SINGAPORE: A 23-year-old man has been arrested for allegedly breaking into a rental flat along Yishun Ring Road and stealing eight mobile phones from five tenants.

The incident occurred in the early hours on Sunday (1 September), according to a statement from the Singapore Police Force.

The authorities reported that they received a call for assistance at around 5 a.m. on that day.

Officers from the Woodlands Police Division quickly responded and, through ground enquiries and police camera footage, were able to identify and apprehend the suspect on the same day.

The stolen mobile phones, with an estimated total value of approximately S$3,400, were recovered hidden under a nearby bin.

The suspect was charged in court on Monday with housebreaking with the intent to commit theft.

If convicted, he could face a jail term of up to 10 years and a fine.

In light of this incident, the police have advised property owners to take precautions to prevent similar crimes.

They recommend securing all doors, windows, and other openings with good quality grilles and padlocks when leaving premises unattended, even for short periods.

The installation of burglar alarms, motion sensor lights, and CCTV cameras to cover access points is also advised. Additionally, residents are urged to avoid keeping large sums of cash and valuables in their homes.

The investigation is ongoing.

Last month, police disclosed that a recent uptick in housebreaking incidents in private residential estates across Singapore has been traced to foreign syndicates, primarily involving Chinese nationals.

Preliminary investigations indicate that these syndicates operate in small groups, targeting homes by scaling perimeter walls or fences.

The suspects are believed to be transient travelers who enter Singapore on Social Visit Passes, typically just a day or two before committing the crimes.

Before this recent surge in break-ins, housebreaking cases were on the decline, with 59 reported in the first half of this year compared to 70 during the same period last year.

However, between 1 June and 4 August 2024, there were 10 reported housebreaking incidents, predominantly in private estates around the Rail Corridor and Bukit Timah Road.

The SPF has intensified efforts to engage residents near high-risk areas by distributing crime prevention advisories, erecting alert signs, and training them to patrol their neighborhoods, leading to an increase in reports of suspicious activity.

The Consumers Association of Singapore (CASE) has been fined S$20,000 by the Personal Data Protection Commission (PDPC) for breaches under the Personal Data Protection Act (PDPA).

According to a judgement which was published on 28 August, the fine was imposed due to the consumer watchdog’s failure to implement reasonable security measures to protect the personal data in its possession and to establish necessary policies and practices required under the PDPA.

The breaches resulted in two significant incidents, one in October 2022 and another in June 2023, where the personal data of up to 34,760 individuals was potentially compromised.

Both incidents were handled under the Expedited Decision Procedure (EDP) at the request of CASE, with the organization admitting to all the facts and contraventions of the PDPA, leading to a faster resolution of the case.

The First Incident: Phishing Attack in October 2022

The first incident occurred in October 2022 when a threat actor accessed CASE’s email accounts and sent phishing emails from its official email addresses.

On 8 October 2022, some consumers received unsolicited emails from “[email protected],” which falsely claimed that their complaints had been escalated to the “collections and compensation department” and that they were eligible for compensation.

The recipients were asked to provide their banking details by clicking on a chat icon.

The following day, similar phishing emails were sent from “[email protected],” an account used for complaints that had progressed to mediation. CASE later discovered that the phishing emails had affected up to 22,542 email addresses.

Further investigations revealed that the phishing emails likely resulted from the threat actor obtaining login credentials from a CASE employee via a phishing attack.

The compromised accounts led to the sending of 5,205 phishing emails to 4,945 recipients. Although CASE acted swiftly to suspend the affected accounts and reset all administrator passwords, three consumers reported that they had clicked on the phishing links and collectively lost S$217,900. CASE subsequently lodged a police report.

The Second Incident: Data Breach During Vendor Migration

While PDPC was investigating the first incident, a second breach came to light in June 2023. On 22 June 2023, PDPC received a complaint about a phishing email that replicated a consumer’s complaint previously submitted to CASE.

This led to the discovery that the personal data of 12,218 individuals, including names, email addresses, contact numbers, and complaint details, had been exposed. The PDPC concluded that the breach likely occurred during a data migration exercise conducted by CASE between December 2019 and January 2020 when CASE switched vendors.

Investigations revealed that CASE’s contract with one of its vendors, Total eBiz Solutions Pte Ltd (TES), did not stipulate clear security responsibilities. This lack of contractual clarity contributed to the data breach during the migration process, highlighting CASE’s negligent vendor management.

PDPC Findings and Penalties

The PDPC found that CASE had failed to enforce its password management policy, with some passwords not meeting minimum length and complexity requirements and others remaining unchanged for up to four years. Furthermore, CASE’s vendor management was deemed negligent, as one of its contracts did not specify clear security responsibilities, putting personal data at risk.

CASE admitted to not conducting regular security awareness training for its staff, with the last session held five years before the first incident.

The PDPC also noted that CASE lacked an Information and Communications Technology (ICT) policy, particularly in relation to patching and maintaining IT systems. The absence of a documented IT infrastructure management plan, insufficient logging and monitoring practices, and the lack of security reviews over the three years preceding the first breach were significant failures highlighted in the judgment.

In assessing the financial penalty, the PDPC considered the nature and gravity of the breaches, the duration of non-compliance, and CASE’s annual turnover. The fine of $20,000 was determined to be appropriate in light of these factors.

Remedial Actions by CASE

It is said that CASE, which is headed by Mr Melvin Yong, People’s Action Party Member of Parliament for Radin Mas, has implemented several measures to enhance its cybersecurity in response to the breaches.

These include introducing multi-factor authentication for all web-based applications, strengthening password complexity requirements, decommissioning end-of-life devices, and implementing patch management software for security updates.

CASE has also revised its contracts with outsourced vendors to include data protection clauses and mandated annual data protection training for all staff members.

CASE is working towards obtaining the Cyber Essentials Mark and the Data Protection Trust Mark to reinforce its commitment to safeguarding personal data and complying with PDPA obligations.

The PDPC has directed CASE to review and update its data protection policies, rectify all identified security gaps, and report back within one week of completion. The organization has also been instructed to conduct a penetration test after addressing the vulnerabilities to ensure no further security gaps exist.

The post Consumers Association of Singapore fined S$20,000 for PDPA breaches following two data security incidents appeared first on Gutzy Asia.