SINGAPORE — The data of some 4,000 individuals — including their names, email addresses, phone numbers and, in some cases, nationalities — that were stored on the Singapore Art Museum (SAM) website were exposed on an overseas website earlier this month, in the latest in a string of cyber breaches here in recent months.

The records were of individuals who had participated in the museum’s events in 2011 and this year and were illegally posted on an overseas data storage website (http://www.mega.co.nz) on Nov 5. TODAY understands the museum’s website is maintained by an external vendor.

In a statement yesterday, SAM said it was alerted of the breach by the Infocomm Development Authority the same day and immediately removed the data file from its website and went to the police.

The administrator of the overseas website was also notified and the page containing the data file was taken down within about two hours.

It is understood that the incident has hitherto not been classified as hacking while the police investigate the leak.

But a day prior to the breach, someone with the handle “CtrlSalad” had tweeted about possible data loss from Singapore, although it was not specified that the data was from SAM’s website.

When contacted, a police spokesperson said: “All possibilities are being investigated and we are working with SAM and the National Heritage Board (NHB) to review and gather relevant evidence.”

As for the delay in revealing the breach, SAM said the agencies were establishing the extent of the incident.

“The investigations are still ongoing, but we believe it is necessary to explain what happened as personal data had been compromised,” it added. It has contacted the affected individuals and apologised to them.

All data that are not required on SAM’s website have since been removed and additional safeguards are being put in place. These include conducting more regular vulnerability scanning of servers and applications.

Mrs Rosa Daniel, Chief Executive Officer of the NHB, said the focus now is on the affected subscribers and the stepping-up of security measures.

“We take a very serious view of this incident. What this incident has pointed to is the need for us to be constantly vigilant and to take strong measures to safeguard our information,” said Mrs Daniel, who is also Deputy Secretary (Culture) at the Ministry of Culture, Community and Youth.

Media lawyer Bryan Tan, a partner at Pinsent Masons, said the affected individuals may be able to sue on grounds of negligence, with the liability falling on the party controlling the data.