When news broke that Toppan Next Tech — a key print vendor for the Singapore Police Force, DBS Bank, Bank of China, and the Elections Department — had suffered a ransomware attack, it sent ripples through Singapore’s public and private sectors.
Although the breach did not affect general election operations, the personal data of citizens, including names and addresses, was believed to have been compromised in April. These leaked details are a gold mine for scammers seeking to craft highly believable social engineering attacks. In 2024, scam victims in Singapore reportedly lost a record US$1.1 billion, and more than three in four of them voluntarily transferred the money themselves. These scams are so psychologically effective that lawmakers have even empowered police to restrict banking access for victims who cannot believe they are being manipulated.
The harsh reality of this breach is that no organisation is immune to supply chain threats, especially when trust is outsourced. And when partners slip up, the everyday person pays the price. Regardless of an organisation’s size or sector, cybersecurity can no longer stop at the network’s edge.
Understanding the regional supply chain threat
Cybersecurity incidents happen more frequently than many organisations realise. According to ESET’s SMB Cybersecurity Report 2024, 65% of surveyed businesses in Singapore experienced a security breach or acted on signs of compromise in the past year. One of the leading causes was third-party vendor vulnerabilities, cited by 39% of respondents across APAC.
Managing risks from these third-party vendors, or supply chain risks, is challenging. Supply chains today aren’t just about physical goods; they encompass software providers, digital platforms, logistics firms, and service partners. Most rely on internet-facing systems, making them ripe targets for disruption. Supply chain threats range from ransomware to data theft, DDoS attacks, and business email compromise (BEC). By infiltrating one vendor, attackers can potentially reach hundreds of downstream clients.
While the specific attack methods used to steal data in Toppan’s care are still under investigation, similar patterns have been observed in recent incidents. The following are some of the supply chain attack vectors that cybercriminals may have exploited.
How cybercriminals exploit the supply chain
One growing tactic involves compromising proprietary or widely used third-party software. Cybercriminals insert malicious code into products that are later distributed to enterprise customers. The MOVEit file-transfer software incident is a prime example. The software was exploited via a previously unknown vulnerability, and the breach led to data theft affecting hundreds of organisations and, by extension, millions of their customers.
At the same time, attacks on open-source ecosystems are increasing. Developers often rely on freely available open-source packages to accelerate development timelines, and this trust in the community is being weaponised. Malicious actors embed malware into open-source libraries, which then become part of production systems. Research from Sonatype’s State of the Software Supply Chain report suggests such attacks have surged by more than 600% in the past year alone.
Beyond technical exploits, social engineering continues to expose gaps in supplier relationships. BEC schemes have become more advanced, with fraudsters impersonating suppliers to deceive victims into transferring funds or releasing sensitive assets. According to ESET’s SMB Cybersecurity Report 2024, Singapore recorded the highest rate of BEC incidents in the region, with 34% of organisations reporting at least one case.
Credential theft and data exfiltration round out the major risks. Vendors such as law firms or IT service providers are often custodians of sensitive information, making them lucrative targets for attackers seeking to extract data for extortion or commercial gain. For example, a breach at IT vendor Ezynetic resulted in the leak of personal data from about 128,000 borrowers, including names, NRIC numbers, and loan details, underscoring how third-party compromises can expose highly sensitive information at scale.
Ransomware remains a constant across all these scenarios. According to ESET’s Threat Report H2 2024, the ransomware-as-a-service market expanded significantly after the disruption of major groups, lowering entry barriers and attracting more cybercriminals. As digital ecosystems grow more interconnected, supply chain integrity is no longer a peripheral issue; it lies at the heart of modern cyber risk.
Three steps for Singapore organisations to strengthen supply chain cybersecurity
To mitigate supply chain cyber risks, Singaporean organisations must adopt a prevention-first mindset.
- Strengthen supplier governance
Firms must apply rigorous oversight to their third-party ecosystem and fully understand their business dependencies. This means vetting vendors through recognised local and international certifications such as ISO/IEC 27001 and the Cyber Essentials Mark. Suppliers should have robust cybersecurity programs that cover detection, prevention, and response capabilities, and these expectations must be formalised in service-level agreements (SLAs), including clearly defined incident-reporting procedures, breach-notification timelines, and minimum security controls. SLAs help ensure accountability and alignment across all parties.
- Secure the software supply chain
As organisations increasingly depend on open-source tools to accelerate development, they must also contend with the risks these components introduce. Organisations should consider using software composition analysis tools to identify and remediate vulnerabilities early in the development process. They should also extend this risk analysis externally and maintain an up-to-date inventory of vendors and digital dependencies, categorising them by data sensitivity and access levels, including any downstream suppliers they work with. Routine audits and verification against industry standards help close gaps across the supply chain before attackers can exploit them.
- Enforce access controls and prepare for incidents
Adopting a zero-trust architecture is critical to limiting the blast radius of a potential breach. All external users and devices must be treated as untrusted by default, with continuous authentication and behaviour monitoring as standard. Multi-factor authentication should be a baseline requirement for all third-party access. At the same time, organisations must plan for worst-case scenarios. Running simulated cyberattacks that include third-party coordination can surface bottlenecks, clarify roles, and speed up containment when it matters most.
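The vendor inventory described in the three steps above can be kept as data and checked automatically. The following is an added example, not part of the original article: the three-level scales, the field names, the tiering rule and the sample vendors are all assumptions made for illustration. It shows how a downstream supplier inherits the sensitivity of the data its upstream vendor handles, and how missing controls are flagged per vendor.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed three-level scales; substitute your organisation's own classification.
SENSITIVITY = {"public": 0, "internal": 1, "personal": 2}
ACCESS = {"none": 0, "network": 1, "privileged": 2}

@dataclass
class Vendor:
    name: str
    sensitivity: str                        # most sensitive data the vendor holds
    access: str                             # access the vendor has to our systems
    mfa: bool = False                       # MFA enforced on that access
    certified: bool = False                 # e.g. ISO/IEC 27001, Cyber Essentials Mark
    breach_sla_hours: Optional[int] = None  # breach-notification timeline in the SLA
    downstream: List[str] = field(default_factory=list)

def inherited_sensitivity(inventory):
    """Push each vendor's data sensitivity down to the suppliers it relies on."""
    level = {n: SENSITIVITY[v.sensitivity] for n, v in inventory.items()}
    stack = list(inventory)
    while stack:  # levels only rise, so this terminates even with cycles
        name = stack.pop()
        for sub in inventory[name].downstream:
            if sub in inventory and level[sub] < level[name]:
                level[sub] = level[name]
                stack.append(sub)
    return level

def review(inventory):
    """Return {vendor: (tier, gaps)}; tier 2 is the highest-risk tier."""
    level = inherited_sensitivity(inventory)
    report = {}
    for name, v in inventory.items():
        tier = max(level[name], ACCESS[v.access])
        gaps = [f"downstream supplier not in inventory: {s}"
                for s in v.downstream if s not in inventory]
        if ACCESS[v.access] > 0 and not v.mfa:
            gaps.append("no MFA on third-party access")
        if tier == 2 and not v.certified:
            gaps.append("no recognised certification")
        if tier == 2 and v.breach_sla_hours is None:
            gaps.append("no breach-notification timeline in SLA")
        report[name] = (tier, gaps)
    return report

# Constructed sample inventory (hypothetical vendors).
INVENTORY = {
    "print-vendor": Vendor("print-vendor", "personal", "none", certified=True,
                           breach_sla_hours=72, downstream=["mail-house", "courier"]),
    "mail-house": Vendor("mail-house", "internal", "network"),
    "saas-analytics": Vendor("saas-analytics", "internal", "privileged",
                             mfa=True, certified=True, breach_sla_hours=24),
}
```

In the sample, `mail-house` is declared as handling only internal data but lands in the top tier because it sits downstream of a vendor holding personal data, which is the kind of exposure a flat vendor list hides.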
Prevention-first is the only path forward
We don’t wait for a fire to buy insurance, and likewise, we shouldn’t wait for a breach to secure our digital supply chains. Cybersecurity is no longer just about IT hygiene; it’s about business continuity, citizen trust, and resilience. With the right frameworks, smarter tools, and a prevention-first mindset, organisations across Singapore’s public and private sectors can better secure their supply chains and build the resilience needed to thrive in an increasingly digital-first world.














