SINGAPORE (Jan 21): In the Commission of Inquiry (COI) into the most severe data breach in Singapore’s history, Ernest Tan, a manager at IHiS, the IT arm of the Ministry of Health, revealed he was reluctant to inform his superiors about the cyber attack.

Tan, whose job it was to report security incidents and respond accordingly, was worried about the attendant stress and having to work overtime, telling the commission: “Once we escalate to management, there will be no day, no night.”

Tan was fired from his job on Jan 14. IHiS also fined seven members of its management, including CEO Bruce Liang, “for their collective leadership responsibility”. Meanwhile, Wee Jia Huo, the cluster information security officer specifically responsible for cybersecurity in SingHealth, will be demoted and redeployed.

Separately, the Personal Data Protection Commission fined IHiS $750,000 and SingHealth $250,000 for breaching their obligations under the Personal Data Protection Act.

In a statement, PDPC said it found that SingHealth personnel responsible for such security incidents were unfamiliar with how to respond to a breach, were overly dependent on IHiS and failed to understand the significance of the information that IHiS provided on the incident.

The COI also noted the “considerable initiative” shown by officers on the frontline, but was scathing about the managers’ failures. “It is a shame that such initiative was then smothered by a blanket of middle management mistakes,” it said.

Indeed, Tan’s reporting officer’s statement noted that the person who sounds the alarm “may look bad” should it turn out to be false. This effectively translates into a general reluctance to stick one’s neck out or speak up for fear of reprisal, even if a situation warranted an alert.

This is not the first time that “culture” has been highlighted in the context of public organisations encountering problems. In 2017, national rail operator SMRT grappled with severe disruptions, which resulted in commuter outrage and a public inquiry.

Among the issues that contributed to the disruptions was flooding in train tunnels because employees failed to conduct regular inspections, even though they reported doing so.

So what is “culture” in the context of these organisations? And why does it matter?

The full story, “Culture matters”, is in this week’s issue of The Edge Singapore (Issue 865).