At the Committee of Inquiry hearing yesterday (26 Sep) on the recent SingHealth cyber attack, witnesses said they were apprehensive about raising false alarms over security incidents.
SingHealth’s cluster information security officer Wee Jia Huo testified that he understood “an incident must be confirmed before being reported” to the leader of the cyber-security governance department.
“Even a few failed attempts to log in would not be conclusive, as it could be a user who had forgotten his password trying to guess or remember his password,” Mr Wee said.
“If there were multiple persistent attempts to log in to the same server over a period of a few days, this would still not be conclusive, but it should, minimally, be investigated.”
Mr Wee also told the COI that he relied solely on another cyber-security team headed by Ernest Tan for information.
"At all times, I will seek guidance from Ernest (and his team) because they are the subject matter experts. We do not escalate incidents if they are not confirmed and may be false positives," Mr Wee said.
Data theft went unnoticed for 6 days
The cyber attack on SingHealth took place from June 27 to July 4, but it was only 6 days later, on 10 Jul, that IHiS deputy director Henry Arianto found out that 1.5 million medical records had been stolen.
Earlier, he had told others that the unusual database queries of July 4 “had returned zero results”. This was based on information from one of his team members, he said. He later decided to “double-check” the queries and found that they did indeed return results, which meant that the perpetrators must have seen and stolen the medical data. The alarm was then raised and the Cyber Security Agency was informed.
He also told the committee that he receives but does not review the audit logs daily or regularly. One of his staff would just check the logs “randomly”.
Failed log-ins should have been monitored in the first place, he said.
The hearings continue.