It’s not if, but when. Those in cybersecurity circles will understand this. As much as you want to prevent successful cybersecurity attacks, breaches will happen. How are you going to respond? How well did the Singapore government handle the massive SingHealth data breach?
The SingHealth data breach, announced yesterday (20 July) in a multi-ministry press conference, involved the personal information of 1.5 million patients; about 160,000 of them also had their outpatient dispensed medication records stolen.
This is the largest data breach Singapore has seen, and it is particularly sensitive because it happened at SingHealth, a healthcare organisation that is also the largest of the country's public healthcare groups.
Cybersecurity breaches happen. In this case, I’m a bit alarmed and disappointed about how the Singapore government dealt with the matter.
The first hint of trouble came on 4 July. According to the Ministry of Health's press release, IHiS (Integrated Health Information Systems, the public healthcare sector's IT agency) noticed unusual activity on one of SingHealth's IT databases, halted it, and put additional cybersecurity precautions in place. They kept mum on that embarrassing incident until, six days later on 10 July, they confirmed it was a cyberattack and informed the Ministry of Health, SingHealth and the Cyber Security Agency (CSA). It was another two days later, on 12 July, that SingHealth lodged a police report. This is all according to the Ministry of Health.
So by the Ministry of Health's own timeline, they knew of the cyberattack on 10 July. The public, however, was only informed yesterday, a full 10 days later. To be fair, this is a remarkable improvement over the ministry's handling of the Hepatitis C outbreak at Singapore General Hospital in 2015, where (according to the ministry) they became aware of the situation in late August 2015 but only announced it publicly on 6 October.
The 10-day wait this time isn't great at all. I can understand the ministry's need to conduct its own investigation and then decide what to do. But I can't help wondering whether much of the delay came about because the Ministry of Health felt it necessary to build a website, an SMS notification system and updates through its mobile web app before going public.
I also cannot understand why, in its press release, the Ministry of Health felt it pertinent to draw specific attention to the fact that Prime Minister Lee Hsien Loong's personal particulars, as well as information on his dispensed medication, were also affected. Is this a vain attempt to tell us ordinary citizens that even the Prime Minister was not spared in this breach, and so perhaps we peons should not kick up a fuss about the whole episode?
How timely, if you think about it, that the Prime Minister also posted on Facebook to downplay the purported specific and repeated targeting of his data.
The biggest disappointment to me is CSA chief executive David Koh's remark that the stolen data has "no strong commercial value". Excuse me, no strong commercial value? I think many others, not just me, will beg to differ.
Let’s just remind ourselves again exactly what personal data was stolen:
- Name
- NRIC number
- Address
- Gender
- Race
- Date of birth
This very clearly falls under the Personal Data Protection Act's definition of personal data (the definition the PDPC enforces). I can see how much of a treasure trove these 1.5 million records will be to telemarketers. The 160K dispensed medication records reveal even more, including embarrassing medical conditions or long-term ailments the individuals may have.
This is the chief executive of the national cybersecurity agency saying that this personal data is just "basic demographic data". It is not basic demographic data at all. Would Mr Koh give me his full name, NRIC, address and date of birth, since they are just basic demographic data?
One should also remember that the NRIC number is an excellent record identifier: a unique, lifelong key that lets this set of records be merged easily and reliably with data from other sources. Suppose there is another data set containing NRIC numbers and some financial information (credit card numbers, EZ-Link card numbers and so on) which on its own is hard to capitalise on. SingHealth's stolen data now supplies the missing pieces: name, address and date of birth.
Does CSA not understand that the stolen data already lets a malicious caller get past some "telephone verification questions"? That from the stolen data set alone one can probably also work out family members (several people with the same surname at the same address)? On this note, businesses need to rethink how they "verify" their customers. Some, like telcos, are quite happy to ask only for NRIC, address and date of birth. All, very conveniently, provided in this SingHealth breach.
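To make the two points above concrete (joining a thin data set to the breached demographics on the NRIC key, then checking what a phone-verification script could be answered with, and spotting probable households), here is an added illustration in Python. It is not code from the original post or from any of the organisations mentioned; every record in it is constructed, the names are invented and the NRIC-style values are made up and do not validate against the real scheme. The field names, the `card_last4` column and the `KBA_FIELDS` tuple are assumptions chosen for the example.

```python
from collections import defaultdict

# Constructed sample records (invented names, made-up NRIC-style values that
# are not real identifiers), shaped like the six fields the post lists.
BREACH_RECORDS = [
    {"name": "Tan Ah Kow", "nric": " s1234567a ", "address": "12 Example Ave #05-01",
     "gender": "M", "race": "Chinese", "dob": "1960-03-14"},
    {"name": "Tan Mei Ling", "nric": "S7654321B", "address": "12  example ave  #05-01",
     "gender": "F", "race": "Chinese", "dob": "1992-11-02"},
    {"name": "Lim Siew Hong", "nric": "S2468135C", "address": "88 Sample Rd #10-22",
     "gender": "F", "race": "Chinese", "dob": "1975-07-30"},
]

# Constructed second data set: an identifier plus a card fragment, which on
# its own is of limited use (think a loyalty or stored-value card dump).
OTHER_RECORDS = [
    {"nric": "S1234567A", "card_last4": "4242"},
    {"nric": "S9999999Z", "card_last4": "1111"},   # no counterpart in the breach set
]

# Assumed set of fields a telco-style phone verification might ask for.
KBA_FIELDS = ("nric", "address", "dob")


def normalise_id(value):
    """Canonical form of the identifier so sloppily stored copies still join."""
    return "".join(value.split()).upper()


def normalise_address(value):
    """Collapse whitespace and case so one address groups together."""
    return " ".join(value.split()).upper()


def link_records(breach, other, key="nric"):
    """Join two data sets on the shared identifier; return the enriched rows."""
    index = {normalise_id(r[key]): r for r in breach}
    linked = []
    for row in other:
        ident = normalise_id(row[key])
        hit = index.get(ident)
        if hit is None:
            continue                      # identifier absent from the breach set
        merged = dict(hit)
        merged[key] = ident
        merged.update({k: v for k, v in row.items() if k != key})
        linked.append(merged)
    return linked


def can_answer_kba(record, fields=KBA_FIELDS):
    """True if the record supplies an answer for every verification field."""
    return all(record.get(f) for f in fields)


def probable_households(breach):
    """Group by address; several records at one address sharing a surname is a
    strong hint of a family. Returns {normalised address: [names]}."""
    by_addr = defaultdict(list)
    for r in breach:
        by_addr[normalise_address(r["address"])].append(r)
    households = {}
    for addr, rows in by_addr.items():
        surnames = {r["name"].split()[0] for r in rows}   # Chinese names: surname first
        if len(rows) > 1 and len(surnames) == 1:
            households[addr] = [r["name"] for r in rows]
    return households


if __name__ == "__main__":
    for rec in link_records(BREACH_RECORDS, OTHER_RECORDS):
        print(rec["name"], rec["nric"], "card ****" + rec["card_last4"],
              "answers KBA:", can_answer_kba(rec))
    print("probable households:", probable_households(BREACH_RECORDS))
```

The join succeeds even though the two sets store the identifier with different casing and stray whitespace, which is why a stable national ID is such a convenient key for an attacker; the surname heuristic is deliberately simple and will miss married couples with different surnames, but it is enough to show that the breached set leaks relationships as well as individuals.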
The government had a full 10 days to figure out what to do and what to say. I'm alarmed at how much the multi-ministry response seems focused on downplaying the breach. Apart from learning to improve our cybersecurity from this incident, we should also learn how to improve our incident handling and public communication.
The delay also bought time to brief their IB to reply to criticisms and attack those who raise the same points as in this article.
I get the need for the government to downplay the entire thing to save face, but goddamn, pretending the leak of names, NRICs and other personal information has no serious consequences?
And that this statement came from the head of the nation’s cyber security agency and not some random uncle off the streets?
Fucking embarrassing. I'm speechless that this is honestly the best response they could come up with in those 10 days.
They could remind the public of the need to use strong passwords (e.g. not using details from DOBs or addresses), how to look out for signs of identity theft, and what the general public could do now instead of waiting for a useless SMS from SingHealth, but nope.
Just a sidenote: local healthcare organisations have all their employees drilled about keeping patient data confidential, and all unused patient labels (which contain all the information that has been stolen, i.e. name, NRIC, DOB, address, race) have to be shredded because they could get misused for malicious intent, but yeah, this data breach is definitely not anything serious at all.
Could you elaborate what the commercial value of the data lost is? Without the phone number, I’m curious how telemarketers would use it.
Don’t limit your imaginations to telemarketers. 🙂 Google has loads of articles but to jumpstart your research:
https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/what-do-hackers-do-with-your-stolen-identity
https://www.reuters.com/article/us-cybersecurity-hospitals/your-medical-record-is-worth-more-to-hackers-than-your-credit-card-idUSKCN0HJ21I20140924
Hmm, I think the mention about the PM's records being affected is probably because they had to account to the media that he was repeatedly targeted. And the media being the media are just going to highlight this as the most important thing because it's newsworthy to them.
I'd say the media is also partly responsible for the reporting of the news. The PM is the most newsworthy to them!!
Thought PM Lee was mentioned because he was specifically targeted? If so, it's quite obvious they should name him, right? Clearly someone is out to create trouble for Singapore.
Oh well, this incident is a good lesson to everyone to take cyber and personal security more seriously. Stop giving out personal info for lucky draws and shop memberships. Set secure and different passwords for each account. And businesses should definitely check and secure their systems regularly. SingHealth didn't do a good job, and now CSA has to come in and settle it for them...
The breach was at a government agency. What happens if it were at a non-government company or private agency? Fines, compensation, court proceedings?
Ever wonder why even Bill Gates uses Linux as the server to run his whole housing complex and the security in his house? Wake up, bro.