The largest data breach to have occurred on our shores took place between June 27 and July 4. The cyber attack on SingHealth’s database saw the personal particulars, such as NRIC numbers, names and addresses, of 1.5 million patients copied and exported unlawfully (remember the SMSes from SingHealth?). Among the 1.5 million patients was PM Lee, whose personal details and prescription records were also stolen. A four-member Committee of Inquiry (COI) was formed to investigate the incident and will conduct hearings that are expected to last until October 5.
The million data question: How did it happen?
The cyber attack apparently unfolded over a span of 10 months before it was discovered in June. SingHealth’s attacker initially entered its healthcare network by using a publicly available hacking tool to gain access to a workstation in one of SingHealth’s hospitals. That workstation was particularly vulnerable because its software was too outdated to defend against the tool.
From December to May 2017, the attacker used the infected workstation to spread malware across computers in the network. The hacker’s main objective was to breach SingHealth’s electronic medical records (EMR) system, one of Singapore’s critical information infrastructures. From May to June 2018, the attacker entered the EMR database by exploiting an inactive administrator account.
This was where the lapses were exposed. Firstly, the inactive administrator account’s link to the EMR database was supposed to have been decommissioned, yet it was not. Moreover, there were records of multiple attempts to access this link prior to the data breach. Secondly, the staff in charge of SingHealth’s Integrated Health Systems (iHiS) were aware of unauthorized access attempts on its networks from mid-June 2018, but only reported them on the night of July 9. Although the infected servers were shut down and passwords changed, the COI deemed these moves “piecemeal and inadequate”. Not to mention, the Cyber Security Agency found that the password for one of the administrator accounts – p@ssword – was trivially guessable. Nonetheless, the COI noted that “this was a highly sophisticated and persistent attack, planned and executed with patience”.
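As an added illustration of the first lapse above (this is not code from the article or from the COI proceedings), the following Python check flags any authentication traffic against accounts that have been dormant longer than a threshold, and includes a denylist test that recognises leet-speak variants such as p@ssword. The account inventory, log format and all names and values are constructed assumptions for the example.

```python
from datetime import datetime, timedelta
import re
# Constructed sample data (not from the COI findings): each account's last
# legitimate activity, and auth log lines in a hypothetical key=value format.
DORMANT_AFTER = timedelta(days=90)
ACCOUNT_LAST_ACTIVITY = {
    "emr_admin_01": datetime(2017, 9, 1),  # hypothetical dormant admin account
    "dba_active": datetime(2018, 6, 10),   # hypothetical account in regular use
}
AUTH_LOG = """\
2018-06-12T02:14:33 host=emr-db01 user=emr_admin_01 result=FAIL src=10.0.5.23
2018-06-12T02:14:41 host=emr-db01 user=emr_admin_01 result=FAIL src=10.0.5.23
2018-06-12T02:15:02 host=emr-db01 user=emr_admin_01 result=SUCCESS src=10.0.5.23
2018-06-12T09:00:10 host=emr-db01 user=dba_active result=SUCCESS src=10.0.1.8
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
                     r"result=(?P<result>\S+) src=(?P<src>\S+)$")

def parse_line(line):
    """Parse one log line into a dict; returns None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev

def dormant_account_activity(log_text, last_activity, dormant_after=DORMANT_AFTER):
    """Summarise attempts against accounts idle longer than dormant_after; such
    accounts should see no authentication traffic, so even failures merit an alert."""
    alerts = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        seen = last_activity.get(ev["user"])
        if seen is None or ev["ts"] - seen < dormant_after:
            continue  # unknown or recently active account: not this check's job
        a = alerts.setdefault(ev["user"], {"attempts": 0, "successes": 0, "sources": set()})
        a["attempts"] += 1
        a["successes"] += ev["result"] == "SUCCESS"
        a["sources"].add(ev["src"])
    return alerts

# Undo common substitutions so "p@ssword" is recognised as the denylisted word.
LEET = str.maketrans("@$0!13", "asoile")
DENYLIST = {"password", "admin", "welcome"}

def is_trivially_weak(password):
    return password.lower().translate(LEET) in DENYLIST
```

Running the check over the constructed log reports three attempts (one successful) against the dormant account and nothing for the active one; in practice the account inventory would come from the directory service and the threshold from the decommissioning policy.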