Advertisement

Loophole in State Courts system allowed unauthorised access to 223 e-case files

The court was first alerted on 1 November, 2018, about a possible vulnerability in its Integrated Criminal Case Filing and Management System. (Yahoo News Singapore file photo)
The court was first alerted on 1 November, 2018, about a possible vulnerability in its Integrated Criminal Case Filing and Management System. (Yahoo News Singapore file photo)

Over 220 case files hosted on the State Courts’ electronic management system were accessed without authorisation via “a loophole” in the system, said the courts on Wednesday (28 November).

In a press release, the courts said they were first alerted on 1 November about a possible vulnerability in its Integrated Criminal Case Filing and Management System (ICMS). The ICMS is an electronic case management system used by the State Courts for the conduct of criminal proceedings.

Following investigations, 223 e-case files were found to have been accessed without authorisation via a loophole in the system, allowing them to view court documents in other e-case files, the courts added.

Responding to queries from Yahoo News Singapore, the State Courts said that “up to nine may have obtained unauthorised access to court documents in the ICMS”.

All affected files were hosted on the ICMS’ Accused Person access portal, which can be accessed only by accused persons with a valid account through SingPass authentication.

Launched in 2013, the ICMS is used by law firms, law enforcement agencies, accused persons and selected local media outlets.

No tampering of files found

“Immediate steps were taken to fix the vulnerability. The e-case files had not been tampered with, and the integrity of ongoing proceedings was not affected,” said the State Courts.

The State Courts stressed that they take a “serious view” of any unauthorised access to information in their case management systems and have reported the matter to the police.

“As of 9 November 2018, the State Courts and their system vendor, Ecquaria Technologies Pte Ltd, have implemented additional measures to protect the security and confidentiality of the information in the ICMS by enhancing the user access controls within the system,” said the State Courts.

Police investigations are ongoing and letters have been sent out to those affected by the unauthorised access.

The State Courts have also set up a dedicated e-mail address (query@statecourts.gov.sg) and hotline (64355651) to handle queries pertaining to the incident.

This incident comes five months after a cyberattack on SingHealth’s database, which saw the personal particulars of about 1.5 million patients – including that of Prime Minister Lee Hsien Loong – being illegally accessed in the nation’s largest-ever data breach.

More Singapore stories:

SingHealth cyberattack: Singapore government reported incident in ‘remarkably’ short time

SingHealth cyberattack: Malware used was initially thought ‘benign’ by antiviral experts

SingHealth cyberattack: Database administrator did not immediately recognise ‘serious security incident’