It was a brazen breach that proved nightmares can come true.
Around 1.5 million SingHealth patients saw their non-medical personal data stolen, along with 160,000 dispensed medicine records, Ministry of Health and the Ministry of Communications and Information said last Friday.
SingHealth is Singapore’s largest group of healthcare providers and oversees public hospitals, national specialty centers and a vast network of polyclinics. It also stores a treasure trove of medical data on most citizens.
Cybercriminals zeroed in on this treasure. They stole names, identity card numbers, addresses, genders, races and dates of birth, as well as medicine details. No data was amended or deleted.
When they used the data, they did not discriminate. Even Prime Minister Lee Hsien Loong and Emeritus Senior Minister Goh Chok Tong were victims.
Reports show that this was not a simple feat. The Cyber Security Agency of Singapore (CSA) and the Integrated Health Information System (IHIS) said it was a “deliberate, targeted and well-planned cyberattack” and was not the work of casual hackers or criminal gangs.
“The attack continues to underscore that security is NOT something you can afford to overlook,” Lim May-Ann, Managing Director, TRPC said.
It is clear that prevention alone is not enough.
“Organizations should bear in mind that in addition to robust technical cybersecurity measures, organizations also need to be able to respond quickly and effectively to any cybersecurity incidents,” Jeremy Tan, Director, CMS Holborn Asia said.
In SingHealth’s case, the measures helped—to a degree.
“I don't think the government is NOT unaware of the security needs; the intrusion was discovered by one of the check mechanisms already in place, so we should be reassured that the checks DO work -- but the challenge is now how to tweak these checks so that we detect intrusions or cyber sniffing earlier, before the data is compromised,” May-Ann said.
More importantly, the attack highlighted the change in tack by cybercriminals. They are now monetizing data.
“The data stolen in this breach is an identity thief's goldmine. It's a startling reminder to all Singaporeans that there is no such thing as 'cyber attackers would never care about little old me' – once your data is scooped up in a cybersecurity blunder of this sort, you simply can't control where it will go next. Anyone affected in this breach has no choice but to assume that their personal information will end up for sale in the cyber underground, ready for active abuse by cybercrooks,” Paul Ducklin, Senior Technologist at Sophos said.
Along with ransomware, these attacks are creating a new, broader front in the security war as firms become data-centric. The dangers can be far worse in the future.
“The fact that health records were taken should be cause for alarm, given the nerve gases and liquid assassinations we have seen recently; are they looking for a bio vulnerability/ looking to develop a targeted bioweapon?” May-Ann questioned.
The attack is a rude awakening to the dangers of digitalization. But while it warrants a relook at current security practices, it should not stop digital transformation journeys.
“Cyber incidents should not stop companies from embracing digital but instead, should compel companies to start thinking about digital risks mitigation strategies such as having robust cyber security systems and procedures in place and to have an incident response team that can respond effectively to cybersecurity incidents and other digital risks,” Tan said.
Firms need to understand how well the law can help them when data is lost or stolen. The breach highlights the need for more cooperation and collaboration among the various cybercrime organizations.
“The existing laws already have extra-territorial reach, but the practical issues around the enforcement of such laws outside of the jurisdiction remains. In order to have effective enforcement for cross-border cyber incidents there needs to be greater cooperation amongst nation states not just from a threat intelligence perspective but also from a reciprocal enforcement perspective,” Tan added.
More importantly, firms and their employees need to change our attitude toward data security. Clearly, total control is going to be difficult in a data-sharing economy. So, they need to take a proactive approach to monitor data usage behaviors.
"Whether this was a lone hacker who got lucky, a well-oiled cybercrime gang or a state-sponsored attack team won't get your personal data back, and it won't change the fact that you can't control who gets it next. Keep your own eyes open for any attempt to abuse your personal data in the future," Ducklin said.