News

99 Singpass accounts suspended after 71 addresses illegally changed on ICA system: Govt

The cases had started from August 2024.

clock

February 04, 2025, 04:26 PM

Telegram

Whatsapp

99 Singpass accounts were suspended after malicious actors changed the addresses of 71 people on the Immigration and Checkpoints Authority (ICA) electronic change of address (eCOA) service since last August, Minister of State for Home Affairs Sun Xueling said in parliament on Feb. 4.

ICA suspended the eCOA service on Jan. 11 after discovering that perpetrators had used stolen or compromised Singpass accounts to change victims' residential addresses on the service.

They did so using the "Others" module, which was introduced to help the less digitally savvy.

The eCOA service was resumed on Jan. 14 but now requires face verification when individuals use their Singpass account to login to the service.

System exploited by malicious actors: Govt

Sun was responding to questions from various Members of Parliament (MP) about the extent of the breach, measures to prevent unauthorised access of Singpass for address changes, and whether the government would review its procedure for change of home address.

Sun explained how the breaches involving the "Others" module in the eCOA service took place.

She said that the module had been introduced to help less digitally savvy residents like the elderly or disabled to change their addresses through a proxy, without having to go down to ICA in person.

Sun noted that there were safeguards in place for the eCOA system, with the need to authenticate the proxy via Singpass, and use of the individual's NRIC number, date of issue, and a physical PIN mailer to log in.

At that time, these safeguards were assessed to be an "acceptable balance between absolute security and usability" for the digital service, said Sun.

"However, we now recognise that this service could be and was exploited by malicious actors. A key problem is that there was criminal action. People gave up their Singpass account to be misused," said Sun.

Sun noted that the malicious actors used Singpass accounts, which had been relinquished as proxies, to initiate the change of address for another individual.

Sun said the use of one's NRIC issue date as one of the safeguards was "reasonable", but "proved not adequate" as malicious actors managed to obtain that information too.

13 suspects have been arrested in relation to the case.

Suspects changed 71 addresses, compromised 16 Singpass accounts

Sun disclosed that ICA has reviewed all electronic change of address applications made through the "Others" module since October 2020 when the eCOA service was launched.

ICA found that unauthorised changes took place only in recent months.

"From August 2024 onwards, the ICA has found that the suspects tried to change the registered addresses of 99 individuals. They succeeded in changing the addresses of 71 of the individuals," said Sun.

Sun noted that ICA has reached out to all 99 individuals to verify and restore the correct addresses.

ICA is also assisting them to replace their physical NRIC, which will have a new date of issue.

For the 71 individuals who had their addresses fraudulently changed, ICA is working with government agencies to assess the impact on them.

If there is any adverse impact on the calculation or disbursement of government benefits, such as CDC vouchers, agencies will provide the appropriate assistance and restoration, Sun said.

Govtech has since suspended the Singpass accounts of all 99 individuals to prevent unauthorised activity, and has also contacted them to reset and secure their Singpass accounts.

Sun said that for 16 of these individuals, the suspects also went on to take over their Singpass accounts.

The suspects did so by resetting the Singpass account password and requesting a physical PIN mailer to be sent to the newly registered address.

Sun said the Singapore Police Force (SPF) is coordinating with government agencies and private entities to stop or reverse any fraudulent activity as a result of the 16 compromised Singpass accounts.

If there have been monetary losses arising from the compromised accounts, police will work with agencies and financial institutions to remediate the losses wherever possible.

Why not suspend the service sooner?

Sun responded to a question from Tanjong Pagar GRC MP Joan Pereira on why ICA only suspended the eCOA service on Jan. 11, 2025 and not sooner.

Sun said that ICA had initially started investigating cases of unauthorised changes of address in September 2024, but the cases appeared unconnected.

Time was needed to investigate and triangulate information from the various reports made, said Sun.

By December 2024, ICA had uncovered how the unauthorised changes of addresses were effected and what they were used for, and was simultaneously reviewing the security of its eCOA service.

It decided to suspend the eCOA service on Jan. 11 after an "internal assessment", said Sun.

Sun admitted that ICA could have taken steps to suspend the service earlier in December 2024 when they had established the modus operandi (MO) of the perpetrators.

"But these are judgment calls that public officers have to make every day. The MHA is reviewing with ICA what lessons we can draw from this incident," said Sun.

Will govt review the change of address process?

Progress Singapore Party's Non-Constituency MP (NCMP) Hazel Poa asked Sun whether the government will send letters to both the new and old addresses upon a change of address, to verify the change.

Sun replied that mailers are currently only sent to the new address.

She reiterated that the ICA is still reviewing what would be the best way forward in order to safeguard its electronic services.

Poa also asked if the government would consider reinstating neighbourhood police posts (NPPs) as venues where residents could change their address.

SPF stopped offering this service in December 2020.

Sun noted that concerns had been previously been raised in parliament about manpower issues faced by the SPF, which led to the development of unmanned NPPs.

She said that those who walk into NPPs to change their address will be guided to visit ICA in-person.

Top image from MDDI/Youtube & ICA website

Follow us on Facebook, Instagram, Twitter and Telegram to get the latest updates.

  • image
  • image
  • image
  • image

MORE STORIES

Events