Personal data of 1.5 million citizens, including prime minister Lee Hsien Loong, has been stolen from a government health database in Singapore in a “deliberate, targeted and well-planned attack”, according to the health ministry.
Those affected visited SingHealth’s specialist outpatient clinics and polyclinics from 1 May 2015 to 4 July 2018, but while the data includes names, addresses, gender and date of birth, no medical records were involved apart from details of medicines dispensed to about 160,000 patients, the health ministry said in a statement.
According to the statement, no records were amended or deleted and no other patient records, such as diagnosis, test results or doctors’ notes, were breached, but the attackers “specifically and repeatedly” targeted Prime Minister Lee Hsien Loong’s personal particulars and information on his outpatient dispensed medicines.
The Cyber Security Agency of Singapore said its investigation shows that the cyber attackers accessed the SingHealth IT system through an initial breach on a particular front-end workstation.
They subsequently managed to obtain privileged account credentials to gain privileged access to the database, the agency said, adding that upon discovery, the breach was immediately contained, preventing further loss of data.
As part of government moves to tighten the security of SingHealth’s IT systems, no computers used for health IT systems are being allowed to access the internet, additional controls have been placed on workstations and servers, user and systems accounts have been reset, and additional system monitoring controls have been installed.
Similar measures are being put in place for IT systems across the public healthcare sector against this threat, the government said.
Fraser Kyne, European chief technology officer at Bromium, said the breach is “very serious” given the sensitivity of the data accessed and the sheer volume of records involved.
“This breach once again highlights how today’s cyber security is a house of cards – it just takes one person to click on the wrong thing for the whole thing to come crashing down.
“Only when we admit that we cannot detect and stop threats, and instead start focusing on minimising harm, can we ever hope to disrupt hackers,” he said. “The simple fact is that if the endpoint was isolated, the hacker would have had nowhere to go and nothing to steal.”
The incident also highlights the fact that networks and endpoints can no longer be trusted, said Kyne, because attackers will inevitably find a way in.
“Air-gapping can be an effective solution, but it is impractical when you have multiple employees trying to access a business critical application. Instead, we need to shrink protection to application level.
“By protecting applications that store our most sensitive and critical data, even if the device or network is compromised, that application cannot be touched as it will be invisible to the device and network,” he said.
Javvad Malik, security advocate at AlienVault, said the breach drives home the importance for all companies across all verticals, particularly those which deal with personal data of any kind, to have effective threat detection and incident response controls in place so any such breaches can be detected quickly and stopped from turning into a large incident.
James Hadley, CEO and founder of Immersive Labs, said a breach of any type can never be underestimated.
“However, as this incident has resulted in the loss of health records, the consequences could be devastating for individuals.
“It is no longer acceptable to stick with traditional means of security and leave the protection of data down to those seen to be elite in the field.
“Every organisation, from businesses to hospitals, must create a cyber-skilled workforce to ensure they are ahead of the bad guys and make breaches like this more difficult to come by,” he said. “Taking on cyber security skills at this kind of scale should be a major priority.”