API-related data breaches in the Singapore data protection landscape (APAC)

What is an API?

An Application Programming Interface (“API”) facilitates the transmission of data between two or more applications. It acts as an interface from one application to another. More technically, an API receives queries from external applications and provides responses based on pre-defined protocols. APIs allow applications to work together without the developer needing to understand the internal workings of the other application. 

In our increasingly digitised world, APIs are not only commonplace, but lie at the heart of what powers the web and mobile servers, systems and applications we use every day, from cloud services like Microsoft 365 and Amazon Web Services, to client applications like Google Chrome, WhatsApp or Instagram and even the SingaporeAir mobile app. 

However, APIs pose a security challenge in that they can be exploited to provide a hacker with access to data that the application’s developer never intended to provide and with the ability to disrupt systems and services in unauthorised ways.

The Cyber Security Agency of Singapore (“CSA”) has published several advisories, alerts, media releases and general resource articles on APIs. In some of these publications, the CSA has actively advised on critical vulnerabilities in the APIs present in products from global heavyweights in software development, including VMware, Juniper Networks, Palo Alto Networks and SAP. This is consistent with the CSA’s position that organisations should ensure that APIs will not compromise their servers’ security.

The CSA stated in its advisory of 19 October 2022 that an “exponential increase in the use of APIs widens the attack surface area. APIs are also the most commonly exposed component of a system.” This was echoed in its CyberSense article of 31 March 2023 on mitigating risks relating to APIs in cloud technology, where it reiterated that “without proper API management in place, cloud APIs can inadvertently increase the attack surface and be exploited as an unauthorised entry point into an organisation’s network and databases that are hosted on the cloud.”

The Open Web/Worldwide Application Security Project (“OWASP”) is a community-driven, global, non-profit foundation dedicated to improving web application security, best known for “the OWASP Top 10” – a regularly-updated list of the most pressing web application security concerns that is published once every four years (the next list is due to be published this year). In 2023, OWASP also compiled a list of the 10 most critical security risks facing APIs to assist organisations in tackling common vulnerabilities.

API security is indisputably critical, as APIs are a common target for attacks by threat actors. In this context, the data sharing that APIs enable is of utmost concern as a data protection risk, as APIs are portals to databases that contain personal data. Any unauthorised access to data will be considered a data breach event that could trigger mandatory breach notification to, and investigations and enforcement action by the Personal Data Protection Commission (“PDPC”) under the Personal Data Protection Act 2012 (“PDPA”).

Voluntary undertakings involving APIs

The three data breaches involving APIs that resulted in the relevant organisations providing voluntary undertakings all occurred in 2024 (and the voluntary undertakings were made in 2025): 

  1. Tech in Asia – 22 August 2025
  2. Poh Heng Jewellery Pte Ltd – 2 January 2025
  3. MISC Group Pte Ltd – 6 September 2025.

These incidents have involved the exploitation of: (i) vulnerabilities in API keys and integration credentials hardcoded into source code; (ii) a legacy public-facing API endpoint that lacked the logic and ability to verify authorisation token permissions; and (iii) a publicly accessible API Uniform Resource Locator (“API URL”) linking to a website hosted on a cloud server.

Some of the actions these organisations have undertaken to implement include enabling a secret key on the API URL to prevent public access, reviewing restrictions on other server access keys, initiating rate limiting and alert systems for API requests, introducing an API gateway for centralised API management, enhancing code review during development, and introducing multi-factor authentication.
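The failure modes described above (an endpoint that accepts any token without verifying what it permits, and a signing secret that would otherwise be hardcoded) and the remediations just listed (rate limiting with an alert hook, plus scope and ownership checks) can be seen side by side in a small sketch. This is an added example and not code from the original article or from any of the organisations named; the token format, the `customer:read` scope, the `DEMO_API_SIGNING_SECRET` environment variable and the customer records are all constructed for the illustration.

```python
import base64
import hashlib
import hmac
import json
import os
from collections import defaultdict, deque
from typing import Dict, List, Optional

# Signing secret for tokens. Read from the environment so it never sits in
# source code; the fallback is a constructed demo value for this example only.
SERVER_SECRET = os.environ.get("DEMO_API_SIGNING_SECRET", "constructed-demo-secret").encode()

# Constructed sample data: each record belongs to exactly one customer account.
CUSTOMER_RECORDS: Dict[str, dict] = {
    "c-1001": {"owner": "alice", "name": "Alice Tan", "nric_last4": "123A"},
    "c-1002": {"owner": "bob", "name": "Bob Lim", "nric_last4": "456B"},
}


def issue_token(subject: str, scopes: List[str]) -> str:
    """Issue an HMAC-SHA256 signed token carrying the caller's identity and scopes."""
    payload = json.dumps({"sub": subject, "scopes": scopes}, separators=(",", ":")).encode()
    sig = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload).decode() + "." + base64.urlsafe_b64encode(sig).decode()


def verify_token(token: str) -> Optional[dict]:
    """Return the token's claims if its signature is valid, otherwise None."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except ValueError:  # wrong number of parts or bad base64 (binascii.Error is a ValueError)
        return None
    expected = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    return json.loads(payload)


class SlidingWindowLimiter:
    """Per-subject rate limit: at most max_requests within any window_seconds span."""

    def __init__(self, max_requests: int, window_seconds: float):
        self.max_requests = max_requests
        self.window = window_seconds
        self._hits: Dict[str, deque] = defaultdict(deque)

    def allow(self, key: str, now: float) -> bool:
        hits = self._hits[key]
        while hits and now - hits[0] >= self.window:
            hits.popleft()  # drop timestamps that have left the window
        if len(hits) >= self.max_requests:
            return False
        hits.append(now)
        return True


def legacy_get_customer(token: str, customer_id: str) -> dict:
    """The weak pattern: the endpoint checks that *some* token is present but never
    verifies who issued it, who it belongs to, or what it permits."""
    if not token:
        return {"status": 401, "error": "missing token"}
    record = CUSTOMER_RECORDS.get(customer_id)
    if record is None:
        return {"status": 404, "error": "not found"}
    return {"status": 200, "data": record}


def hardened_get_customer(token: str, customer_id: str,
                          limiter: SlidingWindowLimiter, now: float) -> dict:
    """The corrected pattern: signature check, rate limit, scope check, ownership check."""
    claims = verify_token(token)
    if claims is None:
        return {"status": 401, "error": "invalid token"}
    if not limiter.allow(claims["sub"], now):
        # A real deployment would also raise an alert to the monitoring system here.
        return {"status": 429, "error": "rate limited"}
    if "customer:read" not in claims.get("scopes", []):
        return {"status": 403, "error": "insufficient scope"}
    record = CUSTOMER_RECORDS.get(customer_id)
    if record is None or record["owner"] != claims["sub"]:
        # Same response whether the record is missing or belongs to someone else,
        # so a caller cannot tell which customer IDs exist.
        return {"status": 404, "error": "not found"}
    return {"status": 200, "data": record}


if __name__ == "__main__":
    bob = issue_token("bob", ["customer:read"])
    print("legacy, bob reads alice's record:  ", legacy_get_customer(bob, "c-1001")["status"])
    print("hardened, bob reads alice's record:", hardened_get_customer(bob, "c-1001", SlidingWindowLimiter(5, 60), 0.0)["status"])
```

Run as a script, the legacy handler returns 200 to a caller reading another customer's record, while the hardened handler returns 404; a forged or unsigned token is rejected before any record lookup, and a subject exceeding the window limit receives 429 regardless of its scopes.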

PDPC decisions involving APIs

There has been a sizeable number of published PDPC decisions involving APIs:

  1. Re Ezynetic Pte. Ltd. [2025] SGPDPCS 2 (“Ezynetic”)
  2. Re Carousell Pte. Ltd. [2023] SGPDPC 13 (“Carousell”)
  3. Re PINC Interactive Pte. Ltd. [2022] SGPDPC 1 (“PINC”)
  4. Re Quoine Pte Ltd [2022] SGPDPC 2 (“Quoine”)
  5. Re Lovebonito Singapore Pte. Ltd. [2022] SGPDPC 3 (“Lovebonito”)
  6. Re Redmart Limited [2022] SGPDPC 8 (“Redmart”)
  7. Re Singapore Telecommunication Limited [2020] SGPDPC 13 (“Singtel 2020”)
  8. Re Grabcar Pte Ltd [2020] SGPDPC 14 (“Grabcar”)
  9. Re Singapore Telecommunications Limited [2019] SGPDPC 36 (“Singtel 2019”).

While a majority of these decisions were handed down in 2022, the data breaches they address appear to have been concentrated in 2019 and 2020. The most recent Ezynetic data breach was notified to the PDPC in 2024, and the Carousell data breach that preceded it was a 2022 event. 

Conclusion

Given the prevalence of API usage in our connected world, the risk of API-related data breaches is far from remote. It is essential for organisations to prioritise the management and mitigation of the security risks posed by APIs as part of their data protection obligations. Risk assessment should be multi-layered, taking into account all possible vulnerabilities and providing for, among other things, access restrictions, input validation, both authentication and authorisation, encryption of data both in transit and at rest, regular patching, periodic security audits, and consistent monitoring of API activity for anomalies.

Kennedys regularly advises on cyber incidents (acting in the capacity of incident response manager and legal advisor) and data protection laws in Singapore and worldwide. If you require any assistance in this regard, please contact the authors.
