Zit Seng's Blog

A Singaporean's technology and lifestyle blog

Gathering Intel on SAF Personnel

_DSC1528Last week we had M1 and K Box exposing personal data. Let’s up the ante a little. How about military data? Suppose you are the enemy, wanting to gather some intelligence on the Singapore Armed Forces (SAF). Say, for example, you want to get a name list of everyone who enlists into the SAF every year, and which unit of the SAF they enlist into. Sounds like the job for a pro hacker?

This type of information, you’d expect, will not be easy to get. Military manpower information ought to be guarded intelligence. It may be possible that some little snippets of information leaks out here and there, like a platoon sharing its name list somewhere. But you’d not expect to easily acquire an authoritative and systematic listing of such information on a wide scale.

Well, it turns out, the SAF will happily hand over the information. The list of each batch of BMT graduating recruits is published on their website. The information includes full name and photograph, organised by school/unit, company, platoon and section level details. To say I was shocked would be an understatement.

bmtc-shadow

Someone probably thought this was a clever idea, like photos of graduates at a university commencement ceremony. However this is not university graduation. This isn’t completion of active national service. It’s just passing out of BMT.

The important question, though, is if the security implications have been properly considered. Furthermore, it’s puzzling to me why they will want to continue to keep archives of not-so-current graduating batches online.

Armed with some basic scripting skills, one can easily crawl Mindef’s website to scrape a comprehensive database of SAF recruits.

For the record, I emailed a question to Mindef about this matter some time ago. They sat on my email for two weeks. I eventually got a reply that seem to suggest they do, indeed, think this was a clever initative that has been well received.

Okay. Someone did think this was a clever idea.

The cases with M1 and K Box are about the compromise of individual’s personal data and privacy. This is different. This is, to me, a matter of organisational security. Soldiers are not customers, they are strategic resources of the organisation.

In case you’re wondering how I got to know about the information, well, I thank Google for it. Yes. It’s on Google.

Leave a Reply

Your email address will not be published. Required fields are marked *

View Comment Policy