Singapore’s much vaunted cybersecurity defenses were overcome in a data breach that compromised the personal data of over a quarter of the Southeast Asian nation’s population.
Personal data of 1.5 million patients were stolen in the largest data breach ever in Singapore’s history. Singapore recently scored 0.925 in the cybersecurity ranking by the International Telecommunication Union, a United Nations agency.
“It’s breaking news for a country like Singapore, and definitely it warranted a lot of scrutiny,” said Eugene Lee, business development officer for Connectivity Global, a Singaporean-South Korean cybersecurity start-up.
“Hackers are becoming more sophisticated, and most email security products are no longer able to catch these attacks.”
A preliminary investigation indicates that malware downloaded through a compromised website or a phishing email at a front-end workstation led to the breach. The malware allowed the hackers to use account credentials – user names and passwords – to gain access to the SingHealth database.
The names, identity numbers, address, gender, race and date of birth of patients who visited SingHealth clinics between May 1, 2015 and July 4, 2018 were compromised. Even the personal data and prescription information of the Prime Minister, Lee Hsien Loong, was exposed.
It was on July 4 that administrators of the Integrated Health Information Systems detected unusual activity in one of the databases. Eventually it was determined that the attack was not the work of casual hackers or criminal gang. It was a “deliberate, targeted and well planned” attack, The Straits Times reported.
The breach highlighted the fact that the best technology cannot stop a breach if a user unwittingly lets in a hacker.
“Not all people in the organization are tech savvy, especially those at the front end,” Lee said.
“As long as somebody in the company clicks on links they find in their email, the system can be compromised.”
Guarding against such attacks could be tricky as the malware comes from communication from people users know – or think they know.
“If I receive an email from somebody I know, and I am not alert, or I could just be tired, I immediately click on the link or attachment,” Lee said.
The breach dents Singapore’s reputation as a cybersecurity leader and shows that email security remains a top, continuing concern in businesses and organizations worldwide.
The next generation of email security products, Lee said, use AI and machine learning to guard against different modes of malware delivery and user behavior to protect systems against attacks.
A Committee of Inquiry has been formed to investigate the SingHealth breach.