Daily News

Singapore MRT Contractor Hit by Cyberattack—and the Real Problem Is What It Reveals

Because Third-Party Cyber Risk in Critical Infrastructure Is Not a Theoretical Concern But a Very Real Risk

A cybersecurity incident at a contractor building three Jurong Region Line MRT stations and the new Changi NEWater Factory 3 has exposed a risk that security experts have been warning about for years: when a contractor is breached, the organisations they serve are only as secure as the access controls they put in place before the cyberattack happens.

Shanghai Tunnel Engineering Co (Singapore)—the civil engineering and construction firm awarded a USD $465.2 million contract in 2019 to design and build Choa Chu Kang, Choa Chu Kang West, and Tengah stations for the JRL, as well as a 4.3km viaduct connecting them—confirmed on 28 April 2026 that it had recently identified a cybersecurity incident and taken immediate steps to contain the situation. The company did not state when the incident occurred.

Data relating to both the JRL stations and the Changi NEWater Factory 3—a $205 million project Shanghai Tunnel entered through a joint venture with Sanli M&E Engineering in February 2026—was compromised. The extent of the compromise remains under investigation.

What the Authorities Say About the Cyberattack

Singapore’s Land Transport Authority (LTA) confirmed it was aware of the cyberattack, which has since been reported to the police and relevant authorities. As a precautionary measure, LTA temporarily suspended the contractor’s access to its digital systems. Ongoing construction of the MRT line, the authority confirmed, has not been affected.

PUB, Singapore’s national water agency, said Shanghai Tunnel has no access to its own digital systems. Its investigation found that no sensitive data pertaining to the Changi NEWater Factory 3 had been stolen—the compromised data consisted of project tender documents, which are publicly available on the government procurement portal GeBIZ.

“We take a serious view of cybersecurity,” a PUB spokesperson said, adding that the agency has reminded the contractor to review its cybersecurity measures.

Shanghai Tunnel said it is working with an external cybersecurity specialist to support its investigation. “We are cooperating fully with the relevant authorities and kindly request that all parties allow the investigation to proceed without interference,” the company said.

Checks by local media, including on ransomware portals and hacker forums where stolen data is typically leaked, yielded no results.

The Deeper Problem

For Takanori Nishiyama, SVP for Asia Pacific at Keeper Security, the cyberattack is less a story about what was taken and more a story about how contractor access was governed in the first place.

“The cybersecurity incident at Shanghai Tunnel Engineering Co Singapore is a concrete illustration of a risk that critical infrastructure operators across APAC have been warned about repeatedly,” Nishiyama said. “A contractor with access to sensitive project environments becomes, by definition, an extension of the principal organisation’s attack surface. When that contractor’s systems are compromised, the question of what data was accessible matters far less than the question of how that access was governed in the first place.”

Nishiyama acknowledged the LTA’s immediate response but framed it as a lesson rather than a solution.

“The immediate response from the Land Transport Authority, suspending STECS’s access to its digital systems as a precautionary measure, is the right instinct. But that response being reactive rather than pre-emptive is itself the lesson,” he said. “Supplier access to critical infrastructure systems should not rely on suspension after an incident as its primary control. It should be governed continuously, with access scoped to defined roles, time-bound where possible and fully auditable throughout.”

The scale of the visibility gap across the region makes this particularly concerning. A recent Economist Impact research report on digital resilience in APAC found that only 22% of organisations in Singapore report having direct insight into the digital resilience capabilities of their suppliers and partners.

“That figure is a red flag given the scale of contractor interdependency in major public infrastructure programmes,” Nishiyama said.

His prescription for organisations managing complex, multi-year infrastructure programmes with multiple contractors and joint venture partners is direct. “Enforcing least-privilege access, continuously verifying identities, enforcing password rotation and time-bound access, and maintaining full session visibility across those relationships is not optional governance,” he said. “It is the operational baseline that determines whether a contractor incident stays contained or cascades.”

Context and What Comes Next

Shanghai Tunnel Engineering Co (Singapore) was established in 1996 and has worked on multiple MRT projects, including stations for the Circle, Downtown, and Thomson-East Coast lines. The Changi NEWater Factory 3, expected to be ready in 2028, replaces the plant in Bedok and will produce up to 50 million gallons of NEWater daily when operational.

The investigation is ongoing. The police have been notified. The contractor’s access to LTA’s systems remains suspended.

What the cyberattack already confirmed—before the investigation concludes—is that third-party cyber risk in critical infrastructure is not a theoretical concern. It is a present and active one. The question for every organisation running complex programmes through contractor networks is whether their access governance would contain an incident like this—or whether they would find out the hard way, the same way LTA did.

Martin Dale Bolima

Martin has been a Technology Journalist at Asia Online Publishing Group (AOPG) since July 2021, tasked primarily to handle the company’s Disruptive Tech Asia and Disruptive Tech News online portals. He also contributes to Cybersecurity ASEAN and Data&Storage ASEAN, with his main areas of interest being artificial intelligence and machine learning, cloud computing and cybersecurity. A seasoned writer and editor, Martin holds a degree in Journalism from the University of Santo Tomas in the Philippines. He began his professional career back in 2006 as a writer-editor for the University Press of First Asia, one of the premier academic publishers in the Philippines. He next dabbled in digital marketing as an SEO writer while also freelancing as a sports and features writer.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *