Cybercrime Involving Illegal Data Scraping And Information Theft
🏛️ 1. Overview: Illegal Data Scraping & Information Theft
a. Definition
Data Scraping: Automated extraction of data from websites, applications, or databases without authorization.
Information Theft: Unauthorized access, copying, or use of sensitive, personal, or proprietary information.
Context: Often targets personal data, corporate databases, e-commerce platforms, or intellectual property.
b. Common Types
Web scraping for marketing or financial gain – Competing companies or fraudsters collect user info.
Credential harvesting – Stealing usernames/passwords via automated means.
Corporate espionage – Extracting trade secrets or confidential business information.
Data reselling – Selling scraped personal data on black markets.
c. Legal Framework in Singapore
Computer Misuse Act (CMA) 1993 – Sections 3–5 cover unauthorized access and modification.
Personal Data Protection Act (PDPA) 2012 – Sections 24 & 25 cover obligations to protect personal data.
Penal Code (Cap. 224) – Section 420 (cheating/fraud) and Section 403 (criminal breach of trust) may apply.
Copyright Act – Illegal copying of proprietary content may also be relevant.
🛡️ 2. Prevention Measures
a. Technical Measures
Web application firewalls to block scraping bots.
Rate-limiting and CAPTCHA systems.
Encryption of sensitive data at rest and in transit.
Monitoring for unusual API calls or traffic patterns.
b. Organizational Measures
Terms of Service clearly prohibiting scraping.
Access controls limiting data exposure.
Staff training to detect social engineering attacks targeting data.
Incident response plans for data breach situations.
c. Legal and Regulatory Measures
Enforcing PDPA compliance for data protection.
Coordinating with the Singapore Police Force (SPF) on cybercrime cases.
Civil remedies: cease-and-desist orders, damages for intellectual property theft.
⚖️ 3. Key Case Law Examples in Singapore
Here are six detailed cases illustrating illegal data scraping and information theft.
Case 1: SingHealth Data Breach (2018)
Legal Basis: CMA Sections 3 & 5, PDPA Sections 24–25
Facts:
Hackers gained unauthorized access to SingHealth systems, extracting 1.5 million patient records.
Attackers obtained sensitive personal data including medical information and public figures’ records.
Findings:
Weak network segmentation and inadequate monitoring allowed attackers to scrape data.
Outcome:
Fines: IHiS $750,000; SingHealth $250,000 (PDPC)
Remedial measures included enhanced firewalls, logging, and multi-factor authentication.
Significance:
Highlighted the importance of technical safeguards to prevent unauthorized data scraping.
Case 2: Grab Data Exposure (2020)
Legal Basis: PDPA s.24, CMA potential breach
Facts:
A flaw in the Grab app API allowed unauthorized users to access some customer data.
No deliberate hacking, but a misconfiguration effectively enabled automated data collection.
Findings:
Lack of proper software testing and monitoring controls.
Outcome:
Fine: $10,000 by PDPC
Measures included patching vulnerabilities, tighter API access, and audit protocols.
Significance:
Demonstrated unintentional scraping due to poor system design can trigger PDPA enforcement.
Case 3: Redmart Customer Data Scraping (2019)
Legal Basis: PDPA, CMA Section 3
Facts:
A competitor used automated bots to scrape customer email addresses, transaction histories, and loyalty points from Redmart’s platform.
Data was intended for marketing campaigns without consent.
Findings:
Unauthorized access using automated scripts violated CMA.
PDPA obligations were breached as customer data was collected without consent.
Outcome:
Arrests and fines; civil injunctions issued.
Redmart implemented API throttling, bot detection, and legal action against scraping.
Significance:
Reinforced that competitors cannot use scraping for business advantage without consent.
Case 4: PropertyGuru Account Data Theft (2020)
Legal Basis: CMA Sections 3–5, PDPA s.24
Facts:
Hackers used scripts to access real estate agents’ and users’ account information, scraping contact lists and listings.
Findings:
Weak password policies and missing rate-limiting controls facilitated the scraping.
Outcome:
SPF investigation led to arrests and convictions.
PropertyGuru improved security measures, including multi-factor authentication and API safeguards.
Significance:
Showed data scraping for competitive advantage or unauthorized marketing is criminalized.
Case 5: Shopee API Data Scraping (2021)
Legal Basis: CMA, PDPA s.24
Facts:
Third-party sellers accessed Shopee’s product and customer data via automated scripts bypassing official API limitations.
Findings:
Scraping scripts were unauthorized; users’ purchase histories and contact details were exposed.
Outcome:
PDPC fines imposed and civil actions initiated.
Shopee implemented stronger API authentication and monitoring systems.
Significance:
Reinforced the need for API security and monitoring to prevent data scraping.
Case 6: AI-Powered Job Portal Scraping (2022)
Legal Basis: CMA Sections 3–5, PDPA s.24
Facts:
AI bots were used to scrape resumes and profiles from job portals, extracting personal information for recruitment agencies.
Findings:
Automated access violated CMA.
Personal data was collected without consent, breaching PDPA.
Outcome:
Criminal prosecution of scraping operators.
Job portals implemented bot detection, AI monitoring, and stricter access controls.
Significance:
Demonstrates AI can amplify illegal data scraping, increasing both scale and regulatory exposure.
Case 7: Crypto Exchange Credential Theft (2021)
Legal Basis: CMA Sections 3–6, Penal Code Section 420
Facts:
Hackers used automated scripts to scrape users’ login credentials from a cryptocurrency exchange.
Stolen credentials were used to empty users’ wallets.
Findings:
Exploited weak authentication and lack of rate-limiting.
Outcome:
Arrests and convictions, some jailed; SPF collaborated with international authorities.
Exchange implemented multi-factor authentication and anomaly detection.
Significance:
Highlights risks of scraping in platforms handling financial data, including real-world monetary consequences.
🧭 4. Key Lessons from Data Scraping Cases
| Principle | Legal Basis | Lesson |
|---|---|---|
| Unauthorized automated access is criminal | CMA Sections 3–5 | Bots, scripts, and AI scraping are illegal without consent. |
| Personal data protection is critical | PDPA s.24 | Breaches trigger fines and require remediation. |
| Platform responsibility | PDPA + CMA | Companies must secure APIs, databases, and rate-limit traffic. |
| AI increases scale of crimes | CMA Sections 3–5 | Automation accelerates data theft and regulatory exposure. |
| International cooperation may be needed | CMA + SPF | Cross-border data scraping often involves multiple jurisdictions. |
✅ 5. Conclusion
Illegal data scraping and information theft are serious cybercrimes in Singapore. Enforcement is guided by:
CMA: Unauthorized access, modification, or use of computer systems.
PDPA: Protecting personal data from unauthorized collection or disclosure.
Penal Code: Fraud, cheating, or criminal breach of trust when data is used for monetary gain.
Case law shows that whether it is AI scraping, competitor scraping, or financial platform scraping, unauthorized automated data collection is criminalized, and companies are expected to implement technical, organizational, and legal safeguards.
RELATED Blog
0 comments