Thursday, 10 January 2019

Committee of Inquiry on SingHealth cyber attack public report; IHiS sacks 2 employees, imposes financial penalty on CEO

Probe report on SingHealth data breach points to basic failings
COI releases key findings on cyber attack, and makes 16 recommendations with priority for 7
By Irene Tham, Senior Tech Correspondent, The Straits Times, 10 Jan 2019

Staff who fell prey to phishing attacks. Weak administrator passwords. Not applying a patch that could have stopped the hacking. And an IT cyber-security team that could not even recognise a security incident.

These were among the basic failings that opened the door to Singapore's worst data breach, according to the public report by a high-level panel tasked to probe last June's cyber attack on SingHealth.

And such lax cyber-security practices were no match for the sophisticated cyber attackers, believed to be state-linked. In fact, the Singapore authorities contacted foreign law enforcement agencies for information on the users behind servers linked to the attack.

The 453-page report also offers 16 recommendations - seven of them classified as "priority" - to shore up defences at organisations responsible for critical information infrastructure (CII) systems.

Among other things, CII owners including SingHealth must set rules, to be reviewed at least once a year, to protect their systems against cyber-security threats.

All administrators must use two-factor authentication, and the use of passphrases instead of passwords should be considered. The industry and the Government should also share threat intelligence.

One key recommendation is that SingHealth appoint its own cyber-security "risk man" rather than rely solely on its IT management vendor, Integrated Health Information Systems (IHiS), for such oversight.

At present, all the domain expertise and resources to detect and manage cyber-security risks lie with IHiS, which the Committee of Inquiry (COI) said is "difficult to sustain" in the long run.

The report also provides a blow-by-blow account of the events that led to the cyber attack.

Despite the attackers being sophisticated, the COI said, the data breach could have been averted if not for "a blanket of middle-management mistakes" at IHiS, Singapore's central IT agency for the healthcare sector.

For instance, a middle manager of cyber security at IHiS had misconceptions of what constitutes a cyber-security incident, and delayed reporting the network intrusions for fear that additional pressure would be put on him and his team.

Also, the key technology "risk man" at IHiS - cluster information security officer Wee Jia Huo - displayed "an alarming lack of concern" when it was clear that a critical system had been potentially breached.

These lapses contributed to successful data exfiltration from SingHealth's electronic medical records system from June 27 to July 4 last year. Hackers stole the personal data of 1.5 million patients and the outpatient prescription details of 160,000 people, including Prime Minister Lee Hsien Loong.

"The attacker had a clear goal in mind, namely, the personal and outpatient medication data of the Prime Minister in the main, and also that of other patients," the report said.

But it also noted: "The attacker was stealthy but not silent, and signs of the attack were observed by IHiS' staff. Had IHiS' staff been able to recognise that an attack was ongoing and take appropriate action, the attacker could have been stopped before it achieved its objectives."

Organisational culture was to blame for some of the missteps.

"One must not lose sight of the fact that the treatment of cyber-security issues and incidents by staff and middle management is very much shaped by organisational culture," wrote the COI, chaired by retired judge Richard Magnus.

This public report follows the submission of a fuller "top secret" report - detailing the attacker's identity and methods, and SingHealth's system vulnerabilities - to Minister-in-charge of Cyber Security S. Iswaran on Dec 31 last year. The fuller report is not published for national security reasons.

Responding to the public report, Professor Ivy Ng, SingHealth group chief executive officer, said: "Since the incident, we have reinforced the culture of personal ownership of cyber defence so that every staff is empowered to identify and report cyber-security threats."

Mr Bruce Liang, IHiS chief executive officer, said: "We will... do our utmost to drive change throughout our organisation, with patient well-being as our priority."

COI on SingHealth cyber attack: 5 key findings
A high-level panel investigating the cyber attack on SingHealth in June last year recounts in a report released yesterday the factors that led to Singapore's worst data breach.
By Irene Tham, Senior Tech Correspondent, The Straits Times, 10 Jan 2019


Staff of Integrated Health Information Systems (IHiS) lacked cyber-security awareness, training and resources to respond effectively to the attack.

But several of its junior staff - including system engineer Benjamin Lee - showed considerable initiative in spotting and reporting suspicious network activities.

They, however, could not identify that a sophisticated cyber attack was under way and were not familiar with IT security policies.

Similarly, a middle manager of cyber security, Mr Ernest Tan, had misguided views of what constituted a security incident.


Key cyber-security staff at IHiS failed to take necessary action to prevent the data breach. Cluster information security officer Wee Jia Huo learnt of the suspicious network activities in June. But the key technology "risk man" did not take steps to understand them. The report said he showed "an alarming lack of concern" although by July 4, it was clear a critical system had potentially been breached.

Mr Wee's job was to decide if upper management should be alerted about incidents, but he abdicated this responsibility to Mr Tan in this case. Mr Tan delayed reporting it, fearing extra pressure on his team.


Vulnerabilities and misconfigurations in SingHealth's network and systems contributed to the data breach. The attacker exploited an open link between servers in Singapore General Hospital and the electronic medical records (EMR) system.

The temporary link for database migration to a new cloud-based system was not shut down after the migration was completed.

An unaddressed coding vulnerability in the EMR software supplied by Allscripts Healthcare Solutions was likely exploited by the attacker to obtain credentials "and cross the last mile" to access patient records, said the report.


The attackers were skilled, sophisticated and likely to be state-sponsored.

They established multiple footholds in SingHealth's network, enabling them to execute commands from another compromised server on July 19, even as investigations into their earlier breach were under way.

The earlier breach was carried out over 10 months, primarily targeting the personal and outpatient medication data of Prime Minister Lee Hsien Loong.


While systems will never be breach-proof, the attackers would have found it harder to achieve success had the identified vulnerabilities and misconfigurations been fixed, the report said.

Also, if IHiS had trained its staff to take appropriate action, the attackers could have been stopped and the breach averted, it added.

Profile of the attacker
By Hariz Baharudin, The Straits Times, 10 Jan 2019

The Committee of Inquiry agrees with the Cyber Security Agency's assessment that the cyber breach was carried out by a skilled and sophisticated attacker bearing the characteristics of an Advanced Persistent Threat (APT) group, based on evidence during the hearings. APT refers to a class of sophisticated, usually state-linked, cyber attackers who conduct extended, carefully planned cyber campaigns to steal data or disrupt operations. They are known to be extremely persistent in finding ways to get into a network or system once a target has been identified.


The attacker was focused on accessing and stealing the personal and outpatient medication data of Prime Minister Lee Hsien Loong and other patients.

Its actions were targeted and specific, and it compromised only selected computers needed to access, copy and transfer data.


Techniques used by the attacker include customised and stealthy malware. It also found and exploited various vulnerabilities in SingHealth's IT network and electronic medical records system.

Apart from evading detection for nearly 10 months, the attacker also covered its tracks by deleting logs in compromised workstations and servers.


The attack was carried out over more than 10 months, involving multiple attempts at accessing patients' records using various methods.

Even after the attack was stopped on July 4, the attacker re-entered the system on July 19 through an earlier established foothold and tried to regain control over the network.


It had the capability to develop customised tools and showed a wide range of technical expertise.

COI on SingHealth cyber attack: 16 recommendations
By Hariz Baharudin, The Straits Times, 10 Jan 2019

In addition to the five key findings on the SingHealth data breach, the Committee of Inquiry that investigated Singapore's worst cyber attack made 16 recommendations.

These are aimed at enhancing responses to similar incidents, better protecting SingHealth's database against similar attacks and reducing the risk of such cyber attacks on public sector IT systems with large databases of personal data. They are grouped into two categories: seven priority recommendations and nine additional recommendations.


1 An enhanced security structure and readiness must be adopted by the Integrated Health Information Systems (IHiS) and public health institutions.

- Cyber security has to be seen as a risk management issue, and not just a technical issue, where decisions are made at the appropriate management level.

- IHiS, Singapore's central IT agency for the healthcare sector, has to take an approach where security is not dependent on just one line of defence.

- Gaps between policy and practice must be addressed.

2 Online security processes must be reviewed to assess their ability to defend and respond to advanced threats.

- Effectiveness of current processes must be reviewed to fill gaps used by the attacker.

3 Staff awareness on cyber security must be improved, to better prevent, detect and respond to security incidents.

- The level of cyber hygiene among users must improve.

- A security awareness programme should be implemented to reduce organisational risk.

- IT staff must be equipped with sufficient knowledge to recognise the signs of a security incident.

4 Enhanced security checks must be performed, especially on critical information infrastructure (CII) systems.

- Vulnerability assessments, safety reviews and certification of vendor products must be done.

5 Privileged administrator accounts must be subject to tighter control and greater monitoring.

- An inventory of administrative accounts should be created to keep track of them.

- All administrators must use two-factor authentication (2FA) when doing administrative tasks.

- Passphrases, instead of passwords, could be used. Password policies must be implemented and enforced.

- Server local administrator accounts must be centrally managed.

- Privileged service accounts must be managed and controlled.

6 Improve incident response processes for a more effective response to cyber attacks.

- Response plans must be tested frequently to ensure effectiveness.

- A balance must be struck between containment, remediation and eradication, and the need to monitor an attacker and preserve critical evidence.

- Information needed to investigate an incident must be available.

- An Advanced Security Operation Centre or Cyber Defence Centre should be established to improve the ability to detect and respond to intrusions.

7 There should be partnerships between the industry and the Government to achieve a higher level of collective security.

- Threat intelligence sharing should be enhanced.

- Partnerships with Internet service providers should be strengthened.

- Apply behavioural analytics.


8 IT security risk assessments and audit processes must be treated seriously and carried out regularly.

- IT security risk assessments must be conducted on CII and mission-critical systems annually and upon specified events.

- Audit action items must be remediated.

9 Enhanced safeguards must be put in place to protect electronic medical records.

- A clear policy on measures to secure confidentiality, integrity and accountability of electronic medical records must be formulated.

- Have real-time monitoring of databases with patient data.

- End-user access to electronic health records should be made more secure.

- Controls must be put in place to better protect against data theft.

10 Domain controllers must be better secured against attacks.

- Operating system for domain controllers must be more regularly updated to protect them against the risk of cyber attack.

- Limit log-in access and require 2FA for administrative access.

11 A robust patch management process must be implemented to address security vulnerabilities.

- Formulate and implement a clear policy on patch management.

12 A software upgrade policy with focus on security must be implemented to increase cyber resilience.

- A proper governance structure must be in place to make sure policy is adhered to.

13 An Internet access strategy that minimises exposure to external threats should be implemented.

- Internet access strategy should be considered afresh.

- The healthcare sector should consider the benefits and drawbacks of Internet surfing separation and Internet isolation technology, and put in place mitigating controls to address the residual risks.

14 Incident response plans must more clearly state when and how a security incident is to be reported.

- It must clearly state that an attempt to compromise a system is a reportable security incident, and include examples as well as indicators of an attack.

15 Competence of computer security incident response personnel must be significantly improved.

- A competent and qualified security incident response manager, who understands and can execute the required roles and responsibilities, must be appointed.

16 A post-breach independent forensic review of the network, all endpoints and the electronic medical records system should be considered.

- IHiS should consider working with experts to ensure no traces of the attacker are left behind.

* IHiS sacks 2 employees, slaps financial penalty on CEO over lapses in SingHealth cyber attack
By Irene Tham, Senior Tech Correspondent, The Straits Times, 15 Jan 2019

The technology agency pulled up for its lapses in last June's cyber attack on SingHealth has fired two employees and imposed "significant financial penalty" on five members of its senior management team, including its chief executive.

In a statement yesterday, the Integrated Health Information Systems (IHiS), the central IT agency responsible for Singapore's healthcare sector, said: "IHiS takes a serious view of the incident and the need for accountability."

The cyber attack resulted in the personal information of 1.5 million patients, including Prime Minister Lee Hsien Loong, being stolen by hackers, and the lapses by IHiS were highlighted by a high-level panel that probed the incident.

The disciplinary action follows the release of a 453-page public report last week by the Committee of Inquiry (COI) probing the incident.

Yesterday, IHiS said that two individuals found to be negligent during the data breach will have their services terminated.

One was a team lead in the infrastructure systems team. While he had the necessary technical competencies, his attitude towards security and his set-up of the servers introduced unnecessary and significant risks to the system. The other was a senior manager in charge of cyber security at IHiS. He held a mistaken understanding of what constituted a security incident and when a security incident should be reported.

"His passiveness even after repeated alerts by his staff resulted in missed opportunities which could have mitigated or averted the effect of the cyber attack," said IHiS.

A cluster information security officer will be demoted and redeployed to another role. He was found to have misunderstood what constituted a security incident and failed to comply with IHiS' incident reporting processes.

The disciplinary panel took into account mitigating factors such as his lack of aptitude, which made him unsuitable for the role.

On the financial penalty imposed on five senior management team members, IHiS said this was "for their collective leadership responsibility". The five include CEO Bruce Liang. In addition, two middle-management personnel, who were supervisors of the sacked employees, will bear "moderate" financial penalties.

"The CEO and management team have acknowledged their responsibilities and accepted the penalties. They have committed to leading IHiS to improve our cyber-security defence and preparedness, and rebuild public trust in our healthcare system," IHiS said, adding that three employees were commended for demonstrating resourcefulness in managing the cyber attack.

Mr Paul Chan, chairman of IHiS board, said: "The cyber attack has been a reminder of our need to be ever more vigilant and prepared for new cyber threats. Patient care will continue to be our priority."

Human resource experts said financial penalties would likely come in the form of bonus reduction. Singapore Human Resources Institute president Erman Tan said: "This is so that... they see a duty to safeguard personal data."

** Parliament: IHiS, SingHealth fined $1 million; new cyber security steps taken
Healthcare sector looking at tiered Net access to minimise risks in the wake of data breach
By Irene Tham, Senior Tech Correspondent, The Straits Times, 16 Jan 2019

The fallout from the SingHealth data breach continues to reverberate across the healthcare sector, with Singapore's privacy watchdog dishing out hefty fines totalling $1 million against those responsible for the lapse and a slew of cyber security measures being rolled out to safeguard critical systems.

Updating Parliament yesterday on the heels of a detailed report by the high-level Committee of Inquiry (COI) that investigated last June's cyber attack on SingHealth, Singapore's largest healthcare cluster, two ministers acknowledged the shortcomings that had been identified and detailed the steps being taken to rectify them.

Minister-in-charge of Cyber Security S. Iswaran and Minister for Health Gan Kim Yong both said they had fully accepted the report issued last week by the COI.

They also told Parliament that the Personal Data Protection Commission (PDPC) had found both SingHealth and its IT vendor Integrated Health Information Systems (IHiS) guilty of failing to secure patient data. The cyber attack had compromised the personal information of 1.5 million patients, including Prime Minister Lee Hsien Loong.

The COI had noted that SingHealth had delegated its cyber security operations entirely to IHiS and, given the severity of the lapses, the PDPC imposed its largest-ever fine of $750,000 on the technology vendor.

But it stressed that, as the owner of the patient data system, SingHealth also had a responsibility for the breach, and fined it $250,000 - its second-biggest fine to date.

"Even if organisations delegate work to vendors, organisations as data controllers must ultimately take responsibility for the personal data that they have collected from their customers," said the PDPC.

IHiS had disclosed earlier that it had fired two of its employees who were found to be negligent and imposed financial penalties on five members of its senior management team, including its chief executive.

Yesterday, Mr Gan said that even though the COI had not identified lapses among specific individuals within SingHealth, the healthcare cluster accepted its responsibility for the breach. "The SingHealth senior leadership has accepted a financial penalty," he said.

Mr Iswaran said that the measures recommended by the COI would help Singapore guard against malicious cyber activities, including from international attackers.

"A cyber attack of the scale and sophistication that was launched against SingHealth could also be mounted on any of our major IT systems, threatening the safety and security of Singapore and Singaporeans," he said.

To guard against it, there will be increased automation of the roll-out of software patches, and audits and drills will be intensified. Internet surfing separation and the use of a virtual browser are also in the works for the healthcare sector.

Elaborating on this, Mr Gan said that while temporary Internet surfing separation had been implemented across the public healthcare sector in the wake of the attack, it had posed challenges in areas such as emergency care and tele-consultations.

MOH was now looking at more long-term solutions. It was studying a tiered model of Internet access, in which some job roles might not need it, while for others, it could be managed through the use of separate devices with and without Internet surfing abilities.

In cases where staff like clinicians need access to the Internet and intranet on the same device, MOH is experimenting with using virtual browsers, which allow access to the Internet through strictly controlled client servers.

"This was not the first instance where we were targeted, and it will not be the last," said Mr Iswaran.

He added: "We cannot let incidents like this derail our Smart Nation initiatives that can enhance our economic competitiveness and deliver better public services."

Parliament: 11 critical sectors to shore up defences in response to SingHealth COI report, says Minister-in-charge of Cyber Security S. Iswaran
More security audits, drills in new cyber defence model in response to COI recommendations
By Irene Tham, Senior Tech Correspondent, The Straits Times, 16 Jan 2019

Singapore will intensify the use of technology to automate cyber security tasks such as the roll-out of software patches.

Also, more security audits and drills will be carried out to sharpen public officers' readiness to respond to cyber incidents.

These new measures to shore up the cyber security of public sector systems were disclosed by Minister-in-charge of Cyber Security S. Iswaran in Parliament yesterday.

This new model of cyber defence will be implemented across 11 critical information infrastructure sectors, including healthcare, energy, telecommunications and transport.

The new approach is a response to the recommendations of a high-level Committee of Inquiry (COI) that investigated the cyber attack on SingHealth, Singapore's largest cluster of healthcare institutions.

Mr Iswaran said its findings and recommendations gave "added impetus" to the ongoing efforts of the Smart Nation and Digital Government Group (SNDGG) to improve the cyber security of government systems.

"In particular, the findings reaffirmed the 'defence-in-depth' approach the public sector had adopted towards cyber security."

He added: "The public sector will also continue to strengthen our defences on all fronts - people, process, technology and partnerships, as informed by the COI recommendations."

The recommendations were unveiled last week in a public report that recounted the events that led to June's cyber attack that compromised the personal information of 1.5 million patients, including Prime Minister Lee Hsien Loong.

On the technical front, SNDGG will look at improving the architecture of government systems to allow more extensive monitoring and detection of abnormal activities. It will also continue to introduce measures to better detect and respond to intrusions, and monitor critical databases.

Acknowledging that the Government cannot fortify its cyber security alone, he said it will enlist the help of the larger cyber security community, including ethical hackers.

The Cyber Security Agency of Singapore will oversee and follow up on how the COI recommendations will be carried out in the 11 sectors.

Said Mr Iswaran, who is also Minister for Communications and Information: "The recommended measures will help us defend ourselves better against malicious cyber activities, including from international attackers. This was not the first instance where we were targeted, and it will not be the last."

Mr Vikram Nair (Sembawang GRC) and Mr Cedric Foo (Pioneer) asked about the hackers' identity.

Mr Foo, chairman of the Government Parliamentary Committee for Communications and Information, said: "How about the person who actually broke into the house? There seems to be a vacuum as far as the sense of justice (goes)."

Replying, Mr Iswaran said: "I don't think we should deduce whether we have a sense of justice to just one specific point - that there is no public attribution of the perpetrator."

Citing moves that the Government made in the spirit of transparency, he said Singapore can hold itself up to the best practices and standards. The moves include announcing the cyber attack on July 20 last year, 10 days after it was made known to the Cyber Security Agency of Singapore, and convening a COI and releasing the recommendations and findings.

"I can understand that members have a desire and on behalf of constituents to know this, but I think we have to exercise judgment - what is in our national interest and whether a public attribution serves our best interests. And as I said, we know who the perpetrator is, appropriate action has been taken."

By Hariz Baharudin, The Straits Times, 16 Jan 2019

Committee of Inquiry (COI)

• Following the announcement of the breach, Minister for Communications and Information S. Iswaran, who is also Minister-in-charge of Cyber Security, convened a four-member COI to get to the bottom of the attack.

• In a public report issued last Thursday, the COI identified five key factors that led to the breach.

• It also made 16 recommendations to enhance responses to similar incidents, better protect SingHealth's database against similar attacks and reduce the risk of such cyber attacks on public sector IT systems with large databases of personal data.


• The Personal Data Protection Commission (PDPC), Singapore's privacy watchdog, said yesterday that it has fined Integrated Health Information Systems (IHiS) $750,000 and SingHealth $250,000 for the data breach.

• Both Mr Iswaran and Minister for Health Gan Kim Yong said in Parliament yesterday that the Government accepts the COI's recommendations.

• Mr Iswaran said more technology will be used to automate cyber security tasks. Security audits and drills will be intensified to sharpen public officers' readiness to respond to cyber security incidents.

• A tiered model of Internet access will be in the works for the healthcare sector, said Mr Gan, should a virtual browser solution being tested prove effective.

• Mr Gan added that mandatory contributions to the National Electronic Health Record (NEHR) system will be deferred.

• The Cyber Security Agency of Singapore has instructed all critical information infrastructure (CII) sectors to strengthen network security. It has also designated all CIIs, and their owners must now comply with obligations under the Cyber Security Act.

Integrated Health Information Systems (IHiS)

• IHiS has outlined measures to strengthen cyber security, including two-factor authentication for local administrators. It is also studying the possibility of using a virtual browser solution.

• Two employees of the public healthcare sector's IT vendor, who were found to be negligent during the data breach, have been fired.

• A "significant financial penalty" has been imposed on five members of its senior management team, including its chief executive, Mr Bruce Liang.


• SingHealth is making changes to enhance its cyber security governance structures and improve management oversight of its critical systems. It will also work with IHiS to upgrade its cyber defence systems.

• The SingHealth senior leadership, including its group chief executive Ivy Ng, has voluntarily accepted a financial penalty.

Parliament: Tiered model of Internet access being considered for public healthcare sector, says Minister for Health Gan Kim Yong
By Hariz Baharudin, The Straits Times, 16 Jan 2019

A tiered model of Internet access will be rolled out for the healthcare sector, should a virtual browser solution that is being tested prove effective, Minister for Health Gan Kim Yong said yesterday.

It could be the best solution for staff whose jobs require access to the Internet and the healthcare group's internal network to be provided on the same device, Mr Gan told Parliament.

But those whose jobs do not need Internet access will continue to remain out of it, he said, citing administrative staff doing back-end tasks.

The same goes for staff who can access the Web via a separate device like a mobile phone, he added.

Mr Gan made these points in a ministerial statement on the actions his ministry will take following the cyber attack on the database of Singapore's largest healthcare cluster, SingHealth.

Hackers stole the data of 1.5 million patients and the outpatient prescription details of 160,000 people, including those of Prime Minister Lee Hsien Loong.

The minister said a virtual browser will allow access to the Internet through strictly controlled and monitored client servers, and his ministry had been experimenting with the solution before the cyber attack.

"If we imagine loading a webpage or downloading a file from the Internet to be like receiving a letter, the client server is like a decontamination room, where the letter is opened and only a picture is taken and sent to the recipient," said Mr Gan.

This process, he added, is safer as malicious or hidden material is left behind.

"Our earlier technical trial conducted at the healthcare clusters has shown that a virtual browser is technically feasible," said Mr Gan.

The next step would be to run a pilot of this solution in different settings and healthcare roles to test its effectiveness, he added.

The pilot will begin in the first quarter of this year at the National University Health System. It will be evaluated over six months.

Mr Gan also gave an update on the ongoing review of the safeguards for the National Electronic Health Record (NEHR) system that was triggered by the SingHealth data breach.

The NEHR has been undergoing penetration tests and cyber security assessment by the Cyber Security Agency, GovTech and audit firm PricewaterhouseCoopers.

It will be tested further, he added.

Mr Gan also reiterated that given the importance of having safeguards in place, the Government will not require healthcare institutions to submit data to the NEHR until after the reviews are done.

Earlier, he described to the House his ministry's efforts in beefing up cyber security in the public healthcare sector.

One, on the organisational front, it will separate the roles of the chief information security officer and the director of cyber security governance at the organisation in charge of the IT systems in the healthcare sector.

This technology vendor is the Integrated Health Information Systems (IHiS), which will have its own director of cyber security governance.

Also, the ministry's chief information security officer will be backed by a dedicated team at the ministry and be in charge of cyber security for the healthcare sector.

Two, the healthcare sector will establish a more robust defence structure with three lines of defence.

The first involves staff who develop, deliver and operate IT systems; the second, those who oversee security strategy, risk management and compliance; and the third comprises independent checks.

Three, the sector will strive to improve staff's cyber security awareness and capacity, said Mr Gan, adding that IHiS will engage specialists to conduct realistic hands-on simulation training this year.

This will augment classroom simulation exercises for responders to security incidents.

"We agree that the 'people' element is foundational and critical to our cyber defences. Every user needs to be trained and equipped to understand the important role they play in cyber defence," said Mr Gan.

Lessons learnt will continue to be felt across all sectors
By Irene Tham, Senior Tech Correspondent, The Straits Times, 16 Jan 2019

The heavy fines and penalties meted out to two organisations and some of their staff members responsible for Singapore's worst data breach have concluded six months of intense scrutiny of the episode.

But the lessons learnt will continue to be felt across all sectors in Singapore.

The Republic's privacy watchdog, the Personal Data Protection Commission (PDPC), imposed its largest-ever fine of $750,000 on Integrated Health Information Systems (IHiS), SingHealth's IT vendor.

SingHealth, the target of the attack, did not get off scot-free either. Its fine of $250,000 was the second-largest ever.

Lapses by the two organisations led to the country's worst data breach in June last year, involving the NRIC numbers, names, addresses, gender, race and birth dates of 1.5 million SingHealth patients.

The attacker also exfiltrated the dispensed medication records of 160,000 patients, including that of Prime Minister Lee Hsien Loong.

The fines broke the previous record of $50,000 imposed on karaoke bar chain K Box over data leaks involving 317,000 customers in September 2014.

In dishing out the heavy fines, the PDPC has made it clear that there is value in personal data, even if it is basic information such as names and addresses.

In Parliament yesterday, Workers' Party MP Png Eng Huat (Hougang) pointed out a misunderstanding that was created in the aftermath of the attack when the Cyber Security Agency of Singapore described the stolen information as "basic demographic data" with "no strong commercial value".

Mr Png pointed out the risk of phishing and of scammers using the leaked data to trick people into revealing confidential information such as passwords.

This is why immediately after the SingHealth attack was made known to the public, the Monetary Authority of Singapore asked financial institutions to stop using NRIC numbers, addresses and dates of birth to verify the identity of customers.

They could instead use one-time passwords (OTPs).

Millions of SingPass users also use their NRIC number to log into their Central Provident Fund accounts, to file income tax returns and to apply for work passes, among other things.

An event in 2014 - when three of 1,560 leaked SingPass accounts were fraudulently used to make six work pass applications - shows how far criminals can go with stolen demographic information.

Given the severity of the data leak, it is no wonder the PDPC said in its decision paper that IHiS could have received the maximum financial penalty of $1 million allowed under the Personal Data Protection Act if not for several mitigating factors.

These factors include IHiS' willingness to cooperate during investigations and the remedial actions it took to inform affected patients and shore up its defences following the breach.

Since last week's release of a report by the Committee of Inquiry probing the cyber attack, disciplinary measures have also been announced.

IHiS has fired two employees found to be negligent during the data breach, and demoted and redeployed its technology risk man. IHiS has also imposed "significant financial penalty" on five members of its senior management team, including chief executive officer Bruce Liang.

SingHealth's senior leadership team, including its group chief executive officer Ivy Ng, also voluntarily accepted an undisclosed financial penalty.

In the spirit of transparency, the financial penalties should have been disclosed to draw this chapter to a close.

Even as investigations end, Singapore will have to grapple with new cyber threats and the challenge of shoring up its defences.

As Minister-in-charge of Cyber Security S. Iswaran said in Parliament yesterday: "This was not the first instance where we were targeted, and it will not be the last."

***  SingHealth database hackers have targeted other systems here since at least 2017: Symantec
Whitefly is state-sponsored group that has been operating for at least two years, says Symantec
By Hariz Baharudin, The Straits Times, 7 Mar 2019

The hackers who breached the SingHealth database are from a group which has also targeted other organisations in Singapore for at least the past two years, said cyber security company Symantec.

The US-based company said the group is state-sponsored, but it did not identify the country.

It said in a statement yesterday: "Symantec researchers have discovered that this attack group, which we call Whitefly, has been operating since at least 2017. It has targeted organisations based mostly in Singapore across a wide variety of sectors, and is primarily interested in stealing large amounts of sensitive information."

The research was carried out independently by Symantec.

Singapore was hit by its worst cyber attack in June last year, when hackers went into the database of public healthcare cluster SingHealth and stole the personal data of 1.5 million patients and the outpatient prescription information of 160,000 people, including Prime Minister Lee Hsien Loong.

A Committee of Inquiry (COI) set up to look into the attack recommended a raft of measures to beef up cyber security.

Responding to queries from The Straits Times on Whitefly, Symantec said: "Identifying who or what organisation is directing or funding that activity is not in the scope or focus of what we do.

"This level of attribution requires the substantial resources, time and access to information that is generally available only to law enforcement or government intelligence agencies."

In response to the information from Symantec, the Cyber Security Agency of Singapore said: "Cyber security companies regularly produce such reports based on their own intel and research for their various stakeholders. As this is an independent investigation report by a commercial entity, we have no comment on its contents."

In the statement, Symantec said the group attacks its victims using custom malware and misleading files in phishing e-mails. These files, which run malicious programs in the victim's computers, are usually disguised as documents offering information on job openings or sent from another organisation in the same industry as the victim.

The COI heard last year that hackers used a phishing ploy to enter SingHealth's network and mount their attack.

Symantec said: "Whitefly compromises its victims using custom malware alongside open-source hacking tools and living off the land tactics, such as malicious PowerShell scripts." PowerShell scripts are tools in computer systems that run commands to change their settings and automate tasks.

"Living off the land tactics" refer to stealthy cyber attack methods that use tools already in the system, which minimises the risk of an attack being blocked or discovered.

According to Symantec, the group launched targeted attacks against multiple organisations, most of which are based here. These include firms in the healthcare, media, telecommunications, and engineering sectors. But it stopped short of naming them.

Responding to ST's request for more details, Symantec said it does not disclose the identity of cyber attack victims and that, in most cases, victims are identified due to the evidence of the attacker's activity in their networks.

It added that the group's tight focus on a limited number of targets here means that it is "likely a small to medium-sized team".

Public Report of the Committee of Inquiry (COI) into the cyber attack on Singapore Health Services Private Limited Patient Database - 10 Jan 2019
