A cybersecurity incident has raised concerns after it was revealed that sensitive data associated with the Jurong Region Line (JRL) MRT stations and the Changi NEWater Factory 3 were compromised. The contractor responsible for both critical infrastructure projects, Shanghai Tunnel Engineering Co (Singapore), is currently facing scrutiny as authorities investigate the breach.
Data Compromise Involving Shanghai Tunnel Engineering Co
The breach primarily affects the civil engineering firm Shanghai Tunnel Engineering Co, which has been engaged in the construction of three key stations along the JRL and the new Changi NEWater Factory 3. While the exact timing of the incident remains unclear, the compromised data has since been identified as tender documents for the projects. These documents, however, are available on the government’s GeBIZ procurement portal, which mitigates concerns over the theft of sensitive information.
On April 27, the Land Transport Authority (LTA) responded to public queries by confirming that it was aware of the cybersecurity breach and had reported the matter to the police and other relevant authorities. In an effort to minimize potential risks, the LTA temporarily suspended the contractor’s access to its digital systems, although the breach has not been reported to have disrupted the ongoing construction of the JRL MRT stations.
Impact on Changi NEWater Factory 3
While the data breach raises alarms, the national water agency PUB (Public Utilities Board) has reassured the public that there has been no access to its digital systems by Shanghai Tunnel Engineering Co. Following an internal investigation, PUB concluded that no sensitive data related to the Changi NEWater Factory 3 had been stolen. The only data compromised were the project tender documents, which, as mentioned, are publicly accessible on GeBIZ.
A PUB spokesperson emphasized that the agency maintains a “serious view” of cybersecurity and has advised the contractor to review its security protocols. Despite extensive checks on known ransomware portals and hacker forums, no evidence of leaked data related to the breach has surfaced, alleviating some concerns among stakeholders.
Company’s Response to Cybersecurity Incident
In a statement issued on April 28, Shanghai Tunnel Engineering Co (Singapore) acknowledged the cybersecurity incident, confirming that it had taken immediate steps to contain the situation. While the company did not specify when the breach occurred, it assured the public that it was cooperating fully with the authorities. Furthermore, the company has enlisted an external cybersecurity specialist to aid in the investigation.
“We are cooperating fully with the relevant authorities and kindly request that all parties allow the investigation to proceed without interference,” a company representative said.
Shanghai Tunnel Engineering Co, established in 1996, is a well-established contractor with significant experience in MRT projects across Singapore. The firm has previously worked on various stations for the Circle, Downtown, and Thomson-East Coast lines. Its latest projects involve critical infrastructure, including the JRL stations and the Changi NEWater Factory 3.
Contract Details and Future Expectations
In 2019, Shanghai Tunnel Engineering Co was awarded a $465.2 million contract to design and build three JRL stations, Choa Chu Kang, Choa Chu Kang West, and Tengah—along with a 4.3km viaduct connecting them. This work includes integrating the existing Choa Chu Kang MRT station on the North-South Line into the JRL network.
In addition to the JRL projects, Shanghai Tunnel Engineering Co is also involved in the construction of the Changi NEWater Factory 3. In November 2025, a $205 million contract was awarded to Sanli M&E Engineering, which formed a joint venture with Shanghai Tunnel Engineering Co in February 2026. The joint venture will be responsible for several key aspects of the factory’s construction, including civil, structural, and architectural works, as well as external and building services.
The Changi NEWater Factory 3 is expected to be operational by 2028 and will replace the existing Bedok facility. Once completed, the factory will be capable of producing up to 50 million gallons of NEWater daily, contributing significantly to Singapore’s water sustainability efforts.
