Huge Singapore data breach shows need for new approach

Personal data of 1.5 million citizens, including prime minister Lee Hsien Loong, has been stolen from a government health database in Singapore in a “deliberate, targeted and well-planned attack”, according to health ministry.

Those affected visited SingHealth’s specialist outpatient clinics and polyclinics from 1 May 2015 to 4 July 2018, but while data includes names, addresses, gender and date of birth, no medical records were involved apart from details of medicines dispensed to about 160,000 patients, the health ministry said in a statement.

According to the statement, no records were amended or deleted and no other patient records, such as diagnosis, test results or doctors’ notes, were breached, but that the attackers “specifically and repeatedly” targeted Prime Minister Lee Hsien Loong’s personal particulars and information on his outpatient dispensed medicines.

The Cyber Security Agency of Singapore said its investigation shows that the cyber attackers accessed the SingHealth IT system through an initial breach on a particular front-end workstation.

They subsequently managed to obtain privileged account credentials to gain privileged access to the database, the agency said, adding that upon discovery, the breach was immediately contained, preventing further loss of data.

As part of government moves to tighten the security of SingHealth’s IT systems, no computers used for health IT system are being allowed to access the internet, additional controls have been placed on workstations and servers, user and systems accounts have been reset, and additional system monitoring controls have been installed.

Similar measures are being put in place for IT systems across the public healthcare sector against this threat, the government said.

Fraser Kyne, European chief technology officer at Bromium, said the breach is “very serious” given the sensitivity of the data accessed and the sheer volume of records involved.

“This breach once again highlights how today’s cyber security is a house of cards – it just takes one person to click on the wrong thing for the whole thing to come crashing down.

“Only when we admit that we cannot detect and stop threats, and instead start focusing on minimising harm, can we ever hope to disrupt hackers,” he said. “The simple fact is that if the endpoint was isolated, the hacker would have had nowhere to go and nothing to steal.”

The incident also highlights the fact that networks and endpoints can no longer be trusted, said Kyne, because attackers will inevitably find a way in.

“Air-gapping can be an effective solution, but it is impractical when you have multiple employees trying to access a business critical application. Instead, we need to shrink protection to application level.

“By protecting applications that store our most sensitive and critical data, even if the device or network is compromised, that application cannot be touched as it will be invisible to the device and network,” he said.