An investigation into the July data breach incident at Singapore’s largest healthcare provider has revealed that local administrators made several critical mistakes that led to the breach, including the use of weak passwords and unpatched software.

According to the initial press release announcing the breach, “It was not the work of casual hackers or criminal gangs. The stolen data included name, NRIC (National Registration Identity Card) number, address, gender, race and date of birth. Investigators said the records were not tampered with or deleted. However, experts warned that the data could end up on the dark web, where criminals could offer to buy it to conduct extortion attempts.

A team set up to probe the breach – which compromised 1.5 million patient records, including the Singapore Prime Minister’s – has now revealed how hackers were able to infiltrate the SingHealth network and perform their actions.

Investigators noted that the breach resembled an advanced persistent threat (APT) attack and involved sophisticated tools, including custom malware designed specifically to penetrate SingHealth’s infrastructure. Hackers took advantage of unpatched endpoints and other vulnerable solutions employed by the healthcare unit, and also capitalized on the use of an extremely weak administrator “p@ssword.”

“This provided the hackers access into SingHealth’s network as early as August 2017, distributing malware and infecting other workstations after the initial breach,” ZDNet quotes an investigator as saying.

Furthermore, administrators failed to notify senior management (including SingHealth’s CIO) until almost a week later. All in all, SingHealth alone is now to blame for the breach. It remains to be seen what penalties will ensue under the country’s data protection laws, but it seems clear SingHealth will not walk away unscathed from this massive blunder.