Singapore’s worst cyber attack to date

July 24, 2018

You might have already read about it. A multi-ministry press conference was held on the afternoon of 20 July 2018 to announce it.

1.5 million patients’ non-medical personal data was taken, including their name, address, gender, race, date of birth, and National Registration Identity Card number. Of these patients, about 160,000, including Singapore’s Prime Minister Lee Hsien Loong, also had outpatient dispensed medicines information taken.

According to a joint press release by the Ministry of Communications and Information and Ministry of Health, the attack was deliberate, targeted and carefully planned, and not the work of casual hackers or criminal gangs. The attackers specifically and repeatedly targeted the Prime Minister’s personal particulars and outpatient medication data.

No patient records were amended or deleted, and no other patient records involving diagnosis, test results or doctors’ notes were breached. A scan of all government systems was also performed, which revealed no evidence of compromise.

Cybersecurity experts interviewed by local media said that the attack was likely to be state-organised or sponsored, and that only a few countries, such as China, Russia and the United States, would have been able to carry out such a sophisticated attack.

What’s next? A Committee of Inquiry (COI) has been convened to inquire into the events and contributory factors leading to the cyber attack. Among other things, the COI will look at incident response, and recommend measures to better manage and secure public sector IT systems against similar cyber attacks.

The COI is to submit a report of its proceedings, findings and recommendations to the Minister-in-Charge of Cybersecurity by 31 December 2018. This is not unexpected, given the severity of the incident and the urgent need for a holistic re-examination of all government systems based on the COI’s findings. Additional pressure will come from having to pause the roll-out of all new government IT systems while the government reviews its cybersecurity measures.