SINGAPORE (Dec 28): Industry experts and organisations say attacks and data breaches are all but inevitable. In fact, by year-end, it would be hard to find someone who has not had at least one piece of personal information — whether name, gender, address or credit card number — stolen or exposed.

In Singapore, the largest breach the country has seen occurred in July, when the personal data of 1.5 million people, including Prime Minister Lee Hsien Loong, was stolen from the SingHealth database.

As the nation reeled from the discovery, questions were asked about the timeline of the incident, specifically why it took the Ministry of Health so long to publicly disclose the breach. The breach took place on June 27 and was discovered on July 4. But the public was only informed on July 20.

Furthermore, statements made by the head of the Cyber Security Agency of Singapore, David Koh — that the information stolen, including names, dates of birth, National Registration Identity Card numbers, was only “basic demographic data” — were even more puzzling. On July 24, the Monetary Authority of Singapore issued an advisory to banks, asking them to tighten their customer verification process in the light of the breach.

More details of the breach have emerged as the government convened a Committee of Inquiry (COI) to look into the event. Significantly, the main cause of the lengthy lapse between the breach and the alert to the Cyber Security Agency (CSA) of Singapore was the reluctance of Integrated Health Information Systems senior manager Ernest Tan to report the suspicious network activity to his superiors. IHiS manages and integrates Singapore’s healthcare IT systems.

During a hearing on Oct 31, Tan said he felt there would be “no day, no night” for him and his colleagues once the matter was reported, meaning they would likely be working around the clock to provide information and updates to their superiors.

The COI also heard there was doubt over the ownership of the healthcare database, which meant the management of it was unclear. Also, the database had not been tested for vulnerabilities despite it being considered part of critical information infrastructure. And, there was no formal protocol for IHiS staff to follow in the event of a cyberattack.

“The culture in the region is not to report bad news unless [you] have to. Now, what you are seeing is the impact of laws and regulations as they roll into the region,” says Barry Greene, principal architect at content delivery network Akamai Technologies, “My personal experience is that I see tons of nasty stuff in the region; it just hasn’t been talked about.”

Subscribers can log in and read the story <span><a href="https://www.theedgesingapore.com/print-edition/securing-your-data-only-going-get-more-challenging" target="_blank">Securing your data is only going to get more challenging</a></span> here. Or click <a href="https://www.theedgesingapore.com/subscribe" target="_blank">here</a> to subscribe.

Complacency, organisational inertia the new virus

Qarbotech named winner of inaugural EQT Impact Challenge

MSCI boss warns of climate risks

Keppel to acquire 50% stake in European asset manager Aermont Capital for up to $517 mil

Local banks 'resilient' in 2023, but MAS warns of deteriorating asset quality, climate transition risks

The new kings and queens of content

Broker's digest: IHH Healthcare, FLCT, Boustead Singapore, BRC Asia, Starhill Global REIT, MPACT, Kimly

Cultural challenges in business diplomacy with China

Benign STI seen as investors pivot to foreign markets, growth stocks

Complacency, organisational inertia the new virus

Related News

Highlights

Qarbotech named winner of inaugural EQT Impact Challenge

Related News

Keys to becoming cyber resilient for healthcare organisations

Gearing up for a generative AI-driven future

How to reduce and manage cyber risks during M&As