SINGAPORE (Dec 28): Industry experts and organisations say attacks and data breaches are all but inevitable. In fact, by year-end, it would be hard to find someone who has not had at least one piece of personal information — whether name, gender, address or credit card number — stolen or exposed.

In Singapore, the largest breach the country has seen occurred in July, when the personal data of 1.5 million people, including Prime Minister Lee Hsien Loong, was stolen from the SingHealth database.

As the nation reeled from the discovery, questions were asked about the timeline of the incident, specifically why it took the Ministry of Health so long to publicly disclose the breach. The breach took place on June 27 and was discovered on July 4. But the public was only informed on July 20.

Furthermore, statements made by the head of the Cyber Security Agency of Singapore, David Koh — that the information stolen, including names, dates of birth, National Registration Identity Card numbers, was only “basic demographic data” — were even more puzzling. On July 24, the Monetary Authority of Singapore issued an advisory to banks, asking them to tighten their customer verification process in the light of the breach.

More details of the breach have emerged as the government convened a Committee of Inquiry (COI) to look into the event. Significantly, the main cause of the lengthy lapse between the breach and the alert to the Cyber Security Agency (CSA) of Singapore was the reluctance of Integrated Health Information Systems senior manager Ernest Tan to report the suspicious network activity to his superiors. IHiS manages and integrates Singapore’s healthcare IT systems.

During a hearing on Oct 31, Tan said he felt there would be “no day, no night” for him and his colleagues once the matter was reported, meaning they would likely be working around the clock to provide information and updates to their superiors.

The COI also heard there was doubt over the ownership of the healthcare database, which meant the management of it was unclear. Also, the database had not been tested for vulnerabilities despite it being considered part of critical information infrastructure. And, there was no formal protocol for IHiS staff to follow in the event of a cyberattack.

“The culture in the region is not to report bad news unless [you] have to. Now, what you are seeing is the impact of laws and regulations as they roll into the region,” says Barry Greene, principal architect at content delivery network Akamai Technologies, “My personal experience is that I see tons of nasty stuff in the region; it just hasn’t been talked about.”

So what more can be expected in 2019?

Subscribers can log in and read the story Securing your data is only going to get more challenging here. Or click here to subscribe.