Shanghai Tunnel Engineering Co: Cybersecurity incident at contractor building JRL stations and NEWater factory

Cybersecurity Incident Hits Contractor for Singapore’s Jurong Region Line and NEWater Projects

A cybersecurity breach has been reported at Shanghai Tunnel Engineering Co (Singapore), the contractor responsible for constructing three stations on Singapore’s Jurong Region Line (JRL), namely Choa Chu Kang, Choa Chu Kang West, and Tengah, as well as the Changi NEWater Factory 3.

The compromised data pertains to both projects, though the exact timing of the breach remains unclear. While the Land Transport Authority (LTA) confirmed awareness of the incident and reported it to the police and relevant authorities, it stated that construction of the JRL has not been affected. As a precaution, the LTA has temporarily revoked the contractor’s access to its digital systems.

The Public Utilities Board (PUB), Singapore’s national water agency, confirmed that Shanghai Tunnel Engineering Co (Singapore) had no access to its systems. Its investigation found that no sensitive data related to the Changi NEWater Factory 3 was stolen, with the exposed information limited to project tender documents, which are publicly available on the government procurement portal GeBIZ. The PUB has since reminded the contractor to review its cybersecurity measures.

No evidence of the stolen data has surfaced on ransomware portals or hacker forums, according to checks by The Straits Times. Shanghai Tunnel Engineering Co (Singapore), established in 1996, has worked on multiple MRT projects, including stations for the Circle, Downtown, and Thomson-East Coast lines. In 2019, it secured a $465.2 million contract for the JRL stations and a 4.3km viaduct linking them, integrating the existing Choa Chu Kang station into the new line.

For the Changi NEWater Factory 3, the company entered a joint venture with Sanli M&E Engineering in February 2026 after the latter was awarded a $205 million contract in November 2025. The project, expected to be completed in 2028, will replace the Bedok facility and produce up to 50 million gallons of NEWater daily. The contractor’s scope includes civil, structural, and architectural works but excludes the building management system.

Source: https://www.straitstimes.com/singapore/contractor-building-jrl-stations-and-newater-factory-hit-by-data-breach

Shanghai Tunnel Engineering Co TPRM report: https://www.rankiteo.com/company/shanghai-tunnel-engineering-co-ltd-

"id": "sha1777343500",
"linkid": "shanghai-tunnel-engineering-co-ltd-",
"type": "Breach",
"date": "4/2026",
"severity": "25",
"impact": "1",
"explanation": "Attack without any consequences"
{'affected_entities': [{'customers_affected': 'Land Transport Authority (LTA), '
                                              'Public Utilities Board (PUB)',
                        'industry': 'Construction/Infrastructure',
                        'location': 'Singapore',
                        'name': 'Shanghai Tunnel Engineering Co (Singapore)',
                        'type': 'Contractor'}],
 'data_breach': {'personally_identifiable_information': 'No',
                 'sensitivity_of_data': 'Low (publicly available on GeBIZ)',
                 'type_of_data_compromised': 'Project tender documents'},
 'description': 'A cybersecurity breach has been reported at Shanghai Tunnel '
                'Engineering Co (Singapore), the contractor responsible for '
                'constructing three stations on Singapore’s Jurong Region Line '
                '(JRL) and the Changi NEWater Factory 3. The compromised data '
                'pertains to both projects, though the exact timing of the '
                'breach remains unclear. The LTA confirmed awareness of the '
                'incident and reported it to the police and relevant '
                'authorities. The PUB confirmed no sensitive data related to '
                'the Changi NEWater Factory 3 was stolen, with exposed '
                'information limited to project tender documents.',
 'impact': {'data_compromised': 'Project tender documents',
            'operational_impact': 'No impact on JRL construction or NEWater '
                                  'operations',
            'systems_affected': 'Contractor’s digital systems (temporarily '
                                'revoked by LTA)'},
 'initial_access_broker': {'data_sold_on_dark_web': 'No evidence found'},
 'investigation_status': 'Ongoing',
 'recommendations': 'Review cybersecurity measures',
 'references': [{'source': 'The Straits Times'}],
 'regulatory_compliance': {'regulatory_notifications': 'Reported to relevant '
                                                       'authorities'},
 'response': {'containment_measures': 'Temporary revocation of contractor’s '
                                      'access to LTA digital systems',
              'law_enforcement_notified': 'Yes (reported to police)',
              'remediation_measures': 'Review of cybersecurity measures by '
                                      'contractor'},
 'title': 'Cybersecurity Incident Hits Contractor for Singapore’s Jurong '
          'Region Line and NEWater Projects',
 'type': 'Data Breach'}