Three hacked SingPass accounts used for fraudulent work pass applications

SINGAPORE — Three of the 1,560 compromised SingPass accounts were used to make six fraudulent work pass applications, authorities said today (July 4).

“Upon discovery of the fraudulent applications, MOM immediately cancelled the work passes. MOM has also put in place additional measures to strengthen and further safeguard its work pass transactions,” said the Ministry of Manpower (MOM) and Infocomm Development Authority of Singapore (IDA) in a joint statement. The matter has been referred to the Police.

About a month ago, the IDA made public that 1,560 accounts were cracked. These users’ account profiles were illicitly updated to be tied to a disproportionately small pool of Singapore-registered mobile numbers. Among the affected users, 419 accounts had their passwords successfully reset without their permission.

The IDA is currently enhancing the SingPass system, which will be ready by the third quarter of next year.

It is also looking into allowing users to set their own user names in the enhanced SingPass system, instead of using NRIC numbers. Other measures, such as second-factor authentication (2FA) for e-government transactions, will be introduced.

“In the meantime, SingPass users are encouraged to strengthen their passwords to ones that are alphanumeric with 8-24 characters, preferably with capital letters and symbols, to better protect their SingPass accounts,” said the MOM and IDA.