Major cyberattack on Singapore’s government health database steals personal data of 1.5 million people
A major cyberattack against the Singapore government has resulted in the theft of personal data belonging to at least 1.5 million people.
The attack last Friday, against Singapore’s government health database, also saw the medical records of Prime Minister Lee Hsien Loong stolen.
This is not the first time that Singapore has been targeted. In February 2017 Singapore’s Ministry of Defence said basic personal information on 850 national servicemen and staff had been stolen from an Internet-facing network, in what it called a “targeted and carefully planned” attack.
But this time hackers have gone after health information. Singapore’s Ministry of Communications and Information (MCI) and the Ministry of Health (MOH) announced on Friday that they would convene a Committee of Inquiry (COI) to investigate the cyber-attack on SingHealth’s database.
“SingHealth’s database containing patient personal particulars and outpatient dispensed medicines has been the target of a major cyberattack,” the government announced.
“About 1.5 million patients who visited SingHealth’s specialist outpatient clinics and polyclinics from 1 May 2015 to 4 July 2018 have had their non-medical personal particulars illegally accessed and copied,” said the government.
Stolen data includes name, address, gender, race and date of birth.
“Information on the outpatient dispensed medicines of about 160,000 of these patients was also exfiltrated,” it said.
It added that the attackers “specifically and repeatedly targeted Prime Minister Lee Hsien Loong’s personal particulars and information on his outpatient dispensed medicines”.
It seems that on 4 July, IHiS’ database administrators detected unusual activity on one of SingHealth’s IT databases. They acted immediately to halt the activity. IHiS investigated the incident to ascertain the nature of the activity, while putting in place additional cybersecurity precautions. On 10 July, investigations confirmed that it was a cyberattack, and the Ministry of Health (MOH), SingHealth and CSA were informed, ahead of a public announcement on 20 July.
The hack prompted security experts to warn about the potential value of healthcare-based data, and how it must be protected properly.
“This breach is just another example of a health authority failing to protect their most important asset – data,” said Simon Cuthbert, head of international, 8MAN by Protected Networks. “Reports state this was a well-planned attack targeting 1.5 million people, a quarter of the population of Singapore. The repercussions will likely be extensive in terms of financial damage, reputational damage and customer loyalty.”
“It will be interesting, and noteworthy, to see how the authorities in Singapore respond to this breach under the PDPA (Personal Data Protection Act), the Malaysian equivalent to the EU GDPR legislation,” Cuthbert added. “As with the new EU GDPR legislation, there is the risk of high fines but also the possibility of imprisonment up to 12 months in Singapore. This will be a significant blow to the wealthy city which prides itself on its stability and security.”
Another expert stressed how important it is for organisations in every vertical to secure information with decent threat detection technology.
“For now it is unclear who is responsible for the breach or how it was undertaken,” said Javvad Malik, security advocate at AlienVault. “But it does drive home the importance for all companies across all verticals, particularly those which deal with personal data of any kind to have effective threat detection and incident response controls in place so that any such breaches can be detected quickly and stopped from turning into a large incident.”
Meanwhile another expert warned of the impact the attack could have on the people concerned.
“A breach of any type can never be underestimated, however, as this incident has resulted in the loss of health records the consequences could be devastating for individuals,” said James Hadley, CEO & Founder of Immersive Labs.
“It is no longer acceptable to stick with traditional means of security, and leave the protection of data down to those seen to be elite in the field,” said Hadley. “Every organisation, from businesses to hospitals, must create a cyber skilled workforce, to ensure they are ahead of the bad guys and make breaches like this more difficult to come by. Taking on cyber security skills at this kind of scale should be a major priority.”
This position was backed by Olli Jarva, managing consultant at Synopsys’ Software Integrity Group.
“The healthcare data breach outlines a new reality,” said Jarva. “Today, we are beginning to see a new and scary fact – healthcare data has grown its value such that hackers are now willing to go the extra mile to obtain it.”
“This has been a growing trend over the past few years, such that healthcare data has outgrown the value of credit card or social security numbers,” he said. “Are healthcare providers aware of the value of the data they are storing?”