Singapore Public Sector Reports Yet Another Security Lapse

Following a spate of security breaches affecting healthcare patients in the country, another Singapore public sector agency has reported that personal information of 808,201 blood donors was left vulnerable after a third-party vendor failed to securely protect a server containing the data. The database had contained registration-related information such as donors' name and national identification number and, in some instances, blood type and weight. 

The external contractor, Secur Solutions Group, was provided the data for updating and testing and stored the information in a web-connected server on January 4 this year, according to the Health Sciences Authority (HSA), which was made aware of the security hole on March 13.

The Singapore government agency said in a statement on Friday that a cybersecurity expert had uncovered the vulnerability and alerted the Personal Data Protection Commission (PDPC). The health agency said one of Secur's servers had contained the database, but "was not adequately safeguarded against access over the internet" and the vendor had failed to implement adequate measures to prevent unauthorised access. 

It added that the system did not contain other medical or contact information. 

A police report was made and the access to the database was disabled, HSA said. It noted that the cybersecurity expert who reported the vulnerability had said he would not publish the contents in the database and was working with the agency on deleting the data.

Citing preliminary findings and its review of the database logs, HSA said no other unauthorised individual had accessed the database. 

HSA CEO Mimi Choong apologised for the security lapse and said the agency was stepping up checks and monitoring its vendors. 

In a note to donors, it said Secur's failure to properly secure its server was "done without HSA's knowledge and approval" and "contrary to its contractual obligations" with the agency. 

This incident follows a spate of data security breaches in recent months that saw the personal information of 1.5 million SingHealth patients and 14,200 individuals with HIV compromised. 

In a reply to a public member earlier this month, the PDPC said it currently was reviewing the country's Personal Data Protection Act to "keep pace" with the needs of businesses and individuals. Its proposed updates included a mandatory breach notification regime, However, it also noted that the public sector was not governed by the PDPA and was, instead, separately regulated by the Public Sector (Governance) Act. 

RELATED COVERAGE

SingHealth data breach reveals several 'inadequate' security measures

Investigation into the July 2018 incident reveals tardiness in raising the alarm, use of weak administrative passwords, and an unpatched workstation that enabled hackers to breach the system as early as August last year.

Hacker group behind SingHealth data breach identified, targeted mainly Singapore firms

Hackers that compromised the data of 1.5 million healthcare patients have been identified as a group that launched attacks against several organisations based in Singapore, including multinational firms with operations in the country, and is likely part of a larger operation targeting other countries and regions.

Singapore proposes new security guidelines to beef up financial resilience

Monetary Authority of Singapore is looking to introduce changes to existing technology risk and business continuity management guidelines that will require financial organisations to implement more measures, including cyber surveillance, to boost operational resilience.

Singapore moots inclusion of data portability in data protection law

Government unveils plans to include a framework, as part of a review of the country's Personal Data Protection Act, that aims to ease data flow between service providers while giving consumers "greater control" over their own data.

Key takeaways from Singapore healthcare data breach

No system is infallible and cybersecurity breaches are inevitable, but Singapore needs to do better in mitigating the risks and following through on its pledge to safeguard citizen data.

RECENT NEWS

Reassessing AI Investments: What The Correction In US Megacap Tech Stocks Signals

The recent correction in US megacap tech stocks, including giants like Nvidia, Tesla, Meta, and Alphabet, has sent rippl... Read more

AI Hype Meets Reality: Assessing The Impact Of Stock Declines On Future Tech Investments

Recent declines in the stock prices of major tech companies such as Nvidia, Tesla, Meta, and Alphabet have highlighted a... Read more

Technology Sector Fuels U.S. Economic Growth In Q2

The technology sector played a pivotal role in accelerating America's economic growth in the second quarter of 2024.The ... Read more

Tech Start-Ups Advised To Guard Against Foreign Investment Risks

The US National Counterintelligence and Security Center (NCSC) has advised American tech start-ups to be wary of foreign... Read more

Global IT Outage Threatens To Cost Insurers Billions

Largest disruption since 2017’s NotPetya malware attack highlights vulnerabilities.A recent global IT outage has cause... Read more

Global IT Outage Disrupts Airlines, Financial Services, And Media Groups

On Friday morning, a major IT outage caused widespread disruption across various sectors, including airlines, financial ... Read more