Following a spate of security breaches affecting healthcare patients in the country, another Singapore public sector agency has reported that personal information of 808,201 blood donors was left vulnerable after a third-party vendor failed to securely protect a server containing the data. The database had contained registration-related information such as donors’ name and national identification number and, in some instances, blood type and weight.
The external contractor, Secur Solutions Group, was provided the data for updating and testing and stored the information in a web-connected server on January 4 this year, according to the Health Sciences Authority (HSA), which was made aware of the security hole on March 13.
The Singapore government agency said in a statement on Friday that a cybersecurity expert had uncovered the vulnerability and alerted the Personal Data Protection Commission (PDPC). The health agency said one of Secur’s servers had contained the database, but “was not adequately safeguarded against access over the internet” and the vendor had failed to implement adequate measures to prevent unauthorised access.
It added that the system did not contain other medical or contact information.
A police report was made and the access to the database was disabled, HSA said. It noted that the cybersecurity expert who reported the vulnerability had said he would not publish the contents in the database and was working with the agency on deleting the data.
Citing preliminary findings and its review of the database logs, HSA said no other unauthorised individual had accessed the database.
HSA CEO Mimi Choong apologised for the security lapse and said the agency was stepping up checks and monitoring its vendors.
In a note to donors, it said Secur’s failure to properly secure its server was “done without HSA’s knowledge and approval” and “contrary to its contractual obligations” with the agency.
In a reply to a public member earlier this month, the PDPC said it currently was reviewing the country’s Personal Data Protection Act to “keep pace” with the needs of businesses and individuals. Its proposed updates included a mandatory breach notification regime, However, it also noted that the public sector was not governed by the PDPA and was, instead, separately regulated by the Public Sector (Governance) Act.
Investigation into the July 2018 incident reveals tardiness in raising the alarm, use of weak administrative passwords, and an unpatched workstation that enabled hackers to breach the system as early as August last year.
Hackers that compromised the data of 1.5 million healthcare patients have been identified as a group that launched attacks against several organisations based in Singapore, including multinational firms with operations in the country, and is likely part of a larger operation targeting other countries and regions.
Monetary Authority of Singapore is looking to introduce changes to existing technology risk and business continuity management guidelines that will require financial organisations to implement more measures, including cyber surveillance, to boost operational resilience.
Government unveils plans to include a framework, as part of a review of the country’s Personal Data Protection Act, that aims to ease data flow between service providers while giving consumers “greater control” over their own data.
No system is infallible and cybersecurity breaches are inevitable, but Singapore needs to do better in mitigating the risks and following through on its pledge to safeguard citizen data.