// Adds dimensions UUID, Author and Topic into GA4
Sunday, July 5, 2026
30.5 C
Singapore

Singapore Land Authority: 70,000 people’s personal data exposed in IBM-managed cloud environment security breach

SINGAPORE: The personal data of about 70,000 people has been exposed after attackers gained unauthorised access to a cloud environment managed by IBM for the Singapore Land Authority (SLA).

The breach didn’t affect SLA’s live property systems, but investigators found that a testing database dating back to 1998 contained real personal information that should have been anonymised. According to SLA, the exposed records included names, NRIC numbers and former property addresses.

SLA announced the incident on July 3, 2026, saying it is notifying affected individuals and working with IBM and government agencies to investigate the incident and tighten security measures.

The testing database contained real personal information

According to the SLA, IBM manages the development and systems integration testing environment for the Singapore Titles Automated Registration System (STARS) and the eLodgment System (ELS).

Initial findings showed that unauthorised access occurred in a development and testing environment, not the operational systems used to process property transactions.

The database was created in 1998 and updated over the years for software development and testing. It was meant to contain only mock or anonymised information. Instead, investigators discovered it also held genuine personal data belonging to an estimated 70,000 people.

SLA said investigations are underway to determine why the information wasn’t properly anonymised.

Live property records weren’t affected

The authority stressed that the affected testing environment is completely separate from its operational systems. It said there is no evidence that STARS, ELS or any other SLA operational systems were compromised.

Property ownership records and land transaction data continue to be secure. IBM has since revoked access to the affected cloud environment to stop any further unauthorised entry.

Affected individuals are being notified

SLA said it has started contacting everyone whose information appeared in the compromised database and expects to complete notifications by the end of next week.

The authority has also lodged a police report and informed the Personal Data Protection Commission. Investigations are being carried out with IBM, the Government Technology Agency of Singapore and the Cyber Security Agency of Singapore.

SLA urged the public to stay alert for phishing emails, text messages, fake websites and phone calls from people pretending to represent government agencies or other organisations. The agency also apologised for the concern caused by the incident.

Old test data can still create new risks

The incident shows how forgotten development databases can become security risks years after they are created. Even when live systems stay protected, older testing environments need the same attention because sensitive information can still find its way into them.

The immediate concern is staying alert for scams that misuse personal details for affected individuals. For organisations, the lesson is equally straightforward: test data should always be anonymised, regularly reviewed and removed when it’s no longer needed.

- Advertisement -

Hot this week

Singapore traffic police officer gets 16 months’ jail for misusing government systems to help a friend threaten his ex‑girlfriend, who reported him for unlicensed...

The suspended traffic police officer accessed government databases to help a friend trace the person who reported him for unlicensed driving

Yishun hawkers say they keep their nasi lemak at S$2 so elderly residents don’t go hungry

From an IG video from @indonesianseleracorner. The proprietor said she intends to keep the price of her nasi lemak low so people on a budget can still enjoy her food, in spite of an alleged S$10,00...

Popular Categories

document.addEventListener("DOMContentLoaded", () => { const trigger = document.getElementById("ads-trigger"); if ('IntersectionObserver' in window && trigger) { const observer = new IntersectionObserver((entries, observer) => { entries.forEach(entry => { if (entry.isIntersecting) { lazyLoader(); // You should define lazyLoader() elsewhere or inline here observer.unobserve(entry.target); // Run once } }); }, { rootMargin: '800px', threshold: 0.1 }); observer.observe(trigger); } else { // Fallback setTimeout(lazyLoader, 3000); } });
// //
Enable Notifications OK No thanks