Over 120,000 individual's data compromised in two malware incident, including that of over 100,000 MINDEF/SAF personnel

The Ministry of Defence (MINDEF) and Singapore Armed Forces (SAF) have experienced malware incidents involving the personal data of several thousand MINDEF/SAF personnel as two of its vendors, HMI Institute of Health Sciences and ST Logistics, reported data breaches in their systems. In a statement on 21 December, MINDEF said that HMI Institute of Health Sciences (HMI Institute) has been contracted by the SAF since 2016 and ST Logistics has been a vendor since 1999. Both were provided with the personal data of MINDEF and SAF personnel for the provision of their services. On 21 December, HMI Institute announced in a statement that it discovered a file server that was encrypted by ransomware of 4 December which contained the personal data of over 120,000 individuals including full names, NRIC numbers, date of birth, home addresses and email addresses. Among those, approximately 98,000 are SAF servicemen who attended the Cardio Pulmonary Resuscitation (CPR) and Automated External Defibrillation (AED) course provided by HMI Institute. HMI Institute, owned by Health Management International, noted that the server was immediately taken offline and isolated from the internet and internal network. They then engaged a cybersecurity firm to investigate the incident. It was found that the attack was random and opportunistic, though there was no evidence to show that the data on the affected server was copied or exported. The statement said that there is a “low likelihood of a data leak”. Mr Tee Soo Kong, Executive Director, HMI Institute of Health Sciences said: “We take this incident very seriously and we deeply apologise to the students and applicants affected and for the inconvenience caused. Preserving their privacy and keeping their personal data safe are our highest priorities.” He added, “We have also put in place additional measures to fortify our systems against increasingly sophisticated cyber intrusions.” As for ST Logistics, the company said the breach it experienced was a result of email phishing activities sent to its employees’ email accounts. “This data, contained in working files residing in affected workstations, may have been exfiltrated,” it said. The affected systems contained the full names and NRIC numbers as well as a combination of contact numbers, emails and residential addresses of about 2,400 MINDEF/SAF personnel. In this case, MINDEF said that preliminary investigations indicate that personal data could have been leaked. ST Logistics, which is owned by Japan Post, added that it has carried out “extensive forensic investigations” via its own cybersecurity team supported by external cybersecurity experts. Both companies reported the incidents to the Personal Data Protection Commission (PDPC) and the Singapore Computer Emergency Response Team (SingCERT). PDPC is investigating both cases. MINDEF said, “MINDEF and the SAF take a serious view on the secure handling of personal data by our vendors. The security of their IT systems is an important factor that will be taken into account in the award of contracts.” It added that it is engaging other vendors who hold MINDEF/SAF personnel information to strengthen the security of their IT systems. Defence Cyber Chief Brigadier-General Mark Tan said, "The malware incidents affected the IT systems of our vendors. Although MINDEF/SAF's systems and operations were not affected, the malware incidents in these vendor companies may have compromised the confidentiality of our personnel's personal data. We will review the cybersecurity standards of our vendors to ensure that they are able to protect our personnel's personal data and information." MINDEF notes that affected personnel are being notified of the breach from 21 December onwards.

Breaches in 2019

This latest incident is yet another in a string of security breaches in Singapore this year which culminated in the formation of the Public Sector Data Security Review Committee on 1 April to review how the Government secures and protects the data of its citizens. The government said in November it will be rolling out recommendations from the committee in 80% of its systems by the end of 2021, and the remaining 20% by end of 2030. One of the cybersecurity incidents this year happened in March when Russian cybersecurity company Group-IB revealed its discovery of a massive data breach involving email log-in and passwords from several government organisations on the dark web since 2017 as well as over 19,000 compromised payment card details stolen and put up for sale by the hackers. In a statement, Group-ID revealed that the breach involved Singapore’s Government Technology Agency, Ministry of Education, Ministry of Health, the Singapore Police Force and the National University of Singapore. Also in March, insurance company AIA reported that one of its web portals containing the personal information of 200 people was found to be publicly accessible. In worse cases, the data of more than 800,000 blood donors were placed at risk over the internet due to unauthorised access by a Health Sciences Authority (HAS) vendor for over two months, also revealed in March. Earlier in January, the Ministry of Health was notified by the police that the confidential data of 14,2000 individuals in the national HIV Registry, as well as 2,4000 contacts, has been illegally disclosed online. Those were all in 2019. However, in June 2018, Singapore saw the worse cyber attack in its history which resulted in the personal data breach of 1.5 million patients of healthcare cluster SingHealth, including the information of Prime Minister Lee Hsien Loong. According to data research, the number of leaked cards has increased by 56% in 2018 compared to 2017, following a string of breaches and cyber attacks in both the public and private sector.