Last Friday (20 Jul), when it was reported that hackers had broken into the computer systems of SingHealth and stolen the personal particulars of 1.5 million patients, including IC numbers, Singapore Cyber Security Czar BG (NS) David Koh told everyone that the stolen information was only "basic demographic data".
"We are watching to see if anything appears on the Internet both in the open and in some of the less well-known websites," he said.
"But considering the type of data that’s been exfiltrated (i.e., unauthorized transfer of data), it is – from our professional experience – unlikely that these will appear, because there is no strong commercial value to these types of data."
In other words, he is telling the 1.5 million patients not to worry about the theft of their personal data, which includes their name, IC number, address, gender, race and date of birth. They are deemed to be of "no strong commercial value" by the Czar, who was amongst the youngest to be promoted to the rank of Brigadier General at 41 when he was in the SAF.
MAS takes action despite Cyber Security Czar saying stolen data has "no strong commercial value"
Yesterday (24 Jul), the Monetary Authority of Singapore (MAS) released a public notice, saying that it has issued a circular to all financial institutions, directing them to tighten their customer verification processes, following the recent cyber attack at SingHealth.
For access to online financial services, banks in Singapore have already put in place two-factor authentication (e.g. PIN and One-Time-Password) at login to identify customers. Banks are also required to implement an additional layer of control to authorise high-risk transactions like opening of beneficial accounts, registration of third-party payee details and revision of funds transfer limits, MAS said.
"However, to address any risk that the information stolen from SingHealth may be used by fraudsters to impersonate customers and perform unauthorised financial transactions, MAS has directed financial institutions to tighten their customer verification processes," it added.
"Specifically, with immediate effect, all financial institutions should not rely solely on the types of information stolen (name, NRIC number, address, gender, race, and date of birth) for customer verification. Additional information must be used for verification before undertaking transactions for the customer."
"This may include, for instance, One-Time Password, PIN, biometrics, last transaction date or amount, etc.," it said.
MAS’ own Chief Cyber Security Officer takes a serious view of personal data being stolen
MAS has also directed all financial institutions to conduct a risk assessment of the impact of the SingHealth incident on their existing control measures for financial services offered to customers, including transaction and inquiry functions.
"Financial institutions are to take immediate steps to mitigate any risks that might arise from the misuse of the compromised information. MAS will engage financial institutions on their risk assessments and mitigation steps," MAS said.
In contrast to Cyber Security Czar BG (NS) Koh's nonchalant attitude towards the stolen data at SingHealth, Tan Yeow Seng, MAS’ Chief Cyber Security Officer, said, "MAS will work closely with the financial institutions to ensure that robust cyber defences are in place so that customers can carry out online financial transactions with confidence."
"But customers must also play their part. They must safeguard their passwords and practise good cyber hygiene. If they suspect any fraudulent transactions in their accounts, they should notify their banks immediately," Mr Tan added.