In yet another example of the risks of supply chain vulnerabilities, Singapore’s Ministry of Defence (Mindef) recently disclosed that the confidentiality of its personnel’s personal data could have been compromised by malware incidents that affected two of its suppliers.
In December 2019, Mindef said malware incidents involving HMI Institute and ST Logistics had affected their systems containing personal data of Mindef and Singapore Armed Forces (SAF) personnel.
HMI Institute was contracted by the SAF to conduct cardiopulmonary resuscitation and automated external defibrillator training since 2016, while ST Logistics provides logistics services to the military. Both vendors were provided with personal data of Mindef and SAF personnel needed for the provision of their operations.
For the HMI Institute incident, their affected system contained personal data of 120,000 individuals. This includes the full names and identity card numbers of about 98,000 Mindef and SAF personnel. Preliminary investigations indicate that the likelihood of data leak to external parties is low.
For the ST Logistics incident, their affected systems contained full names and identity card numbers, and a combination of contact numbers, email addresses or residential addresses of about 2,400 Mindef and SAF personnel. Preliminary investigations indicate that the personal data could have been leaked.
Supply chain attacks have long been a concern in cyber security circles, since it can be difficult for organisations to enforce or prescribe specific cyber security measures for suppliers and partners – beyond broad service level agreements.
SME suppliers are particularly vulnerable, since they may not have dedicated IT departments, let alone security teams to fend off cyber adversaries.
So, what can organisations do? For now, there are few standards that address cyber security issues related to the supply chain. The Payment Card Industry Data Security Standard (PCI DSS) is one of them. It not only offers vendor management guidelines, but also specifies safeguards such as the use of encryption.
Organisations should also put in place a vendor management programme that includes identifying the most important vendors and requiring strict documentation of controls and processes. The programme should also be integrated with an organisation’s compliance practices.
As for SME suppliers, the Singapore government has been working with industry bodies to promote awareness of cyber security among smaller firms. But it is uncertain if these awareness programmes have the intended effect, going by the data breaches that continue to make headlines.