. Find out more about cyber security breaches reported in Singapore and its impact.

Over the past decade, there have been numerous high-profile cybersecurity breaches and leaks affecting companies locally and around the world.
In 2021, several companies in Singapore were fined a total of $75,000 for breaches and lapses that affected more than 600,000 people's personal data, including names, contact numbers and in some cases, financial information. These incidents have resulted in not only the loss of sensitive data but also financial and reputational damage to the affected organisations.
In this article, we take a closer look at the cyber security breaches and leaks that made it to local news and what lessons we can learn from them.
Year of News Coverage of Breach Company (Period of Breach) No of Victims | Compromised Data | Details |
2022 Carousell (Oct 2022) 1.95 mil user accounts | Usernames, First and Last Names, Email Addresses, Phone Numbers, Country of Origin, Date of Account Creation and Number of Followers (Found to be put up for sale on Dark Web, hacking forums for $1,000) | Investigations revealed that:
Carousell was reported to have taken the following remediation actions:
|
2022 Starbucks (Sep 2022) 330,000 customers | Names, Residential and Email Addresses (Found to be put up for sale on an online forum for $3,500) | Following the incident, Starbucks was reported to have taken the following actions:
Investigations are believed to be ongoing Source: https://www.straitstimes.com/singapore/330000-starbucks-customers-data-leaked-sold-online-for-3500 |
2022 GeniusU (Nov 2020) 1.2 mil customers | First and last names, e-mail addresses, location information and last sign-in IP addresses | Investigations revealed that:
Following the incident, GeniusU was fined $35,000. It was reported to have taken the following remediation actions:
The fine levied appeared to the lower end of the scale considering the number of users affected as the leak did not include more sensitive information such as financial or health data. GeniusU's voluntary admission, cooperation and swift action is also considered. |
2022 RedMart (Oct 2020) 898,791 user accounts | Names, Email Addresses, Encrypted Passwords, Phone Numbers, Partial Credit Card Numbers | Investigations revealed that:
Following the incident, RedMart was fined $72,000. It was reported to have taken the following remediation actions:
Source: https://www.channelnewsasia.com/singapore/redmart-fined-s72000-data-breach-lazada-3159496 |
2021 MyRepublic (Aug 2021) 79,388 customers | Scanned copies of both sides of NRICs, workpasses & proof of residential addresses | Investigations revealed that:
Following the incident, MyRepublic was fined $60,000. It was reported to have taken the following actions:
Source: https://www.channelnewsasia.com/singapore/myrepublic-data-breach-cyber-attack-fine-60000-2943016 |
2021 StarHub (Jul 2021) 57,191 customers | Identity Card Numbers, Mobile Numbers and Email Addresses | Investigations revealed that:
StarHub was reported to have taken the following remediation actions:
Source: https://www.straitstimes.com/tech/more-than-57000-starhub-customers-personal-data-leaked |
2021 SingTel (Dec 2020) 129,000 customers, 23 enterprises (including Suppliers, Partners, Corporate Customers) | NRIC Numbers, Name, Date of Birth, Phone Numbers or Address Test Data, Reports, Data Logs and Emails Credit Card Details of 45 staff of a SingTel mobile line corporate card customer Bank Account Details of 28 former employees (A ransom of $250,000 worth of bitcoin was requested by the Clop group hackers) | Investigations revealed that:
SingTel was reported to have taken the following remediation actions:
|
2021 RedDoorz (Sep 2020) 5.9 mil customers | Names, Contact Numbers, Email Address, Date of Birth, Hashed passwords and their Booking Information (Found to be put up for sale on a hacker forum) | Investigations revealed that:
Following the incident, Commeasure was fined $74,000. It was reported to have taken the following actions:
|
2020 Grab (Aug 2019) 21,541 drivers / passengers | Profile Pictures, Passenger Names, Vehicle Plate Numbers and Wallet Balances comprising the journal history of ride payments. Other data that was affected included GrabHitch booking details such as Addresses, Pick-up and Drop-off times, Driver Details such as Total Rides, and Vehicle Model and Make | Investigations revealed that:
Following the incident, Grab was fined $10,000. It was reported to have taken the following actions:
|
2019 HMI Institute of Health Sciences (Dec 2019) 120,000 students | Full Names and NRIC Numbers of about 98,000 MINDEF/SAF Personnel Full Names, NRIC Numbers, Contact Numbers, Email Addresses, Dates of Birth and Residential Addresses of other HMI Institute customers. | Investigations revealed that:
Following the incident, HMI Institute of Health Sciences was fined $35,000. It was reported to have taken the following actions:
Source: https://hmi-ihs.com/hmi-institute-alerts-students-and-applicants-to-data-incident/ |
2019 ST Logistics (Dec 2019) 2,400 Mindef & SAF Personnel | Full Names and NRIC Numbers and a combination of Contact Numbers, Email Addresses or Residential Addresses | Investigations revealed that:
Following the incident, ST Logistics was fined $8,000. It was reported to have taken the following actions:
|
2019 Integrated Health Information System (IHiS) (2018) 1.5 mil SingHealth patients
160,000 records of Outpatient Dispensesd Medicines | Names, NRIC Numbers, Addresses, Gender, Race and Date of Birth (Information of then PM Lee Hsien Loong was specifically targeted) | Investigations revealed that:
Following the incident, IHIS was fined $750,000 and SingHealth was fined $250,000. A Committee of Inquiry was convened to investigate and report the cause of attack as well as identify measures to prevent similar attacks. 16 recommendations were made to boost cybersecurity, separated into priority and additional recommendations. More details of the breach are up at: https://en.wikipedia.org/wiki/2018_SingHealth_data_breach IHIS/SingHealth was reported to have taken the following remediation actions:
Sources: |