Singapore’s worst data breach, which exposed the personal data of 1.5 million people, results in fines totalling S$1 million
January 21, 2019 |
In July 2018 the Singaporean Government announced that a cyber attack had compromised the personal data of 1,495,364 people and led to the outpatient prescription information of nearly 160,000 of them being “exfiltrated”.
In a 52-page decision the Personal Data Protection Commission (PDPC) found significant flaws in the processes of Singapore Health Services Pte Ltd (SingHealth) and Integrated Health Information Systems Pte Ltd (IHiS).
The attackers infected workstations with malware and moved laterally within the SingHealth network between December 2017 and May 2018, escaping detection through skilled and sophisticated techniques.
Once inside the network the attackers used inactive administrator accounts to log in remotely to a server that held a link to the system hosting SingHealth’s electronic medical records (EMR). Between 27 June and 4 July 2018 they made multiple attempts to access data in the EMR system via that link.
These attempts were finally detected on 4 July and terminated by a database administrator at IHiS.
The PDPC’s report identified failings in how both IHiS and SingHealth responded to the incident, including:
- neither the chief executive of IHiS nor SingHealth’s group chief information officer was alerted to the breach until the night of 9 July 2018;
- SingHealth’s cluster information security officer (CISO) was aware of the attackers’ earlier activity. The report states: “Even though the SingHealth CISO was informed of suspicious activities showing multiple failed attempts to log in to the … database using invalid credentials, or accounts that had insufficient privileges in mid-June 2018, and the attack and remediation efforts on 4 July 2018, the SingHealth CISO did not escalate these security events”;
- SingHealth’s CISO did not comply with the incident response policy and failed “…to understand the significance of the information provided to him or to grasp the gravity of the events that were happening”.
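The failure described in the report was one of escalation rather than of visibility: the signals it lists (repeated failed logins to the EMR database with invalid credentials or insufficient privileges, and remote logins through administrator accounts that had been inactive for months) are exactly what a monitoring rule can surface and turn into a mandatory escalation. The following is an added example written for this post; it is not code from the PDPC report, IHiS or SingHealth. The log line format, account names, addresses, last-login directory, burst threshold and dormancy threshold are all assumptions chosen for illustration, and the log lines are constructed.

```python
"""
Added example: turn the two signals named in the PDPC report into detection
logic with an explicit escalation decision.  Log format, account names, hosts,
last-login data and thresholds are assumptions, not data from the incident.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample database-authentication log (assumed format:
# "<ISO timestamp> <account> <source IP> <OK|FAIL> <reason or ->").
SAMPLE_LOG = """\
2018-06-26T22:01:03 emr_admin3 10.10.5.41 FAIL invalid_credentials
2018-06-26T22:01:45 emr_admin3 10.10.5.41 FAIL invalid_credentials
2018-06-26T22:03:10 emr_admin3 10.10.5.41 FAIL insufficient_privileges
2018-06-26T22:04:20 emr_admin3 10.10.5.41 FAIL insufficient_privileges
2018-06-26T22:06:58 emr_admin3 10.10.5.41 FAIL invalid_credentials
2018-06-26T22:08:30 emr_admin3 10.10.5.41 FAIL insufficient_privileges
2018-06-26T22:09:00 svc_legacy 10.10.5.41 OK -
2018-06-27T08:15:00 drtan 10.20.1.7 FAIL invalid_credentials
2018-06-27T08:15:40 drtan 10.20.1.7 OK -
2018-06-27T09:30:00 drlee 10.20.1.9 OK -
"""

# Assumed directory data: last successful login before this log window.
LAST_LOGIN = {
    "emr_admin3": datetime(2017, 12, 1),   # admin account unused for months
    "svc_legacy": datetime(2017, 9, 10),   # service account unused for months
    "drtan": datetime(2018, 6, 25),
    "drlee": datetime(2018, 6, 26),
}


def parse_log(text):
    """Parse the assumed whitespace-separated format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, outcome, reason = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "src": src, "outcome": outcome, "reason": reason})
    return events


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Per (account, source), the largest number of failures inside any
    sliding window; returns only pairs at or above the threshold."""
    by_key = defaultdict(list)
    for e in events:
        if e["outcome"] == "FAIL":
            by_key[(e["user"], e["src"])].append(e["ts"])
    alerts = {}
    for key, times in by_key.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts[key] = best
    return alerts


def dormant_account_activity(events, last_login, dormant_days=90):
    """Any authentication attempt (success or failure) by an account whose
    last known login is older than dormant_days is reported."""
    alerts = {}
    for e in events:
        prev = last_login.get(e["user"])
        if prev is None:
            continue
        gap = e["ts"] - prev
        if gap > timedelta(days=dormant_days):
            a = alerts.setdefault(e["user"], {"first_seen": e["ts"],
                                              "dormant_days": gap.days,
                                              "events": 0})
            a["events"] += 1
    return alerts


def analyse(log_text, last_login):
    """Run both detections; either signal is grounds for escalation."""
    events = parse_log(log_text)
    bursts = failed_login_bursts(events)
    dormant = dormant_account_activity(events, last_login)
    return {"bursts": bursts, "dormant": dormant,
            "escalate": bool(bursts) or bool(dormant)}


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG, LAST_LOGIN)
    for (user, src), n in result["bursts"].items():
        print(f"burst: {n} failed logins for {user} from {src}")
    for user, a in result["dormant"].items():
        print(f"dormant: {user} active after {a['dormant_days']} days "
              f"({a['events']} events, first {a['first_seen']})")
    print("ESCALATE" if result["escalate"] else "no action")
```

The point of the `escalate` flag is that the decision is made by the rule, not left to an individual's reading of the alerts; a single clinician mistyping a password (`drtan` above) trips neither detection, while a burst of failures from one source against an administrator account that has not logged in for months trips both.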
On past performance the Singaporean data protection regulator has a reputation for being neither the most effective nor the most proactive of regulators, and the legislation is flawed in that it does not apply to Government agencies. On this occasion it has acted effectively. Given that the breach affected a sizeable portion of the Singaporean population, a sizeable fine was appropriate.
The media coverage has been widespread and, as is usual in cases of this nature, embarrassing, including ZDNet’s “Firms fined $1M for SingHealth data security breach”, the Singaporean paper the Straits Times’ “Singapore’s privacy watchdog fines IHiS $750,000 and SingHealth $250,000 for data breach” and the Independent’s “S$750,000 fine imposed on IHiS, S$250,000 fine on SingHealth, due to country’s worst security breach”.