SingHealth Cyber Attack – Data Breach

On 20th July 2018, I received a few notifications on my TODAY app, with a heading that caught my attention: SingHealth had suffered a cyberattack. At a press conference, the Health Minister and the Communications and Information Minister, accompanied by a few other officials, gave details on this cyberattack. There were 1.5 million people who were affected by this cyberattack on SingHealth’s database.

When I returned home that night, I decided to read up more on the SingHealth cyber attack news. While reading the news, I realised that I could be one of the 1.5 million affected people mentioned, since I had visited a SingHealth specialist outpatient clinic for follow-up over the past few years. Thereafter, I logged in with my SingPass and yes, the status showed my non-medical personal data was accessed in the cyberattack.

A mix of anger and disappointment filled my mind and brain when I became part of the 1.5 million affected people statistics. The personal data that was accessed during the cyber attack could be used by other parties in situations that might have a bigger detrimental impact and consequences beyond our imagination.

What Data was taken?

  • Name
  • NRIC Number
  • Address
  • Gender
  • Race
  • Date of Birth

From the Singapore Government website news release:

5) Should you be worried?

In short, not really, said the authorities. CSA chief executive David Koh said the stolen information are “basic demographic data”. 

“We are watching to see if anything appears on the Internet both in the open and in some of the less well-known websites,” he added, noting that this has occasionally happened in past data breaches.

“But considering the type of data that’s been exfiltrated, it is – from our professional experience – unlikely that these will appear, because there is no strong commercial value to these types of data.”

Source: https://www.gov.sg/news/content/channel-newsasia—singhealth-cyberattack-what-you-need-to-know

What can you do with the “basic demographic data”???

With your name, NRIC number and date of birth, a hacker/identity thief can do a lot of things with the three pieces of information. The most disturbing statements released by Cyber Security Agency Chief Executive David Koh are “the stolen information are “basic demographic data”” and “there is no strong commercial value to these types of data”.

I am not an information technology/computer science qualified/certified expert. However, with my current IT knowledge, strong interest and coverage in technology stuff since I started learning about computers and technology (on the B2C and B2B levels), the stolen “basic demographic data” is now at the mercy of other people who can/might make use of our data at the expense of our well-being, for their greed and exploitation.

What do I need to do or take note of if I am one of the 1.5 million people whose personal data was breached?

Paul Ducklin, Senior Technologist at Sophos said, “The data stolen in this breach is an identity thief’s goldmine. It’s a startling reminder to all Singaporeans that there is no such thing as ‘cyber attackers would never care about little old me’ – once your data is scooped up in a cybersecurity blunder of this sort, you simply can’t control where it will go next. Anyone affected in this breach has no choice but to assume that their personal information will end up for sale in the cyber underground, ready for active abuse by cybercrooks.”

Ducklin recommends:

  1. Keep a careful watch over all your financial statements – bank accounts, payment cards, loans, pension funds, taxation records and so on. Report any suspicious activity immediately. (But please read points 3 and 4 below!)
  2. Talk to your financial institutions about locking down account details in order to make it harder for cyber criminals to try to take over your accounts or to apply for services in your name.
  3. Be especially suspicious of unsolicited communications that arrive in the wake of this breach offering any sort of help or asking for further details “to assist in the investigation.” Social engineers and scammers are experts at preying on people’s fears (and their willingness to help) after security incidents of this sort.
  4. If you need help or advice on what to do next, don’t use contact information, web links or phone numbers that were sent to you online – look for contact information on existing invoices, on printed correspondence you received in the past, or by visiting an organisation’s office in person.

“Whether this was a lone hacker who got lucky, a well-oiled cybercrime gang or a state-sponsored attack team won’t get your personal data back, and it won’t change the fact that you can’t control who gets it next. Keep your own eyes open for any attempt to abuse your personal data in the future,” says Ducklin.

A big thank you to Paul Ducklin, Senior Technologist at Sophos, for this commentary and to Lewis PR for sharing this valuable piece of commentary, which allows me to share this invaluable piece of advice with all the 1.5 million people affected by this serious data breach.

There have been a number of thoughts and views shared on the recent SingHealth cyber attack issue.

Fellow technology blogger Zit Seng wrote and shared his thoughts and views on the SingHealth data breach. You can read them below; they are definitely worth a read:

Split Milk and SingHealth Data Breach – https://zitseng.com/archives/16548

SingHealth Data Breach is Serious – https://zitseng.com/archives/16534

Don’t miss the YouTube video and podcast by mrbrown (the Blogfather of Singapore) on the SingHealth cyber attack issue!

Kim Huat Thought of the Day – Cyber Security YouTube video – https://www.youtube.com/watch?v=NxolUCsAu2s

The mrbrown Show: cyber army songs – https://anchor.fm/mrbrown/episodes/the-mrbrown-show-cyber-army-songs-e1rvr5/a-a4gmvv

At the point in time when I wrote and published this article, this SingHealth data breach and cyber attack issue had generated quite a lot of talk and discussion on social media platforms and the internet. Some were pointing fingers, bashing and scolding the government; some voiced their concerns and disappointments. On his FB page, Calvin Cheng wrote a post that I felt made valid observation points for all to read, view and understand.

It’s easy to point fingers, scold and blame people, so let’s not get too carried away. Health Minister Gan Kim Yong had apologised during the multi-ministry press conference and the government is taking action on reviewing and improving cyber security, although I am still not pleased with the words the Cyber Security Agency Chief Executive used during the press conference.

On a macro level, the government is doing their part; I reckon they have a lot of work to do to improve their cybersecurity. On a micro level, we all have a part to play too in our own personal cyber security, whether it is your own personal data, social media accounts, emails, etc.

We all can learn some invaluable lessons from this cyber attack and data breach, on both the macro and micro levels. It is not just for the government; everybody down at the ground level has a part to play in personal cyber security. I hope the above commentary shared by Paul Ducklin, Senior Technologist at Sophos, will be useful for all to learn from and to implement your own personal cyber security measures.

Cyber attacks have happened before; they will not stop or go away, and they might/will still happen in the future. Therefore, let’s not let our guard down, and let’s always be alert and mindful of our own personal cyber security measures.

Links to SingHealth Cyber Attack articles and related medical records articles

https://www.straitstimes.com/singapore/method-of-attack-showed-high-level-of-sophistication

https://www.straitstimes.com/singapore/personal-info-of-15m-singhealth-patients-including-pm-lee-stolen-in-singapores-most

Your medical record is worth more to hackers than your credit card http://reut.rs/1uomzzv
