about

Antihack Blog

223 State Courts Online Case Files Accessed Without Authorisation Due To Loophole

24 Jan 2019



SINGAPORE: Electronic case files in the State Courts' online management system were viewed by up to nine unauthorised people who exploited a loophole in the system, the courts said in a statement on Wednesday (Nov 28).


This was the first time that the State Courts had encountered such an incident, a spokesman said in response to media queries.

The Integrated Criminal Case Filing and Management System (ICMS) is a system used to document criminal cases.

The State Courts were alerted to a possible vulnerability in the system on Nov 1.


A total of 223 electronic case files were accessed over the course of the year (2018). Most of them (89 per cent) were concluded cases, while the rest were ongoing cases.


Data accessed from the files included names, personal identity information, addresses, gender of the accused, information about the offences, as well as the status of the case. 


"Immediate steps were taken to fix the vulnerability," said the State Courts. "The e-case files had not been tampered with, and the integrity of ongoing proceedings was not affected."


The type of cases accessed by the individuals included criminal cases, coroner's inquiries, magistrate's complaints and a youth court case.


"Our review suggests that this is not a hacking incident and we do not currently have reason to believe that the unauthorised access activities were coordinated," said the State Courts spokesman. The vulnerability was not found in its other online case filing management systems.


ICMS is used by lawyers, the media and accused persons, with different layers of access for each group of users. While the State Courts did not have information on the number of ICMS users, the spokesman said there were about 190,000 cases in the system as of Nov 19.


Those who have been accused of crimes can access the ICMS Accused Person portal with a valid account through SingPass authentication. Preliminary findings show that a few such accused persons exploited a loophole in the ICMS system which allowed them to view court documents in other e-case files.


While the State Courts did not elaborate on what the loophole was, the spokesman said it was patched to prevent unauthorised access to court documents within 12 hours of being alerted to it. They also reported the matter to the police. 


Along with their system vendor Ecquaria Technologies, the State Courts implemented additional measures to protect the security and confidentiality of the information in ICMS by enhancing user access controls within the system. Investigations by the police are ongoing and letters have been sent to all parties affected.


The State Courts said they have set up a dedicated email (query@statecourts.gov.sg) and hotline (6435 5651) to address queries.

They said that they take a serious view of any unauthorised access of information in their case management systems and will do what is necessary to prevent similar incidents from occurring.


SOURCE: https://www.channelnewsasia.com/news/singapore/223-state-courts-online-case-files-accessed-without-10976490

Share this link:

https://www.antihack.me/blog/223-state-courts-online-case-files-accessed-without-authorisation-due-to-loophole