It’s not if, but when. Those in cybersecurity circles will understand this. As much as you want to prevent successful cybersecurity attacks, breaches will happen. How are you going to respond? How well did the Singapore government handle the massive SingHealth data breach?

The SingHealth data breach, announced yesterday in a multi-ministry press conference, involved personal information of 1.5 million patients, and among them 160K also had their dispensed medication records stolen.

This is the largest ever data breach in Singapore, and it is particularly sensitive considering that it happened in a healthcare organisation, which is also largest national healthcare group in Singapore.

Cybersecurity breaches happen. In this case, I’m a bit alarmed and disappointed about how the Singapore government dealt with the matter.

The first hint of trouble came on 4th July. According to the Ministry of Health’s press release, IHiS (our national Integrated Health Information System) observed anomalies in SingHealth’s IT databases, halted those activities, and put in place additional cybersecurity precautions. They kept mum on that embarrassing incident, until eventually 6 days later on 10th July, confirmed and informed the Ministry of Health, SingHealth, and the Cyber Security Agency of the cyberattack. It was another two days later, on 12th July, that SingHealth reported the matter to the police. This is all according to the Ministry of Health.

So by the Ministry of Health’s own version of the timeline, they knew of the cyberattack on 10th July. The public, however, was only informed yesterday, a whole 10 days later. Okay, this is definitely a remarkable improvement from the ministry’s handling of the Hepatitis C outbreak back in 2015, in which (according to the ministry) they became aware of the situation in late August 2015, but the public announcement only happened on 6 October.

The whole 10 days wait this time isn’t great at all. I can understand the need for the ministry to conduct their own investigations, and subsequently to figure out what to do. I can’t help to wonder if perhaps all the delay came about because the Ministry of Health felt it necessary to develop a website, SMS system, and provide updates through their mobile web app, before going public.

I also cannot understand why, in their press release, the Ministry of Health felt it pertinent to draw specific attention to the fact that Prime MInister Lee Hsien Loong’s personal particulars, as well as information on his dispensed medication, were also affected. Is this a vain attempt to tell us ordinary citizens that even the Prime Minister was not spared in this breach, and so perhaps we peons should just not kick a fuss about the whole episode?

How timely, if you think about it, that the Prime Minister also posted on Facebook to downplay the purported specific and repeated targeted attack on his data.

The biggest disappointment to me is the CSA chief executive David Koh’s remark that the stolen data has no strong commercial value. Excuse me, no strong commercial value? I think many others, not just me, will beg to disagree.

Let’s just remind ourselves again exactly what personal data was stolen:

Name

NRIC number

Address

Gender

Race

Date of birth

This will very clearly fall under the PDPC’s definition of personal data. I can see how much of a treasure trove this 1.5 million records will be to telemarketers. The 160K dispensed medication records also provide more information, including embarrassing medical conditions or long-term ailments the individuals may have.

This is the CEO of the national cybersecurity agency who says these personal data is just “basic demographic data”. This is not basic demographic data at all. Can Mr Koh give me his full name, NRIC, address, and date of birth, since they are just basic demographic data?

One should also remember that NRIC is an excellent “record identifier” that allows this set of records to be easily and reliably merged with data from other sources. Perhaps there is another data set that contains NRIC and some financial information (e.g. credit card numbers, or EZ-Link card numbers, etc), which on their own might not be easy to capitalise on. But now, SingHealth’s stolen data provides very useful missing bits: name, address, and date of birth.

Does CSA not understand that the stolen data already allows malicious users to get past some “telephone verification questions”? That just within the stolen data set one can possibly also determine family members? On this note, I think businesses need to rethink how they “verify” their customers. Some, like telcos, are quite happy to just ask for NRIC, address, and date of birth. All, very conveniently, provided in this SingHealth breach.

The government had a whole 10 days to figure out what to do, what to say. I’m somewhat alarmed at how the multi-ministry response seems focused on downplaying the data breach. Apart from learning to improve our cybersecurity from this incident, we should also learn how to improve our incident handling response.