Data of 70,000 people compromised in cybersecurity incident involving SLA’s vendor IBM
Names, NRIC numbers and past property addresses were exposed after unauthorised access to a data set created for vendor development and testing.
Visitors walk past the IBM logo at the Mobile World Congress (MWC) in Barcelona, Spain, on Mar 3, 2026. (File photo: Reuters/Nacho Doce)
This audio is generated by an AI tool.
SINGAPORE: Personal data of about 70,000 people was compromised following a cybersecurity incident involving the Singapore Land Authority (SLA) and a cloud environment managed by its vendor IBM.
In a media release on Friday (Jul 3), SLA said the incident involved unauthorised access to a data set created for vendor development and testing.
IBM manages the development and systems-integration testing environment for the Singapore Titles Automated Registration System (STARS) and eLodgment System (ELS). The web-based system allows lawyers, government agencies and authorised individuals to submit documents relating to property transfers and caveats.
Preliminary investigations showed that the compromised dataset, created in 1998 for testing purposes and updated periodically over the years, was meant to contain only mock and anonymised data based on property ownership and lodgment records.
However, it was later found to include real information such as names, NRIC numbers and past property addresses of about 70,000 people.
"This information should have been anonymised but was not," SLA said. "Investigations are ongoing to determine how this occurred."
The affected environment managed by IBM is separate from SLA’s operational systems.
“There is no connection or compromise to the live systems used for operations of STARS, ELS or any other SLA systems," the agency said. "Property ownership and lodgment records in STARS and ELS remain secure and unaffected."
IBM has since revoked access to the affected system to prevent further unauthorised entry.
As a precaution, SLA has begun notifying affected individuals and advising them on steps they can take for assistance.
“SLA is working closely with IBM, the Government Technology Agency of Singapore and the Cyber Security Agency of Singapore to investigate the incident, establish the full facts and ensure that the necessary remedial measures are taken,” the authority said.
It has also lodged a police report and notified the Personal Data Protection Commission.
“As investigations are ongoing, we advise members of the public to remain vigilant against phishing emails, phishing websites, text messages or telephone calls from parties claiming to represent government agencies or other organisations,” it said, apologising for the concern and inconvenience caused.
CNA has asked SLA for more information, including when the incident took place, when it was informed and how many of the affected individuals have been contacted.