The biggest data breaches in Singapore and Malaysia

In recent years,  data breaches has become the most serious business risk globally. In the Southeast Asia countries, an increasing number of companies are beginning to grow awareness of the cyber threats.

Cyber threats are becoming more damaging , increasingly targeting big organizations with sophisticated attacks and high extortion demands. These demands can be in the millions, according to Marek Stanislawski, deputy global head of cyber at Allianz Global Corporate and Specialty (AGCS).

While the global average organizational cost of a data breach is US $3.92 million, the average cost for Southeast Asia countries is US $2.62 million. Still a significant figures for concern among the CEOs and CIOs in the region.

Singapore and Malaysia encountered several incidents of data breach with 96 percent of Singaporean businesses reported suffering a data breach between September 2018 and September 2019. Below we have compiled a list of the most serious data breach incidents in both countries during the past years.


December 2019: Government vendors under attack

Personal data relating to 2,400 personnel from the Ministry of Defense (Mindef) and Singapore Armed Forces (SAF) were put at risk and may have been leaked. According to ST Logistics, a government's vendor which provides logistic and equipping services, the potential breach resulted from a series of email phishing activities targeting the email of the employees. In another occasion, another government vendor providing healthcare training to SAF was found affected by ransomware. A server storing data of 120,000 individuals, including 98,000 SAF servicemen were infected. Data stored in the affected server included personal information of students and applicants, such as full names, NRIC numbers, dates of birth, home addresses and e-mail addresses.

January 2019: Second health data breach in six months

The Ministry of Health of Singapore revealed that confidential information belonging to 14,200 people diagnosed with HIV was stolen and leaked online. The compromised personal data included names, contact details (phone number and address), HIV test results and other medical information of some 5,400 Singaporeans and 8,800 foreigners dating up to January 2013. Another 2,400 individuals identified through contact tracing up to May 2007 were also included. The person behind the breach was Mikhy Farrera Brochez, a 33-year-old US citizen who lived in Singapore between 2008 and 2016. Farrera Brochez was found guilty on several counts, including transmitting threats for extortion and illegally transferring the identification of another person, by a US court and given a sentence of two years in jail in September Farrera Brochez used to be the partner of Ler Teck Siang, the former head of Singapore's National Public Health Unit, who was convicted for helping him falsify his medical records to disguise the American’s HIV-positive status to enter the country.

July 2018: SingHealth - Largest data breach

The largest data breach in the history of Singapore, 15 million patients' personal information were stolen. These information including names, national identity numbers, postal addresses, gender and dates of birth. Through the Committee of Inquiry (CIO) set to investigate into the events established that it took six days since the attack began to be discovered and halted as the staffs working in IHIS (Integrated Health Information Systems initially thought that no data have been stolen. The COI concluded that IT gaps and staff missteps contributed to the incident.

2017: Reputation debacle for AXA Insurance and Uber

AXA Insurance found a data breach in their company's online health system in September 2017 involving information stolen from 5,400 customers. It included e-mail addresses, telephone numbers and date of birth. AXA was quick to reassure that no other personal data, including name, postal addresses, financial details, medical records or claims history, had been exposed.

In December 2017, Uber disclosed that personal data belonging to 380,000 of its customers in Singapore had been subject to a leak the previous year. The company only released the news after disclosing that the details of 57 million worldwide Uber riders and drivers had been exposed. Uber paid US$100,000, which was approved by the former CEO Travis Kalanick to the hacker responsible to destroy the data in an effort to cover up the leak. It didn't work too well for the company and Joe Sullivan who was the CSO was sacked shortly after the incident made headlines.


October 2017: Fiasco at the Malaysian Communications and Multimedia Commissions

The darkest data breach in history of Malaysia to date, recording more than 46 million mobile subscribers' data breach and leaked on to the dark web. The leaded information includes mobile numbers, unique phone serial numbers and home addresses. Personal information from multiple Malaysian public sector and commercial websites was also stolen, making Malaysians vulnerable to social engineering attacks and even phone cloning., the Malaysian technology news website, has been told that massive personal information databases from at least 12 Malaysian mobile operators have been placed on sale for an undisclosed amount of Bitcoin in their forums; and claimed that they had reported the breach to the Malaysian Communications and Multimedia Commission (MCMC) . The watchdog asked to take the news article down. Vijandren Ramadass, the founder of to told The Star that all information it had received on the matter was handed over to the MCMC. The MCMC only acknowledged the data breach one day later in a press release published on Facebook, later revealing that the data breach affected 46.2 million mobile subscribers.