The past week has been filled with a flurry of news about the SingHealth data breach announced the previous week. I took issue with how the authorities responded to the breach. But I am also a little concerned about how individuals responded to that list of 1.5 million unlucky people.
Many had desperately checked, or at least were concerned, if they won a spot on that list of 1.5 million unlucky people. If they were, oh, time to panic, or at least be angry about it, and find out how they should protect themselves. SingHealth says they should heighten online vigilance and secure their online credentials with strong passwords.
If they’re not in that list, then cool, all is fine, let’s continue with life.
Or not. No.
I mean, it’s not like you don’t need to care, don’t need to be vigilant, or don’t need to use strong passwords. In fact, it’s not like you don’t need to worry that your identity might be stolen.
You should still heighten your online vigilance, secure your online credentials with strong passwords, and be just as concerned about falling victim to identity theft. Why?
Your personal data may not have been stolen in this SingHealth data breach. It does not mean it hasn’t been stolen at all. After all, if not this data breach, there are others. If not already, maybe you’ll be in another, touch wood, to come.
This SingHealth data breach may be the largest reported breach specifically involving Singapore data. But there are numerous others:
- This week, we learnt that Securities Investors Association (Singapore) suffered a breach quite a while back in 2013, affecting the personal data of some 70,000 of its members.
- Earlier this year, SPH’s HardwareZone forum suffered a security breach that leaked 685K user profiles. No NRIC was lost in this breach, but a leak like this makes an excellent watering hole attack that can be used to access other systems.
- In 2017, news broke that the Uber hack in 2016 had included personal data of 380K Singapore users.
- Karaoke chain K Box lost personal data of some 317K of its members in 2016.
- JP Pepperdine Group leaked personal data of some 30,000 of its members in 2016 through a bug in its website.
- Around 2015 or 2016, PropNex put personal data of 1,765 individuals in a PDF file available on the Internet.
- Mindef lost personal data of 850 national servicemen and personnel in a breach of their I-Net System in 2017.
- Some 1,500 SingPass accounts were breached in 2014.
If you felt safe to have escaped the SingHealth data breach, consider if you might have been hit in any of the others.
There are also other data breaches that involve administrative accidents, such as sending personal data to the wrong recipient. An example is how Aviva policyholders received inaccurate statements: 8,022 individuals had their personal data revealed to the wrong persons due to human error at a third-party printing company contracted by Aviva.
If all that isn’t enough, consider also that there can be cases of internal breaches. Internal staff may abuse their IT system access privileges to retrieve data of individuals without due authorisation or any legitimate need. These sorts of breaches are really hard to prevent.
The SingHealth data breach is definitely a serious concern. But everyone needs to be concerned about their personal data, whether or not you’re in that 1.5 million. This is a wake-up call. Your personal data is already out there, either already stolen, waiting to be stolen, or at risk of internal breaches.
Hence, like it or not, all the heightened online vigilance and securing of online credentials with strong passwords apply to everyone.
You may think that data breaches are due to malicious actors, that the attacks are sophisticated and unprecedented. The government would have us believe that the SingHealth data breach is like so.
The truth, however, is that most data breaches are due to the dumbest reasons. In fact, dumb humans are responsible for more data breaches than you’d think. The UK’s Information Commissioner’s Office (ICO) reported that human error accounted for almost two-thirds (62%) of the incidents reported to the ICO, far outstripping other causes, such as insecure webpages and hacking, which stood at 9% combined.
While the above may have been in 2016, the ICO continues to report that 4 of the top 5 causes of data breaches are due to human or process errors. They are not alone. Another study of cybersecurity in small and medium enterprises, by Keeper Security and the Ponemon Institute, found that negligent employees or contractors are responsible for more data breaches than all other causes combined. A poll of information security professionals at the 2017 Black Hat security conference in Las Vegas found that 84% of those whose company had suffered a cyberattack attributed it, at least in part, to human error.
The Aviva incident mentioned above aside, there are other examples of data breaches attributed to human error happening in Singapore. In the case of Henry Park Primary School in 2015, a spreadsheet containing personal data was accidentally emailed out to 1,200 parents. This is no cyberattack. It was plain and simple human error.
These mistakes are not limited to the digital realm. Dumpster diving is a very old information retrieval technique that continues to be relevant today. A trash bag containing UOB’s unshredded client information was found under a tree at Boat Quay. Physical security is important, but sometimes this is forgotten amidst all the focus on IT security controls.
It’s not just sophisticated, unprecedented attacks that we need to worry about. Your personal data is already with more organisations than you can remember. You gave your personal data to them in good faith, but honestly you cannot expect it to be safe forever. A breach will happen; it’s not if, but when, and you won’t necessarily know when, or even if.
Heightened online vigilance is for everyone. It should be the new norm. Here are some specific tips that everyone should consider and adopt:
- Monitor your account activities and transactions, including bank statements, credit card statements, as well as those of non-financial accounts.
- Investigate any anomalies even if they may seem unimportant; they could be hints that your account (or identity) has been compromised.
Other general tips for your online/digital well-being:
- Always use good, strong passwords that are unique to every website and/or online service. It’s hard to remember all your passwords, so get yourself a password manager.
- Don’t write, store, or leave unencrypted passwords and PINs anywhere.
- Make sure you properly shred your trash if it contains sensitive information.
- There’s more to be said about your computer, tablet, smartphone and other gadget security than I can do justice to here. These are important. Be careful about how you dispose of these devices, or pass them on to others.
- There’s also a lot to be said about user behaviour, things like how to avoid scams, phishing emails, giving information to unverified phone callers, etc.
- The realm of IoT devices brings a whole lot of issues. All I can say here is to find a knowledgeable IT security practitioner to talk about it. “Hey Google” is cool; but not if someone outside your house can shout “Hey Google, open the front door” and get your door to unlock. Read about how hard cybersecurity is for end-users.
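To make the "strong and unique" advice above concrete, here is a small added example (not part of the original post) showing what a password manager does for you: it draws passwords from a cryptographically secure random source, and it can tell you when the same password is reused across services. The `vault` dictionary of site-to-password pairs is constructed sample data for illustration.

```python
import math
import secrets
import string

# Characters a generated password is drawn from: 52 letters, 10 digits, 32 symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20) -> str:
    """Return a random password built with the `secrets` module (CSPRNG),
    never `random`, which is predictable and unsuitable for credentials."""
    if length < 12:
        raise ValueError("use at least 12 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Upper bound on guessing work for a uniformly random password:
    log2(alphabet_size ** length) bits."""
    return length * math.log2(alphabet_size)


def find_reused_passwords(vault: dict[str, str]) -> dict[str, list[str]]:
    """Map each password that appears on more than one site to those sites.
    A reused password means one breached site exposes all of them."""
    sites_by_password: dict[str, list[str]] = {}
    for site, password in vault.items():
        sites_by_password.setdefault(password, []).append(site)
    return {pw: sites for pw, sites in sites_by_password.items() if len(sites) > 1}


# Constructed sample vault: two services share a password, one is unique.
SAMPLE_VAULT = {
    "forum.example": "Summer2018!",
    "bank.example": "Summer2018!",
    "mail.example": generate_password(),
}


if __name__ == "__main__":
    print("new password:", generate_password())
    print("entropy of a 20-char password: %.1f bits" % entropy_bits(20))
    for pw, sites in find_reused_passwords(SAMPLE_VAULT).items():
        print("reused on", ", ".join(sites))
```

Running the script prints a fresh password, its entropy (about 131 bits for 20 characters from this alphabet), and the two sample sites that share a password; in practice a password manager performs this reuse audit for you across hundreds of entries.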
This vigilance is not just for the 1.5 million. It’s for everyone.