1.5 million IC numbers stolen from SingHealth but cyber security chief says no worry

It was reported on Friday (20 Jul) that cyber hackers have broken into the computer systems of SingHealth and stolen the personal particulars of 1.5 million patients. The stolen data included confidential records of patients’ name, IC number, address, gender, race and date of birth.

Of these, 160,000 people, including PM Lee Hsien Loong and a few ministers, had their outpatient prescriptions stolen as well. SingHealth is the government entity in-charge of 4 hospitals, 5 national specialty centres and 8 polyclinics here in Singapore.

Health Minister Gan Kim Yong apologised, “We are deeply sorry this has happened.”

The cyber attack appeared to be “deliberate, targeted and well-planned”. Initial investigations showed that one SingHealth front-end workstation was infected with malware through which the hackers gained access to the data base.

SingHealth said it will be contacting the affected patients to notify them about the incident.

MOH said it has directed a thorough review of the public healthcare system to improve cyber security, and all public and private healthcare institutions have been advised to take cyber-security precautions.

Mr Iswaran, who is also Minister-in-Charge of Cyber Security, added that “we must get to the bottom of this breach”.

CSA Chief says no worry

Meanwhile, the Chief Executive of Cyber Security Agency of Singapore (CSA), David Koh, essentially told the media that there is nothing to worry about. He said the stolen information are “basic demographic data”.

“We are watching to see if anything appears on the Internet both in the open and in some of the less well-known websites,” he added, noting that this has occasionally happened in past data breaches.

“But considering the type of data that’s been exfiltrated (i.e, unauthorized transfer of data), it is – from our professional experience – unlikely that these will appear, because there is no strong commercial value to these types of data.”

In other words, he is telling the 1.5 million patients not to worry about the theft of their personal data, which includes their name, IC number, address, gender, race and date of birth.

CNA reported that the authorities know who was behind the attack. It reported, “There are only a few countries in the world who have shown this level of sophistication when it comes to cyber attacks.”

When pressed further, the CSA Chief apologised and replied, “We are not able to reveal more because of operational security reasons.”

UOB says easy to commit fraud with stolen sensitive information

However, on UOB website, it quoted a study by the Financial Crimes Enforcement Network (FinCEN) indicating that cyber attacks related to ID theft are on the rise.

“It is also alarming to note the rising trend of ID theft by people known to the victims,” UOB said.

Essentially, “ID theft” is a form of fraud in which someone assumes another person’s identity by pretending to be that person. It is usually done by cyber thieves to obtain financial gain, UOB said.

In the information sensitivity table provided by UOB below, it noted that criminals just need “low sensitivity information and 1-2 medium/high sensitivity information” to commit financial fraud:

UOB recommended, “The simple act of safeguarding your sensitive information could go a long way in protecting yourself against ID theft.”

So, going by UOB’s information sensitivity table, it appears that the cyber hackers of the SingHealth systems now possessed even information considered to be of “high sensitivity” by banks like IC numbers, thanks to the security loopholes in SingHealth.

And yet, Singapore’s cyber security chief David Koh said “there is no strong commercial value to these types of data”.