DataCenterNews Asia Pacific - Specialist news for cloud & data center decision-makers
Asia
Singapore warnings on identity gaps after breaches

Singapore warnings on identity gaps after breaches

Fri, 10th Jul 2026 (Today)
Mark Tarre
MARK TARRE News Chief

Keeper Security executive Takanori Nishiyama has warned that recent regulatory moves and high-profile breaches in Asia are exposing deep gaps in how organisations manage identity, access and third-party risk. He pointed to developments in Singapore and Japan as signs of rising pressure on both infrastructure operators and data-rich businesses.

Singapore's proposed Digital Infrastructure Bill has drawn particular attention. The draft legislation would allow regulators to classify major data centres and cloud providers as critical national infrastructure, placing them alongside sectors such as energy, water and healthcare under cyber resilience obligations. The move reflects a broader regulatory shift in Asia towards systemic technology risk.

Nishiyama said the planned Singapore regime comes as organisations face mounting pressure from emerging technologies and long-standing architectural weaknesses.

"Singapore's proposed Digital Infrastructure Bill is a signal the region cannot afford to ignore. With potential fines of up to $1 million for cybersecurity and resilience failures, the bill is seeking to designate data centres and cloud providers as critical national infrastructure, alongside power grids, water systems and health care providers. The bill arrives at a time when frontier AI is accelerating attacks against public infrastructure systems and advancements in quantum computing are compressing the window organisations have to prepare for harvest-now, decrypt-later attacks targeting long-lived data. Traditional perimeter defences were never designed for either. Keeper Security's 2026 research found 46% of APAC security leaders point to cloud security gaps, including misconfigurations and excessive permissions, as their biggest security weakness, 12 points above the global average. Just 38% reported privileged access management as fully deployed in their organisations. That gap between regulatory ambition and operational reality is where the next wave of incidents is likely to originate. Compliance in the region is moving beyond a paperwork exercise. Organisations should start by mapping which systems and vendors actually engage with sensitive or long-lived data, enforce least-privilege access so a single compromised credential cannot move laterally across environments, and build continuous session visibility rather than relying on periodic audits. Data centres, like any critical infrastructure, must be built to contain compromise, not simply to prevent it," said Takanori Nishiyama, Senior Vice President APAC and Country Manager, Japan, Keeper Security.

As Singapore weighs tougher rules for operators, recent breaches across the region show how attackers exploit identity and access weaknesses inside existing environments. Aflac Life Insurance Japan disclosed that an unauthorised party accessed its policyholder website and related systems. The incident exposed personal data belonging to about 4.38 million customers, including some banking details and sales agent contacts.

Nishiyama said the Aflac case shows how misuse of legitimate accounts has become the dominant pattern in large data thefts.

"The most common entry point for large-scale breaches today is no longer forced intrusion, but the misuse of legitimate access. Verizon's 2026 Data Breach Investigations Report found that credential abuse remained the most pervasive technique overall, present in 39% of breaches across the full attack chain. Identity has quietly become the primary attack surface for organizations that hold sensitive customer data. The Aflac Japan incident reflects that shift. A single account traversed an extraordinary volume of customer records over 11 days, until a spike in processing load surfaced the activity. The lesson lies not only in how access was obtained, but in how long anomalous behavior went unobserved. Every second of undetected access compounds the potential harm, turning a contained incident into a systemic breach. This pattern is not unique to Aflac or to Japan. Japan's Personal Information Protection Commission recorded 19,056 data-incident reports in the fiscal year ending March 2025, a 57% increase and record high. Costs are following the same trajectory: IBM's Cost of a Data Breach Report 2025 put the average breach across ASEAN economies at USD 3.67 million, a 14% rise to a record high, a trend that reflects the broader regional direction. To close this gap and enhance overall cybersecurity posture, zero-trust principles and least-privilege access are imperative. Organisations that have not yet deployed a privileged access management platform are operating with a significant detection gap. By securing privileged accounts, enabling real-time session monitoring and enforcing least-privilege access controls, organizations reduce the risk of credential theft, privilege misuse and unauthorized access that leads to damaging breaches. Applied consistently, this approach shortens the window an attacker has to work in, turning an 11-day intrusion into one detected within hours," said Nishiyama.

Supply chain exposure has also come under scrutiny after the Singapore Land Authority reported that personal data on 70,000 people was compromised in a breach involving vendor IBM. The incident originated in a dataset created for development and testing that later came to contain real identity and property records and was then accessed without authorisation.

Nishiyama said the SLA case highlights how third-party access paths and non-production environments can conceal critical weaknesses in data governance.

"The Singapore Land Authority breach is a reminder that third-party access, not just third-party data, is where supply chain risk actually lives. A dataset created in 1998 for development and testing purposes was never meant to hold real NRIC numbers, names and property addresses. The gap between intended data classification and actual data content is the kind of blind spot that persists for years inside vendor-managed environments, because nobody is continuously verifying what's actually there or who can access it. Singapore has the highest rate of third-party breaches globally and this incident encapsulates that familiar pattern, with a supplier holding access to systems or data far broader than the task requires. That access sits largely unmonitored until something goes wrong. Development and testing environments are routinely treated as lower risk than production yet they often contain equally sensitive data with far weaker controls around it. Organisations cannot afford to outsource accountability for how vendors access their systems. Least-privilege policies, time-bound Just-in-Time access and full session visibility should apply to every supplier connection, including development environments, not just production. If a vendor's access to a dataset cannot be justified, monitored and revoked on demand, that access itself is a vulnerability. As Singapore's amended Cybersecurity Act extends reporting obligations to supplier-linked incidents, organisations must treat third-party access governance as a continuous discipline, rather than a contractual assumption, and act on that now," said Nishiyama.