokyo [1]. It was found that certain data files were stolen from the group’s guest databases by an unknown, “sophisticated” attacker who managed to bypass IT security monitoring systems. While the hotel could not confirm the content of the files, it is likely that these files contained the guests’ data, such as guest names, email addresses, phone numbers, postal addresses, Shangri-La Circle membership numbers, reservation dates, and company names [2]. The hotel chain is confident that the personal data was not released or misused by them or known third parties. Regardless, the Cyber Security Agency of Singapore has advised organizations to proactively monitor and check their IT networks regularly for signs of suspicious activity [3].
In another similar incident, the personal information of 330,000 Starbucks customers in Singapore has been breached and put up for sale on an online forum since September 10 2022, according to The Straits Times [4]. The breach of information mainly concerned customers who owned Starbucks’ accounts and made transactions via the Starbucks' app or online store [5]. The coffee chain said in an email to customers that their credit card data has not been compromised as Starbucks does not store such data [6]. The company also said it had immediately taken steps to protect customer information and cooperated fully with the authorities [7]. Since then, one copy of the database has been sold, with the price listed at $3,500 [8].
According to a study by the cyber-security firm “Group-IB”, Singapore ranked number six in the world for the most databases exposed to the Web last year, which could have been easily breached and exploited by hackers [9]. The United States took the top spot with close to 93,700 exposed databases found, followed by China with nearly 54,800 [10]. The number of susceptible databases in Singapore grew steadily throughout the year with increased digitalisation during the pandemic, which suggests that while many organisations went digital during Covid-19, database security may not have kept up.
Singapore is taking steps to strengthen its defences against cyber threats with a range of measures, including the establishment of a new cyber command and the creation of a new cyber defence vocation to ensure sufficient manpower and expertise in the field. For instance, The Defense Cyber Organization (DCO), established in 2017, is responsible for defending the country’s military networks and systems against cyber threats. The Cyber Security Agency of Singapore (CSA), established in 2015, is responsible for protecting the country’s critical cyber infrastructure and promoting cybersecurity awareness among the public. These organizations work closely with the private sector and other countries to share information and best practices for cybersecurity.
Singapore is also considering legal measures to combat cybercrime, including amendments to its cybercrime laws such as the Computer Misuse and Cybersecurity Act (CMCA). These changes would criminalize trading in personal information, buying and selling of hacking tools, and offences committed abroad deemed to cause “serious harm” to Singapore. While these changes could have meaningful impacts in the fight against cybercrime, there are also concerns about their drawbacks [11].
The proposed amendments to the CMCA would expand the government’s ability to crack down on cybercrime in several ways. One significant change is the criminalization of the buying and selling of hacking tools such as malware and port scanners. This would make it easier for law enforcement to track down and prosecute those who create and distribute malicious software that can be used to breach security systems [12]. In addition, the proposed amendments would criminalize dealing and trading in personal information, including credit card fraud. This is a major step forward for Singapore, as the trade in stolen personal data is a lucrative business for cybercriminals [13].
Another key change is the expansion of the law’s jurisdiction to include offences committed abroad that are deemed to cause “serious harm” to Singapore. This means that even if a cybercrime is committed outside of Singapore if it has a significant impact on the city-state, the offender could still be prosecuted under Singaporean law. This provision could help deter cybercriminals who reside in foreign territories from targeting Singapore, as they could face legal consequences even if they are based overseas.
However, these changes could also have drawbacks. One concern is that the criminalization of buying and selling hacking tools could inadvertently harm legitimate security researchers and penetration testers who use such tools in their work. These researchers often need to use hacking tools to identify vulnerabilities in software and hardware so that they can be patched before they can be exploited by cybercriminals. If these tools are wholly criminalized, it could make it more difficult for researchers to identify vulnerabilities, potentially leaving systems more vulnerable to attack.
Another concern is that the expansion of the law’s jurisdiction could lead to conflicts with other countries’ laws. For example, if a cybercrime is committed in a country with more lenient cybercrime laws than Singapore, the offender could be extradited to Singapore to face more severe penalties. This could create tensions between Singapore and other countries, especially if those countries view Singapore’s laws as overly harsh.
Some have also expressed concerns that the amendments could be used to stifle free speech and infringe on privacy rights. For instance, the amendment criminalizing the buying and selling of hacking tools could be used to criminalize legitimate cybersecurity research and development.
There are also concerns about how the Singaporean government will determine what constitutes “serious harm” caused by offences committed abroad. Critics worry that this could be used as a pretext to target political dissidents or journalists who criticize the Singaporean government.
Another potential drawback is the potential impact on Singapore’s reputation as a business-friendly hub. Singapore has long been a popular destination for multinational corporations, in part due to its favourable business climate and stable political environment. However, the new cybersecurity laws, particularly the criminalization of dealing with and trading personal information, could make some companies think twice about doing business in Singapore.
Despite these concerns, the Singaporean government has defended the proposed amendments as necessary to address the evolving threats in their cyberspace. In a statement, the Ministry of Home Affairs emphasized that the amendments were aimed at tackling the increasing scale and transnational nature of cybercrime, as well as the evolving tactics of cybercriminals.
The Singaporean government has been proactive in addressing the growing threat of cybercrime. The creation of the Defence Cyber Organization and the establishment of a cyber defence vocation are just two examples of how Singapore is taking cybersecurity seriously. However, the proposed amendments to the Computer Misuse and Cybersecurity Act demonstrate that the government is willing to take further steps to protect its citizens and businesses from cyber threats.
As cyberspace becomes an increasingly important domain for commerce and communication, it is likely that more countries will follow Singapore’s lead in strengthening their cybersecurity laws. However, it is important to strike a balance between security and privacy rights, as well as maintaining a business-friendly environment. As such, it will be interesting to see how the Singaporean government implements and enforces these new cybersecurity laws, and how they impact the country’s reputation as a hub for international business.
The proposed amendments to the CMCA are a positive step forward for Singapore’s cybersecurity efforts. With cyber threats on the rise, it is essential for governments to take steps to protect their citizens and businesses from cybercriminals. By criminalizing the trade in personal information and hacking tools, and expanding the law’s jurisdiction to include offences committed abroad, Singapore is sending a strong message that it takes cybercrime seriously and is willing to take strong measures to combat it.
[1] Deepanraj Ganesan, “Hackers targeted 8 Shangri-La hotels between May and July, guests' data potentially leaked”, (The Straits Times, 1 October 2022) https://www.straitstimes.com/singapore/data-breach-at-shangri-la-hotels-occurred-during-asias-top-security-summit-guests-data-potentially-leaked (Accessed: 28 April 2023)
[2] Ibid
[3] Ibid
[4] Aqil Hamzah, “330,000 S'pore Starbucks customers' data leaked, info sold online for $3,500”, (The Straits Times, 17 Sept 2022) https://www.straitstimes.com/singapore/330000-starbucks-customers-data-leaked-sold-online-for-3500 (Accessed: 28 April 2023)
[5] Ibid
[6] Ibid
[7] Ibid
[8] Ibid
[9] Kenny Chee, “Singapore ranked No. 6 globally for having most number of database exposed” (The Straits Times, 27 April 2022) https://www.straitstimes.com/tech/tech-news/singapore-ranked-no-6-globally-for-having-most-number-of-exposed-databases (Accessed: 28 April 2023)
[10] Ibid
[11] Stellar Cramer, Wilson Ang, David Olds, Jessica Paulin, Jeremy Lua (Norton Rose Fulbright, 14 Feb 2018) https://www.dataprotectionreport.com/2018/09/singapores-new-cybersecurity-act-come-into-force-heres-what-you-need-to-know/ (Accessed: 28 April 2023)
[12] Ibid
[13] Prasanth Parameswaran “Singapore Eyes Tougher Cyber Laws” (The Diplomat, 14 March 2017) https://thediplomat.com/2017/03/singapore-eyes-tougher-cyber-laws/ (Accessed: 28 April 2023)