Oral Reply by Minister for Transport Khaw Boon Wan to Parliamentary Question on The Preparedness of our Local Airlines in the event of a Cybersecurity Breach

Mr Saktiandi Supaat asked the Minister for Transport in light of the recent British Airways data breach

a.     whether local airlines are knowledgeable about such data breaches;

b.     whether there have been any hacking attempts in the past three years;

c.     how are local airlines working with other international airlines and relevant authorities to safeguard the information of local and international passengers; and (d) whether existing air passenger protection legislation can be beefed up to protect passengers' rights in the event of a cybersecurity breach.

Reply by Minister for Transport Khaw Boon Wan:

1.     The recent British Airways (BA) data breach and the SingHealth cyberattack are sharp reminders that with greater adoption of digitalisation, all industries face cybersecurity threats.  Our operating assumption is that our airlines will be targets, and they must do their best to protect themselves against such threats, and have a robust plan to prevent, detect, and recover should an attack succeed.  They must also exercise their plan regularly so that all staff are fully aware of such a threat and take it seriously.

2.     The Civil Aviation Authority of Singapore (CAAS), as the cybersecurity lead for the aviation sector, works closely with Singapore carriers to strengthen their cybersecurity capabilities.  CAAS also regularly shares cybersecurity-related information, including from Cyber Security Agency (CSA), and best practices with them, and conducts joint cybersecurity exercises.

3.     The Singapore carriers’ approach includes safeguarding their systems to prevent, detect, and respond to hacking attempts and mitigate the potential impact.  They monitor cyber threats through their Security Operations Centres, and carry out regular testing of their websites for vulnerabilities and screening for malicious web traffic.  They also closely monitor reports of breaches, and collaborate with others on cybersecurity. They are part of the Aviation Information Sharing and Analysis Center (ISAC), a non-profit organization that fosters sharing of information on physical and cyber threats to aviation and best practices on mitigation, and participate in the Cybersecurity Workgroup under the International Air Transport Association (IATA).

4.     With respect to the security of passenger data, Singapore carriers are also required to comply with the Personal Data Protection Act and the data protection regulations of other States which they fly to.

5.     As regards the BA data breach, the investigation is still ongoing. As a precaution, SIA has performed checks and confirmed that there are no unauthorised codes on its payment webpage. SIA is mindful that sophisticated attackers will continue to probe for vulnerabilities, and will remain vigilant and conduct regular checks and penetration tests on all scripts on its website. It will also continue to observe stringent data security standards for credit card payment processing.