SINGAPORE: The year 2025 has been a tumultuous one for Mr Raymond Tan, a Singaporean who experienced a rude shock when he discovered that his home address had been changed without his consent.
According to the latest Channel News Asia report, the unsettling realisation came after he used MyInfo, a government service that auto-fills forms with personal data, and found that his home address had been altered to an unfamiliar Housing Board unit.
He quickly learned that he wasn’t alone; 71 individuals, including Mr Tan, had fallen victim to a sophisticated scam exploiting vulnerabilities in the Immigration and Checkpoints Authority’s (ICA) online services.
ICA takes action – suspended accounts and e-service shutdown
In response to the breach, ICA suspended its online address-change service and launched a comprehensive investigation, halting parts of its e-service on January 11. As a precautionary measure, the Singpass accounts of all affected individuals were temporarily deactivated.
While the authorities worked to enhance security, the suspension of his Singpass account caused significant disruptions for Mr Tan, leaving him unable to access critical documents and services. Without Singpass, he could not proceed with important tasks such as his domestic helper’s medical examination and an appointment involving his father-in-law’s Lasting Power of Attorney.
The bank account crisis
The ordeal didn’t end there. Mr Tan’s troubles deepened when he discovered that his bank accounts, including those with CIMB and OCBC, were placed under review.
After struggling to access his CIMB account in late January and facing difficulties transferring funds from his OCBC accounts in early February, he was stunned to receive letters from OCBC stating that his accounts would be closed due to a “change in the profile and/or activities”. This letter, which came just after the Chinese New Year celebrations, caused immense frustration and confusion as the bank did not offer any explanations.
After he pressed the bank for clarity, OCBC eventually reversed the decision, reassuring him that his accounts would remain open.
Scammers exploit system vulnerabilities
The source of this nightmare was traced back to a vulnerability within ICA’s online services. Scammers exploited an option in the address-change process that allowed them to impersonate victims and change their addresses through a proxy, using compromised Singpass accounts.
Authorities revealed that fraudsters had managed to manipulate the system, altering personal details with minimal barriers.
While ICA had implemented safeguards, including requiring NRIC details, these measures proved inadequate against the determined criminals. Mr Tan, like many others, speculated that his personal information might have been compromised through everyday activities such as submitting photocopies of his NRIC for purchases or building access.
Lingering fears – the ongoing impact
Even after his banking issues were resolved, Mr Tan remains on high alert. Recently, a notification from his insurer about a change in his contact details sparked another round of panic, though it was later confirmed to be a glitch.
The experience has left him grappling with a deeper concern about how much of his personal information has fallen into the wrong hands. “If this person was able to change my address, did they also access other parts of my account?” he wonders, reflecting on the long-term implications for his privacy and security. As the investigation continues, Mr Tan’s sense of helplessness lingers, and he fears that his data may be used against him or his family in ways he cannot predict.
This case has raised serious questions about the security of digital services and the need for stronger safeguards to protect citizens’ sensitive information in an increasingly connected world.