Computer Misuse Act 1993
2020 REVISED EDITION This revised edition incorporates all amendments up to and including 1 December 2021 and comes into operation on 31 December 2021. Prepared and Published by THE LAW REVISION COMMISSION UNDER THE AUTHORITY OF THE REVISED EDITION OF THE LAWS ACT 1983 Informal Consolidation – version in force from 8/2/2024
An Act to make provision for securing computer material against unauthorised access or modification, for preventing abuse of the national digital identity service, and for matters related thereto. [3/2013; 9/2018] [Act 16 of 2023 wef 08/02/2024] [30 August 1993]
ARRANGEMENT OF SECTIONS PART 1 PRELIMINARY Section 1. Short title 2. Interpretation PART 2 OFFENCES 3. Unauthorised access to computer material 4. Access with intent to commit or facilitate commission of offence 5. Unauthorised modification of computer material 6. Unauthorised use or interception of computer service 7. Unauthorised obstruction of use of computer 8. Unauthorised disclosure of access code 8A. Disclosure of password, access code, etc., in relation to national digital identity service 8B. Supplying, etc., credential of another person 9. Supplying, etc., personal information obtained in contravention of certain provisions 10. Obtaining, etc., items for use in certain offences 11. Enhanced punishment for offences involving protected computers 12. Abetments and attempts punishable as offences PART 3 MISCELLANEOUS AND GENERAL 13. Territorial scope of offences under this Act 14. Amalgamation of charges 15. Jurisdiction of Courts 16. Composition of offences 17. Order for payment of compensation 18. Saving for investigations by police and law enforcement officers Section 19. Arrest by police without warrant 20. Amendment of Schedule The Schedule — Definitions relating to national digital identity service
This Act is the Computer Misuse Act 1993. [3/2013; 9/2018]
“computer” means an electronic, magnetic, optical, electrochemical, or other data processing device, or a group of such interconnected or related devices, performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device or group of such interconnected or related devices, but does not include — (a) an automated typewriter or typesetter; (b) a portable hand-held calculator; (c) a similar device which is non-programmable or which does not contain any data storage facility; or (d) such other device as the Minister may, by notification in the Gazette, prescribe; “computer output” or “output” means a statement or representation (whether in written, printed, pictorial, graphical or other form) purporting to be a statement or representation of fact — (a) produced by a computer; or (b) accurately translated from a statement or representation so produced; “computer service” includes computer time, data processing and the storage or retrieval of data; “damage” means, except for the purposes of section 17, any impairment to a computer or the integrity or availability of data, a program or system, or information, that — (a) causes loss aggregating at least $10,000 in value, or such other amount as the Minister may, by notification in the Gazette, prescribe except that any loss incurred or accrued more than one year after the date of the offence in question must not be taken into account; (b) modifies or impairs, or potentially modifies or impairs, the medical examination, diagnosis, treatment or care of one or more persons; (c) causes or threatens physical injury or death to any person; or (d) threatens public health or public safety; “data” means representations of information or of concepts that are being prepared or have been prepared in a form suitable for use in a computer; “electromagnetic, acoustic, mechanical or other device” means any device, apparatus or program that is used or is capable of being used to intercept any function of a computer; “function” includes logic, control, arithmetic, deletion, storage and retrieval and communication or telecommunication to, from or within a computer; “intercept”, in relation to a function of a computer, includes listening to or recording a function of a computer, or acquiring the substance, meaning or purport thereof; “national digital identity service” has the meaning given by paragraph 1(1) of the Schedule; [Act 16 of 2023 wef 08/02/2024] “program or computer program” means data representing instructions or statements that, when executed in a computer, causes the computer to perform a function; [22/2017] [Act 16 of 2023 wef 08/02/2024] “user”, in relation to the national digital identity service, has the meaning given by paragraph 1(1) of the Schedule. [Act 16 of 2023 wef 08/02/2024]
(a) alters or erases the program or data; (b) copies or moves it to any storage medium other than that in which it is held or to a different location in the storage medium in which it is held; (c) uses it; or (d) causes it to be output from the computer in which it is held (whether by having it displayed or in any other manner), and references to access to a program or data (and to an intent to secure such access) are to be read accordingly.
(a) causes the program to be executed; or (b) is itself a function of the program.
(a) is not himself or herself entitled to control access of the kind in question to the program or data; and (b) does not have consent to access by him or her of the kind in question to the program or data from any person who is so entitled.
(a) any program or data held in the computer concerned is altered or erased; (b) any program or data is added to its contents; or (c) any act occurs which impairs the normal operation of any computer, and any act which contributes towards causing such a modification is taken as causing it.
(a) is not himself or herself entitled to determine whether the modification should be made; and (b) does not have consent to the modification from any person who is so entitled.
(a) to a fine not exceeding $5,000 or to imprisonment for a term not exceeding 2 years or to both; and (b) in the case of a second or subsequent conviction, to a fine not exceeding $10,000 or to imprisonment for a term not exceeding 3 years or to both.
(a) any particular program or data; (b) a program or data of any kind; or (c) a program or data held in any particular computer.
(a) the access mentioned in subsection (1) is authorised or unauthorised; (b) the offence to which this section applies is committed at the same time when the access is secured or at any other time.
(a) to a fine not exceeding $10,000 or to imprisonment for a term not exceeding 3 years or to both; and (b) in the case of a second or subsequent conviction, to a fine not exceeding $20,000 or to imprisonment for a term not exceeding 5 years or to both.
(a) any particular program or data; (b) a program or data of any kind; or (c) a program or data held in any particular computer.
(a) secures access without authority to any computer for the purpose of obtaining, directly or indirectly, any computer service; (b) intercepts or causes to be intercepted without authority, directly or indirectly, any function of a computer by means of an electromagnetic, acoustic, mechanical or other device; or (c) uses or causes to be used, directly or indirectly, the computer or any other device for the purpose of committing an offence under paragraph (a) or (b), shall be guilty of an offence and shall be liable on conviction — (d) to a fine not exceeding $10,000 or to imprisonment for a term not exceeding 3 years or to both; and (e) in the case of a second or subsequent conviction, to a fine not exceeding $20,000 or to imprisonment for a term not exceeding 5 years or to both.
(a) any particular program or data; (b) a program or data of any kind; or (c) a program or data held in any particular computer.
(a) interferes with, or interrupts or obstructs the lawful use of, a computer; or (b) impedes or prevents access to, or impairs the usefulness or effectiveness of, any program or data stored in a computer, shall be guilty of an offence and shall be liable on conviction — (c) to a fine not exceeding $10,000 or to imprisonment for a term not exceeding 3 years or to both; and (d) in the case of a second or subsequent conviction, to a fine not exceeding $20,000 or to imprisonment for a term not exceeding 5 years or to both.
(a) for any wrongful gain; (b) for any unlawful purpose; or (c) knowing that it is likely to cause wrongful loss to any person.
(a) to a fine not exceeding $10,000 or to imprisonment for a term not exceeding 3 years or to both; and (b) in the case of a second or subsequent conviction, to a fine not exceeding $20,000 or to imprisonment for a term not exceeding 5 years or to both.
(a) who discloses any password or access code of the user in relation to the national digital identity service, or provides any other means of securing access in the identity of the user to any program or data held in any computer by way of the national digital identity service; and (b) who does so knowing, or having reasonable grounds to believe, that the purpose of the disclosure or provision is for any person to commit, or to facilitate the commission by any person of, any offence under any written law, shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $10,000 or to imprisonment for a term not exceeding 3 years or to both.
(a) that the purpose of committing, or facilitating the commission of, an offence was carried out; (b) that the user knew, or had reasonable grounds to believe, that the purpose was to commit, or facilitate the commission of, any specific offence; or (c) that the disclosure or provision was made to any specific person, if the disclosure or provision was made by the user in a manner that was intended to be accessible or retrievable by another person, whether or not that other person is known to the user.
(a) the user does the act for any gain — (i) whether or not the gain is a wrongful gain; (ii) whether or not the gain is realised; and (iii) whether the gain is to the user or to another person; (b) the user does the act knowing that it is likely to cause wrongful loss to any person; or (c) at the time the user does the act, the user fails to take reasonable steps to ascertain the identity and physical location of the person to whom the password, access code or means of securing access is disclosed or provided.
(a) obtains or retains any credential of another person in relation to the national digital identity service; or (b) supplies, offers to supply, transmits or makes available, by any means, any credential of another person in relation to the national digital identity service.
(a) for use in committing, or in facilitating the commission of, any offence under any written law; (b) for the supply or transmission of, or making available, by any means, the credential to be used in committing, or in facilitating the commission of, any offence under any written law.
(a) the person did the act for a purpose other than for the credential of the other person to be used in committing, or in facilitating the commission of, any offence under any written law; and (b) the person did not know or have reason to believe that the credential of the other person will be or is likely to be used to commit, or facilitate the commission of, any offence under any written law.
(a) to a fine not exceeding $10,000 or to imprisonment for a term not exceeding 3 years or to both; and (b) in the case of a second or subsequent conviction, to a fine not exceeding $20,000 or to imprisonment for a term not exceeding 5 years or to both.
(a) a reference to a credential of another person in relation to the national digital identity service has the meaning given by paragraph 1(2) of the Schedule; and (b) a reference to an offence under any written law includes an offence under subsection (1). [Act 16 of 2023 wef 08/02/2024]
(a) obtains or retains the personal information; or (b) supplies, offers to supply, transmits or makes available, by any means the personal information. [22/2017]
(a) for use in committing, or in facilitating the commission of, any offence under any written law; or (b) for supply, transmission or making available by any means for the personal information to be used in committing, or in facilitating the commission of, any offence under any written law. [22/2017]
(a) the person did the act for a purpose other than for the personal information to be used in committing, or in facilitating the commission of, any offence under any written law; and (b) the person did not know or have reason to believe that the personal information will be or is likely to be used to commit, or facilitate the commission of, any offence under any written law. Example 1.— A comes across a list of credit card numbers on the Internet belonging to individuals who are customers of B, which A has reason to believe were obtained by securing access without authority to B’s server. A downloads the list for the purpose of reporting the unauthorised access to B’s server to the police. A retains the list of credit card numbers and transmits it to B for the purpose of informing B of the unauthorised access to B’s server. A has downloaded and retained the list of credit card numbers for purposes other than those mentioned in subsection (2)(a) and (b). Therefore A does not commit an offence under subsection (1)(a) by reason of subsection (2). A has transmitted the list to B for a purpose other than for it to be used in committing or in facilitating the commission of an offence. If A did not know or have reason to believe that the list so transmitted will be or is likely to be used to commit or facilitate the commission of an offence, then A does not commit an offence under subsection (1)(b) by reason of subsection (3). Example 2.— C, an employee of B, after receiving the list from A in Example 1, transmits it to D, another employee of B, for the purpose of facilitating B’s investigation of the unauthorised access of B’s server. C has transmitted the list to D for a purpose other than for it to be used in committing or in facilitating the commission of an offence. If C did not know or have reason to believe that the list so transmitted will be or is likely to be used to commit or facilitate the commission of an offence, then C does not commit an offence under subsection (1)(b) by reason of subsection (3). [22/2017]
(a) to a fine not exceeding $10,000 or to imprisonment for a term not exceeding 3 years or to both; and (b) in the case of a second or subsequent conviction, to a fine not exceeding $20,000 or to imprisonment for a term not exceeding 5 years or to both. [22/2017]
(a) personal information is any information, whether true or not, about an individual of a type that is commonly used alone or in combination with other information to identify or purport to identify an individual, including (but not limited to) biometric data, name, address, date of birth, national registration identity card number, passport number, a written, electronic or digital signature, user authentication code, credit card or debit card number, and password; and (b) a reference to an offence under any written law includes an offence under subsection (1). [8A [22/2017]
(a) obtains or retains any item to which this section applies — (i) intending to use it to commit, or facilitate the commission of, an offence under section 3, 4, 5, 6 or 7; or (ii) with a view to it being supplied or made available, by any means for use in committing, or in facilitating the commission of, any of those offences; or (b) makes, supplies, offers to supply or makes available, by any means any item to which this section applies, intending it to be used to commit, or facilitate the commission of, an offence under section 3, 4, 5, 6 or 7. [22/2017]
(a) any device, including a computer program, that is designed or adapted primarily, or is capable of being used, for the purpose of committing an offence under section 3, 4, 5, 6 or 7; (b) a password, an access code, or similar data by which the whole or any part of a computer is capable of being accessed. [22/2017]
(a) to a fine not exceeding $10,000 or to imprisonment for a term not exceeding 3 years or to both; and (b) in the case of a second or subsequent conviction, to a fine not exceeding $20,000 or to imprisonment for a term not exceeding 5 years or to both. [8B [22/2017]
(a) the security, defence or international relations of Singapore; (b) the existence or identity of a confidential source of information relating to the enforcement of a criminal law; (c) the provision of services directly related to communications infrastructure, banking and financial services, public utilities, public transportation or public key infrastructure; or (d) the protection of public safety including systems related to essential emergency services such as police, civil defence and medical services.
(a) for the offence in question, the accused was in Singapore at the material time; (b) for the offence in question (being one under section 3, 4, 5, 6, 7 or 8), the computer, program or data was in Singapore at the material time; [Act 16 of 2023 wef 08/02/2024] (c) the offence causes, or creates a significant risk of, serious harm in Singapore; or [22/2017] [Act 16 of 2023 wef 08/02/2024] (d) the offence is one under section 8A(1) or 8B(1). [Act 16 of 2023 wef 08/02/2024]
(a) illness, injury or death of individuals in Singapore; (b) a disruption of, or a serious diminution of public confidence in, the provision of any essential service in Singapore; (c) a disruption of, or a serious diminution of public confidence in, the performance of any duty or function of, or the exercise of any power by, the Government, an Organ of State, a statutory board, or a part of the Government, an Organ of State or a statutory board; or (d) damage to the national security, defence or foreign relations of Singapore. Example 1.— The following are examples of acts that seriously diminish or create a significant risk of seriously diminishing public confidence in the provision of an essential service: (a) publication to the public of the medical records of patients of a hospital in Singapore; (b) providing to the public access to the account numbers of customers of a bank in Singapore. Example 2.— The following are examples of acts that seriously diminish or create a significant risk of seriously diminishing public confidence in the performance of any duty or function of, or the exercise of any power by, the Government, an Organ of State, a statutory board, or a part of the Government, an Organ of State or a statutory board: (a) providing to the public access to confidential documents belonging to a ministry of the Government; (b) publication to the public of the access codes for a computer belonging to a statutory board. [22/2017; 9/2018]
(a) causes the harm directly; or (b) is the only or main cause of the harm. [22/2017]
(a) services directly related to communications infrastructure, banking and finance, public utilities, public transportation, land transport infrastructure, aviation, shipping, or public key infrastructure; (b) emergency services such as police, civil defence or health services. [9/2018]
(a) each of which is an offence under the same provision in Part 2; (b) that involve the same computer; and (c) that are committed in a period that does not exceed 12 months. [22/2017]
(a) particulars of that computer; and (b) the dates between which the acts are alleged to have been committed. [22/2017]
A District Court or a Magistrate’s Court has jurisdiction to hear and determine all offences under this Act and, despite anything to the contrary in the Criminal Procedure Code 2010, has power to impose the full penalty or punishment in respect of any offence under this Act. [12
Nothing in this Act prohibits a police officer, an authorised person within the meaning of section 39 of the Criminal Procedure Code 2010 or any other duly authorised law enforcement officer from lawfully conducting investigations pursuant to the powers conferred on him or her under any written law. [14 [15/2010]
Any police officer may arrest without warrant any person reasonably suspected of committing an offence under this Act. [16
The Minister may, by order in the Gazette, amend the Schedule. [Act 16 of 2023 wef 08/02/2024]
Sections 2(1), 8B(6)(a) and 20
“application”, in relation to the national digital identity service, means the mobile software application known as “Singpass” published under the name of “Government Technology Agency” that is registered to a user; “biometric identifier”, in relation to the national digital identity service, means an image or video, or an aggregation of images or videos, of a user’s face captured electronically through the national digital identity service; “national digital identity service” means the electronic service known as “Singpass” that is owned by the Government, by which the identity of an individual may be authenticated; “user”, in relation to the national digital identity service, means an individual who has an account registered with the national digital identity service.
(Formerly known as the Computer Misuse and Cybersecurity Act (2007 Ed.)) This Legislative History is a service provided by the Law Revision Commission on a best-efforts basis. It is not part of the Act.
Bill : 17/1993 First Reading : 18 March 1993 Second and Third Readings : 28 May 1993 Commencement : 30 August 1993
Operation : 15 March 1994
Bill : 45/1995 First Reading : 5 December 1995 Second and Third Readings : 18 January 1996 Commencement : 8 March 1996 (section 9)
Operation : 15 March 1994
Bill : 24/1998 First Reading : 1 June 1998 Second and Third Readings : 30 June 1998 Commencement : 1 August 1998
Operation : 15 December 1998
Bill : 22/2003 First Reading : 16 October 2003 Second and Third Readings : 10 November 2003 Commencement : 14 June 2004 (except section 2) 1 September 2004 (section 2)
Bill : 30/2005 First Reading : 17 October 2005 Second and Third Readings : 21 November 2005 Commencement : 1 January 2006 (section 14)
Operation : 31 July 2007
Bill : 11/2010 First Reading : 26 April 2010 Second Reading : 18 May 2010 Third Reading : 19 May 2010 Commencement : 2 January 2011 (section 430 read with item 24 of the Sixth Schedule)
Bill : 36/2012 First Reading : 12 November 2012 Second and Third Readings : 14 January 2013 Commencement : 13 March 2013
Note: The Computer Misuse Act was renamed as the Computer Misuse and Cybersecurity Act by this Act.
Bill : 15/2017 First Reading : 9 March 2017 Second and Third Readings : 3 April 2017 Commencement : 1 June 2017
Bill : 2/2018 First Reading : 8 January 2018 Second and Third Readings : 5 February 2018 Commencement : 31 August 2018 (section 49)
Note: The Computer Misuse and Cybersecurity Act was renamed as the Computer Misuse Act by this Act.
Operation : 31 December 2021
Bill : 13/2023 First Reading : 18 April 2023 Second and Third Readings : 9 May 2023 Commencement : 8 February 2024
G.N. Gazette Notification G.N. Sp. Gazette Notification (Special Supplement) L.A. Legislative Assembly L.N. Legal Notification (Federal/Malaysian) M. Malaya/Malaysia (including Federated Malay States, Malayan Union, Federation of Malaya and Federation of Malaysia) Parl. Parliament S Subsidiary Legislation S.I. Statutory Instrument (United Kingdom) S (N.S.) Subsidiary Legislation (New Series) S.S.G.G. Straits Settlements Government Gazette S.S.G.G. (E) Straits Settlements Government Gazette (Extraordinary)
This Act has undergone renumbering in the 2020 Revised Edition. This Comparative Table is provided to help readers locate the corresponding provisions in the last Revised Edition.
