Lessons from Singapore’s Data Breaches: What Leaders Need to Know

As digital transformation accelerates, cyber security is becoming a critical concern for businesses worldwide. Recent Kaspersky findings reveal that Singapore has climbed to 8th place globally as a target for cyber threats in 2024, up from 12th in 2022 and 9th in 2023. This steady rise highlights the growing vulnerability of businesses in the region, making cyber security a top priority for leaders across all industries. Further emphasizing this risk, a recent report from a joint cyber security exercise by the Singapore Business Federation (SBF) and the Ministry of Defence (MINDEF) reveals that nearly two in 10 employees in Singapore who received phishing emails clicked on the links—almost double the global average. This reveals a significant gap in security awareness that leaves organizations at greater risk.

This blog explores some of Singapore’s biggest data breaches in the past few years and, more importantly, the lessons these incidents offer. By reflecting on what went wrong and understanding the impact of these breaches, leaders can take proactive steps to safeguard their organizations against similar threats.

A Look Back at Singapore’s Major Data Breaches

• DBS and Bank of China vendor data compromise: In 2025, a significant data breach occurred when a third-party vendor to DBS and the Bank of China was compromised, leading to the exposure of sensitive data from over 11,000 customers. This breach highlights the growing risks posed by third-party vendors, whose security practices can directly impact the protection of customer data. This incident serves as a wake-up call for businesses to periodically check their vendors and make sure security practices are consistently followed.
• Marina Bay Sands data breach: In October 2023, Marina Bay Sands, one of Singapore’s most iconic integrated resorts, experienced a data breach that impacted around 665,000 non-casino customers enrolled in its loyalty program. The breach involved unauthorized access to sensitive personal information, including names, email addresses, and phone numbers. This incident underscores the vulnerabilities that can exist even in well-established businesses and highlights the critical need for strong data protection practices.
• SingHealth data breach: Over the past few years, Singapore’s public sector has faced several data incidents, including 201 reported cases in 2023, marking a 10% increase from the previous year. One of the most significant data breaches in Singapore’s public sector involved SingHealth, Singapore’s largest public healthcare group. The breach affected the personal data of approximately 1.5 million patients, including sensitive information such as outpatient medication and HIV statuses. These incidents underscore the critical nature of cyber security in public institutions, which handle vast amounts of personal data from citizens and businesses.
• Meiji Seika Singapore ransomware attack: Meiji Seika Singapore, a subsidiary of the global food manufacturer, fell victim to a ransomware attack in August 2022. The attack, attributed to the LockBit ransomware group, resulted in a significant data compromise, including the exfiltration of sensitive business and customer data. This breach highlights the growing threat of ransomware attacks, which have become a common vector for cyber criminals looking to extort organizations. It serves as a stark reminder for businesses to implement strong cyber security measures to defend against such attacks.
• Carousell data breaches: Carousell, a popular online marketplace in Singapore, faced two separate data breaches in mid-2022. These incidents were the result of vulnerabilities in the company’s software, which led to the exposure of sensitive personal information. As a consequence, the Personal Data Protection Commission (PDPC) fined Carousell S$58,000 for failing to implement reasonable security measures to protect user data. This breach illustrates the importance of proactive security measures, including periodic vulnerability assessments and software patching, to prevent data leaks and maintain customer trust.

These are some of the major data breaches that have occurred in recent years. Looking ahead, the cyber security landscape in Singapore remains concerning. The SOCRadar Singapore Threat Landscape Report 2025 highlights that cyber criminals are taking advantage of weaknesses in digital systems across Singapore, using tactics like ransomware, phishing, and DDoS attacks. As key sectors face ongoing threats, organizations need to adopt proactive security measures and stay alert to evolving risks.

What Actions can Leaders Take to Improve Data Protection?

Data is undoubtedly the most valuable asset an organization holds. While everyone recognizes its importance, many presume it’s secure, often without taking the necessary steps to protect it. As cyber threats continue to evolve, leaders must take proactive measures to ensure their organization’s data remains safe. The following strategies offer practical steps to enhance data security and protect against emerging risks.

• Adopt a structured security approach: Adopting a clear and organized approach to cyber security can greatly improve an organization’s overall security. It’s important to put in place a set of basic security measures that address potential weaknesses. A well-structured approach can help align data protection with industry standards and provide clear steps for managing risks. For example, using widely recognized guidelines can offer proven practices for improving security, such as those from NIST or ISO 27001.
• Conduct periodic cyber security audits: Periodic cyber security audits can be a helpful way for leaders to assess the effectiveness of their organization’s security measures. These audits help identify potential weaknesses and ensure that security controls are working as intended. These evaluations help organizations stay ahead of emerging threats and ensures that their defenses are always up to date.
• Assess third-party vendor data protection practices: Given the risks posed by third-party vendors, especially in cases like DBS and Bank of China’s data breach, organizations may want to consider assessing their vendors’ data protection practices. This can involve checking their security measures and ensuring they meet the necessary data protection standards. Periodic assessments could be conducted to verify that vendors are consistently meeting these requirements and helping manage the risks associated with vendor relationships.
• Prioritize continuous employee cyber security training: Leaders could prioritize continuous cyber security training for employees at all levels. Periodic workshops, simulated phishing attacks, and awareness campaigns can empower employees to identify and prevent common cyber threats, such as phishing, malware, and social engineering attacks. A well-trained workforce is one of the most effective defenses against data breaches.

What Key Preparations can Leaders Make to Face a Future Data Breach?

No matter how strong our security measures are, the reality is that cyber criminals are always looking for vulnerabilities. Our systems and data are constantly in the crosshairs of attackers, and it’s essential to recognize that a breach may still occur. Here are some key preparations that will help ensure readiness for any potential data breach and enable effective management of the situation when it arises.

• Develop a strong Incident Response Plan (IRP): Prepare a comprehensive plan that outlines specific steps to take when a breach occurs. This includes team roles, communication protocols, and legal considerations, ensuring a swift and coordinated response.
• Create a clear data backup and recovery plan: Ensure the organization has a secure data backup and recovery system in place. Periodically back up critical data and ensure it is stored securely to quickly restore operations after a breach.
• Establish strong communication protocols: Set up clear communication channels for internal teams, external stakeholders, and regulatory bodies. Quick, transparent communication during and after a breach is crucial for managing the situation and rebuilding trust.
• Prepare legal and regulatory compliance measures: Be aware of legal and regulatory requirements in the event of a data breach. Set up processes to report breaches within the required timeframes. Ensure an understanding of the legal procedures involved, including potential fines, regulatory investigations, and compliance obligations.

Moving Forward with Data Security

As data breaches continue to evolve, organizational leaders must adopt a forward-thinking approach to data protection. By learning from past incidents, investing in strong cyber security practices, and fostering a culture of security awareness, businesses in Singapore can better defend against emerging threats. The cyber security landscape is constantly changing, and the best way to ensure organizational resilience is to remain vigilant and proactive in the face of evolving cyber risks. With the right strategies, leadership can help ensure that their organizations are not only meeting compliance standards but are also well-protected in the digital age.