Probe report on SingHealth data breach points to basic failings

Probe report on SingHealth data breach points to basic failings

PUBLISHED ONJanuary 10, 2019 1:30 AMByIrene Tham

Staff who fell prey to phishing attacks. Weak administrator passwords. Not applying a patch that could have stopped the hacking. And an IT cyber-security team that could not even recognise a security incident.

These were among the basic failings that opened the door to Singapore's worst data breach, according to the public report by a high-level panel tasked to probe last June's cyber attack on SingHealth.

And such lax cyber-security practices were no match for the sophisticated cyber attackers, believed to be state-linked. In fact, the Singapore authorities contacted foreign law enforcement agencies for information on the users behind servers linked to the attack.

The 453-page report also offers 16 recommendations - seven of them classified as "priority" - to shore up defences at organisations responsible for critical information infrastructure (CII) systems.

Top-secret report on SingHealth attack submitted to Minister-in-charge of Cyber Security

Top-secret report on SingHealth attack submitted to Minister-in-charge of Cyber Security

Among other things, CII owners including SingHealth must set rules, to be reviewed at least once a year, to protect their systems against cyber-security threats.

All administrators must use two-factor authentication, and the use of passphrases instead of passwords should be considered. The industry and the Government should also share threat intelligence.

One key recommendation is that SingHealth appoint its own cyber-security "risk man" rather than rely solely on its IT management vendor, Integrated Health Information Systems (IHiS), for such oversight.

At present, all the domain expertise and resources to detect and manage cyber-security risks lie with IHiS, which the Committee of Inquiry (COI) said is "difficult to sustain" in the long run.

The report also provides a blow-by-blow account of the events that led to the cyber attack.

Despite the attackers being sophisticated, the COI said, the data breach could have been averted if not for "a blanket of middle-management mistakes" at IHiS, Singapore's central IT agency for the healthcare sector.

For instance, a middle manager of cyber security at IHiS had misconceptions of what constitutes a cyber-security incident, and delayed reporting the network intrusions for fear that additional pressure would be put on him and his team.

Also, the key technology "risk man" at IHiS - cluster information security officer Wee Jia Huo - displayed "an alarming lack of concern" when it was clear that a critical system had been potentially breached.

These lapses contributed to successful data exfiltration from SingHealth's electronic medical records system from June 27 to July 4 last year. Hackers stole the personal data of 1.5 million patients and the outpatient prescription details of 160,000 people, including Prime Minister Lee Hsien Loong.

"The attacker had a clear goal in mind, namely, the personal and outpatient medication data of the Prime Minister in the main, and also that of other patients," the report said.

But it also noted: "The attacker was stealthy but not silent, and signs of the attack were observed by IHiS' staff. Had IHiS' staff been able to recognise that an attack was ongoing and take appropriate action, the attacker could have been stopped before it achieved its objectives."

Organisational culture was to blame for some of the missteps.

"One must not lose sight of the fact that the treatment of cyber-security issues and incidents by staff and middle management is very much shaped by organisational culture," wrote the COI, chaired by retired judge Richard Magnus.

This public report follows the submission of a fuller "top secret" report - detailing the attacker's identity and methods, and SingHealth's system vulnerabilities - to Minister-in-charge of Cyber Security S. Iswaran on Dec 31 last year. The fuller report is not published for national security reasons.

Responding to the public report, Professor Ivy Ng, SingHealth group chief executive officer, said: "Since the incident, we have reinforced the culture of personal ownership of cyber defence so that every staff is empowered to identify and report cyber-security threats."

Mr Bruce Liang, IHiS chief executive officer, said: "We will... do our utmost to drive change throughout our organisation, with patient well-being as our priority."

This article was first published in The Straits Times. Permission required for reproduction

SingHealth PDPA (Personal Data Protection Act)

homepage

trending

trending

We will involve Singaporeans in creating and implementing solutions, says PM Wong as new Cabinet sworn in

We will involve Singaporeans in creating and implementing solutions, says PM Wong as new Cabinet sworn in

'Short-term, more conservative view': Local businesses struggle to come to terms with US tariffs

'Harvard refugee': Chinese students hunker down as US blocks foreign enrolment

$4.6m fine: 2 contractors taken to task for rigging tender bids of upgrading works at PA community clubs

Trump administration blocks Harvard from enrolling foreign students, threatens broader crackdown

LTA impounds 78 non-compliant AMDs to address rising number of fire incidents

Youth who performed lewd act on cat pleads guilty

Cool paint, clean power: These are the sustainable innovations that Temasek Foundation are backing for $2m

Chen Shucheng, Ya Hui, Felicia Chin and more recall their significant Star Awards moments

Murder mystery pop-up inspired by K-drama Nine Puzzles lets you take a shot at playing detective

Hundreds of roof tiles collapse from China’s historic drum tower, a year after extensive repairs

Bak kut teh or laksa? Uniqlo's latest drop features Singapore food-inspired collection

Tay Ying holds 'guo da li' ceremony, jokes she's 'sold'

Singapore

Singapore

Singapore has never stayed neutral and does take positions on trade with US and China: Gan Kim Yong

'Mixed emotions': Ministers Chan Chun Sing, Desmond Lee and Chee Hong Tat reflect on their Cabinet movements

US and China embassies in Singapore clash online over South China Sea; MFA cautions against stirring local sentiment

Man who sexually assaulted stepdaughter despite wife's warning gets jail, caning

Daily roundup: Murder mystery pop-up inspired by K-drama Nine Puzzles lets you take a shot at playing detective — and other top stories today

Daily roundup: New FairPrice Finest outlet featuring food hall opens in Sembawang — and other top stories today

Jail for man who devised bogus wine investment scheme, pocketed $12.67m of investors' funds

PM Lawrence Wong's Cabinet reshuffle 'cautious' and with succession in mind: Analysts

Singapore keeps 2025 growth forecast at 0-2%, sees slight boost from US-China truce

Daily roundup: Cat A COE premiums remain above $100k despite slight dip in second bidding for May 2025 — and other top stories today

Entertainment

Entertainment

Tom Cruise sends BTS' Jin on secret-agent challenges in variety show

Little Monsters flock to Maxwell Food Centre table that Lady Gaga dined at

ICA reviewing PR status of Ian Fang, Lev Panfilov following convictions for sexual offences

Ayumi Hamasaki, CL, Show Lo: Singapore concert calendar for 2025

David Duchovny is married

US singer Chris Brown granted $8.6 million bail for world tour by UK court

Miley Cyrus unwilling to remove 'very large' polyp on vocal cord in case it changes her voice

Scandal-ridden Mickey Huang and actress wife Summer Meng said to have divorced

David Beckham says receiving a knighthood would be an 'unbelievable honour'

Violet Affleck was stuck in a hotel room arguing with her mother Jennifer Garner during the California wildfires

Lifestyle

Lifestyle

Kopitiam offering 60-cent hot kopi-o and teh-o from June to mark SG60

Jurassic World, inflatable playgrounds and more: Family-friendly events and activities this June holiday

We check out Hiap Joo Bakery's new vending machine selling its famous banana cake

Singapore's beef kway teow ranks 18th in best stir-fried dishes list, Indonesia's sambal goreng takes crown

Cat A COE premiums remain above $100k despite slight dip in second bidding for May 2025

New theme park to open in Japan's Okinawa this July offering scenic treks, hot air balloon rides and more

We head to China to check out how Singapore's top-selling car brand intends to transform the automotive industry

Back with a bang: Burgs ends 2-year hiatus with new standalone restaurant at Arab Street

Furry capabara EVs, self-driving mini bar, and more - here are the wackiest cars we saw at Auto Shanghai 2025

'You asked, we listened': Don Don Donki brings back plastic bags

Digicult

Digicult

World's best Dota 2 teams to compete for $1m prize pool in Singapore in November

A $500 wake-up call: How the Samsung Galaxy Ring made me realise my stress

Monster Hunter Wilds producer explains how game has remained unique and fresh over 20 years

Google Pixel 9a: The best AI-centric phone under $800 in 2025?

Western intelligence agencies warn spyware threat targeting Taiwan, Tibetan rights advocates

Taiwan says China using generative AI to ramp up disinformation and 'divide' the island

Russian court fines Telegram app for refusal to remove anti-government content, TASS reports

One Beijing man's quest to keep cooking — and connecting with Americans — on camera

Nintendo Switch 2 to launch in June with US$449.99 price tag

Games in April: RPGs, racing and Ronaldo in a fighting game

Money

Money

Wall Street equity indexes close higher after US-China tariff truce

Giant deal: Malaysian company to acquire Cold Storage and Giant supermarket chains in Singapore

Newly MOP-ed 3-room HDB flat in Bedok sold for record $730k

Ang Mo Kio's most expensive 5-room HDB flat sold for $1.5m, here's why

US climate pullback threatens planned debt-for-nature deals

This rare HDB maisonette in Queenstown just set a $1.51m record: Here's why

HDB BTO July 2025 review: Locations, resale, values, amenities and more

Selling your condo? This overlooked factor could quietly undercut your selling price

Using a personal loan for a used car purchase: What you need to know

6 prime HDB shophouses for sale at $73m in Singapore: A look inside the rare portfolio

Latest

Latest

4 dead, 17 missing as heavy rains soak southern China, triggering landslides

US and Iran to hold nuclear talks amid clashing red lines

Haiti calls for urgent regional gang-fighting support as US shies off funding

South Korea's defence ministry says no talks held with US on troop withdrawal

Russia says it downs at least 159 Ukrainian drones, fires Iskander missile

Japan minister wants rice on shelves for under 3,000 yen, Jiji reports

European leaders to ask EU for easier expulsion of foreign criminals

North Korea launches probe into accident during warship's launch

Covid shots should target newer strains of JN.1 variant in 2025-26 campaign, US FDA advisers say

In Case You Missed It

In Case You Missed It

No joke: Bangkok condo resident releases snakes in corridor to protest neighbour's noisy dog

'Only one chance at life': Chinese student, 18, misses exam to save classmate suffering heart attack

Baby suspected to have been eaten by monitor lizard in Thailand, only head found

'Dog will return soon': GE2025 independent candidate Jeremy Tan wants to contest again

Ong Ye Kung leads PAP team to victory while elder brother Howard Ong loses in Australia's election on the same day

Tan Kiat How weighs in on viral video of Gan Kim Yong being ignored by passers-by in Punggol

PSP's Tan Cheng Bock turns 85; SDP's Paul Tambyah joins celebration at Teban Gardens

PM Wong urges voters to 'choose leaders of good character' in PAP's first party political broadcast

It is 'important for Singapore's democracy' that WP wins more seats, says Pritam in election broadcast

This website is best viewed using the latest versions of web browsers.