Personal data of 1.5 million patients were stolen in the largest data breach ever in Singapore’s history
Latest security breach where hackers were able to overcome, Singapore’s much vaunted cybersecurity defenses and compromise the personal data of over a quarter of the Southeast Asian nation’s population. Is a grim reminder that even the best in the breed of security can be hacked!!
Personal data of 1.5 million patients were stolen in the largest data breach ever in Singapore’s history. Singapore recently scored 0.925 in the cybersecurity ranking by the International Telecommunication Union, a United Nations agency, which means as a nation deemed to have the best cyber security practices. The incident has dented nations reputation and questioned the cyber security preparedness. The incident is also a grim reminder that your security is as strong as your weakest link which most often factor to “HUMAN ELEMENT”.
The names, identity numbers, address, gender, race and date of birth of patients who visited SingHealth clinics between May 1, 2015 and July 4, 2018 were compromised. Even the personal data and prescription information of the Prime Minister, Lee Hsien Loong, was exposed.
The preliminary investigation indicates that malware downloaded through a compromised website or a phishing email at a front-end workstation led to the breach. The malware allowed the hackers to use account credentials – user names and passwords – to gain access to the SingHealth database. The breach highlighted the fact that the best technology cannot stop a breach if a user unwittingly lets in a hacker.
The breach hampers Singapore’s reputation as a cybersecurity leader and shows that user awareness remains a top, continuing concern in businesses and organizations worldwide. A Committee of Inquiry has been formed to investigate the SingHealth breach.
The incident once again highlights importance of user awareness and actions, guarding against such attacks could be tricky as the malware comes from communication from people users know – or think they know.
CISO’ and security leaders must also go beyond conventional awareness sessions and training methods to bring home the message. The jury is already out on RoI (Return on Investment) on multiple security sessions and resources spent on training employees. But precaution is always better than cure, organizations must not only conduct regular Phishing exercise to ensure employees are aware of the luring threat and what is found a lot more beneficial in recent studies is if security organization can couple these training with personal life impact wherein employee are made aware how these controls can help family and friends in real world the RoI is much higher and feedback is much more positive along with participation.
The challenge is paramount to ensure awareness level is high among employee in these fast-moving workforce and CISO’ must find newer and innovative ways to connect with a larger population. All the options shall be explored along with traditional methods to stress the message. Gamification, security activities and national events like Cyber Security Month (as celebrated in across the world in October) help to bring home the message. Security community must stress on enhancing user awareness with a larger message to safeguard ourselves both in office and home against these cyber threats.
Vice President - Global Information Security Operations, Duff & Phelps