A cyber attack on Singapore’s largest health group has leaked the personal information of 1.5 million people, including Prime Minister Lee Hsien Loong.
The entire population of Singapore is only around 5.8 million, meaning that over a quarter of citizens had their data exposed. For the majority, the information leaked consisted of name, NRIC number, address, gender, race and date of birth. However, 160,000 individuals, including the prime minister, also had data exposed relating to the dispensation of medication. The information leaked appears to relate to patients who visited SingHealth specialist outpatient clinics and polyclinics from 1 May 2015 to 4 July 2018.
According to a joint press release from the Ministry of Health and the Ministry of Communications and Information, “The attackers specifically and repeatedly targeted Prime Minister Lee Hsien Loong’s personal particulars and information on his outpatient dispensed medicines.”
“I don’t know what the attackers were hoping to find. Perhaps they were hunting for some dark state secret, or at least something to embarrass me,” the prime minister wrote on Facebook. “My medication data is not something I would ordinarily tell people about, but there is nothing alarming in it.”
Other ministers also had their data exfiltrated. It’s possible that this was coincidental, due to the large number of accounts accessed; however, they were also among the much smaller group who had their medication data leaked, which may indicate that they were also deliberately targeted.
“This is the most serious breach of personal data that Singapore has experienced,” said S. Iswaran, Minister for Communications and Information and Minister-in-Charge of Cyber Security. In response to the incident, he will be establishing a Committee of Inquiry to conduct an independent external review.
Investigations into the incident were carried out by the Cyber Security Agency of Singapore (CSA) and the Integrated Health Information System (IHiS), and confirmed that the attack was deliberate, targeted and well-planned, and “not the work of casual hackers or criminal gangs.” Many have taken this to imply that the attack is thought to have been state-sponsored. A police investigation into the breach is still ongoing.
The investigation by CSA and IHiS, prompted by the detection of unusual activity on one of SingHealth’s IT databases on 4 July, found that data had been exfiltrated from 27 June 2018 to 4 July 2018. Monitoring resulted in the observation of “further malicious activities”, but exfiltration ceased on 4 July, all patient records are thought to be intact, and healthcare services were not disrupted. Further security measures have been implemented, and are also being implemented for IT systems across the public healthcare sector.
According to the investigation, the attackers were able to gain access to the SingHealth IT system via an initial breach on a front-end workstation. They subsequently managed to obtain privileged account credentials, which were used to gain privileged access to the database.
SingHealth will be alerting any patients whose data may have been compromised, and notifying those who definitely had their data leaked. Patients can also check whether their data has been exposed via the Health Buddy mobile app or the SingHealth website.