[SingCERT] Protecting your Personal Data

Published on Monday, 22 September 2014 10:33

[ Background ]

A group, by the name of “The Knowns”, posted the personal data of customers from a Singapore company online to express their displeasure over recent policy changes.

[ Recommendations ]

For public users concerned about potential leakage or misuse of personal data, you’re advised to report the loss of personal data to the Personal Data Protection Commission (PDPC) by telephone (6377 3131) or by email (info@pdpc.gov.sg).

General advice for all users:

  1. When signing up for a service online, you may be asked for some personal information. Always review the application form before giving away your information. Users should not sign up for a service if it requests too much personal information, or information that seems irrelevant to the purchase or application of the service.
  2. Be alert when opening emails. Data leakage often results from spam emails sent to affected users, and such emails may contain malicious links or attachments. Users are advised not to open such attachments or click on such links.
  3. Change your passwords regularly and avoid using the same one for different services and applications. A strong password can significantly deter the loss of personal data online. Users may refer to Go Safe Online for guidance on creating a strong password.

Businesses should take note of the following to prevent such occurrences:

  • Conduct regular vulnerability assessments and penetration tests on the web applications.
  • Promptly patch the vulnerabilities found in the web applications.
  • Validate the input for each field.
  • Deploy a web application firewall to protect the web application against known threats.
  • Add random data (salt) to the password and hash the salted password before writing it to the database.
  • Keep the database server and the web server separate.
  • Only store the required information in the database.
  • Encrypt the database where possible and implement SSL to encrypt the network communications to mitigate data theft.

[ References ]

For businesses: