201 government data incidents in 2023, 10% increase from previous year

SINGAPORE: There were 201 government data incidents in the financial year of 2023, a 10 per cent increase from the 182 incidents reported the previous year.

An incident is logged when there is a compromise of government data. This includes unauthorised access, collection, use, disclosure, copying, modification, or disposal of data. 

Of the 201 incidents last year, 29 were of medium severity and 172 were of low severity, according to the fifth annual report by the Ministry of Digital Development and Information (MDDI) on Tuesday (Jul 30) about the government's personal data protection efforts.

Low-severity incidents are defined as those that have "minimal impact" on agencies, individuals or businesses. 

Medium-severity incidents are those that pose "difficult or undesirable consequences to a government agency or which pose minor inconvenience to individuals or businesses".

"The increase in the (total) number of incidents is due to the higher volume of data usage as more government services are digitalised to provide convenience to citizens and businesses," said MDDI.

"In addition, improved awareness among public officers on the need to report incidents may have also contributed to the increase."

Although the total number of incidents increased from 2022, the number of medium-severity incidents fell from 46.

The decrease is partly due to the progressive implementation of security processes and technical measures, as well as increased public sector awareness, said the ministry.

This is the fourth consecutive year with no incidents assessed to be of high severity or above.

In the last financial year ending Mar 31, the Government Data Security Contact Centre received 53 reports from the public on potential incidents involving government data.

Upon further investigation, 14 were classified as data incidents involving government agencies. The remaining 39 reports were related to data incidents in the private sector and general queries.

The Public Sector Data Security Review Committee provided five key recommendations in 2019 to improve the government's data security regime.

They include enhancing technology and processes to effectively protect data and strengthening processes to detect and respond to incidents.

To meet these five recommendations, 24 initiatives were put together. As of Mar 31, all 24 have been implemented, said MDDI.

In the last financial year, the government completed two recommendations: Minimising data collection, retention, access and downloads, as well as protecting data directly when it is stored and distributed to make sure it is unusable even when extracted.

The government has also progressively put in place several measures, said MDDI.

In the last year, it expanded a central privacy toolkit called Cloak. This allows public officers to apply "privacy-enhancing technologies" to datasets while preserving the data's value for sharing and use. 

For example, one feature has been used to anonymise 20 million documents.

Since its launch in March 2023, the toolkit has been used by 1,400 public officers from 90 agencies.

Another tool is the Central Accounts Management (CAM) system, which is used to automatically remove user accounts that are no longer needed.

This mitigates the risk of unauthorised access by officers who have left their roles and the exploitation of dormant accounts by malicious actors, said MDDI.

Enhancements have also been made to the government’s Data Loss Protection tool that mitigates the accidental loss of classified or sensitive data from government networks, systems, and devices.

For example, people can no longer see the email addresses of other external recipients if there are more than 30 recipients.

"The government acknowledges that the endeavour to enhance data protection measures is a continuous process," said MDDI.

"As technology progresses, data security risks and opportunities for mitigation will also evolve. The government remains committed that our policies and initiatives will undergo continuous review to ensure a robust data security regime."