The personal details more than 850 national servicemen and employees of Singapore's Ministry of Defence (Mindef) were stolen in a "targeted and well-planned" cyberattack earlier this month, the government department confirmed on Tuesday (28 February).
The breach, which was discovered in early February, hit an internet-connected Mindef system called I-net, which is a series of computer terminals used by its personnel to access the web while working in Singapore Armed Forces (SAF) camps.
The stolen information was basic, largely consisting of data used for general account management, but still enough to cause concern within military circles.
It included National Registration Identity Card numbers, telephone numbers and dates of birth.
No classified military information was hacked in the breach because this is stored on a separate system that is not connected to the web. According to The Straits Times, some experts said the incident may have been state-sponsored.
In briefings reported by local media, Mindef officials said the cyberattack was remote and did not originate from inside an SAF camp.
David Koh, Mindef's deputy secretary for technology who also heads up the nation's Cyber Security Agency, told ChannelNewsAsia: "The attacks were targeted and well-planned. Based on our investigations, they were not the work of casual hackers or criminal gangs."
He maintained the physical separation of I-net from the internet stopped any secrets being leaked to the hackers. He said: "Mindef adopts a multilayer approach to security. The attacker only breached the outer layer but did not go deeper into classified systems.
"It's no secret that government agencies, including Mindef, are prime targets, and we are under constant cyberattack. Because of this we need to continually be vigilant and improve our cyber-defences so that we remain resilient against cyberattacks."
The ministry said the breach was not reported at the initial time of discovery as a thorough investigation had to take place to assess its systems for other potential vulnerabilities. After the attack, it warned other agencies about the hack so they could check their own networks.
Mindef officials are still in the process of contacting all military personnel and employees who had their data compromised. It said password changes will be enforced and anyone victimised by the hackers will be advised to report any further suspicious activity on their accounts.
Singapore has been hit with hacking incidents in the past. In 2013, hackers aligned with the Anonymous collective targeted a slew of government websites. Later, a court jailed a man called Mohammad Azhar bin Tahir for attacking the website of the country's prime minister, Lee Hsien Loong.
The separation of internet access from government employees is becoming a popular policy in Singapore. In June 2016, the Infocomm Development Authority disconnected more than 100,000 computers used by civil servants in the country.
The move, it said at the time, was a way to bulk up network security and reduce the chance of being impacted in a widespread cyberattack.