The largest data breach in Singapore to date: Singapore Health Services Pte. Ltd. & Ors. [2019] SGPDPC 3
By Jonathan Liang (Ella Cheong LLC)
In what was described as “the worst breach of personal data in Singapore’s history”, the personal data of 1,495,364 patients were accessed and copied from Singapore Health Services Pte Ltd.’s (“SingHealth”) electronic medical record database (“SCM Database”) and exfiltrated to overseas servers.
Based on forensic investigations, the attacker first infected a user’s workstation through what was likely an email phishing attack. The attacker then used customised malware to gain remote access to other workstations. Through these workstations, the attacker obtained access to 2 dormant user accounts with administrative privileges. From there, the attacker accessed servers located at Singapore General Hospital (“SGH”), which gave the attacker a direct route to SingHealth’s SCM Database. Exploiting an inherent coding vulnerability in the SCM client application, the attacker retrieved login credentials for the SCM Database. From 27 June 2018 to 4 July 2018, the attacker ran numerous bulk queries on the SCM Database from the compromised servers at SGH, resulting in the unauthorised disclosure and transfer of patients’ personal data, including names, NRIC numbers, addresses, gender, race, and dates of birth. Of the 1,495,364 patients affected, 159,000 also had their outpatient dispensed medication records accessed and copied.
In view of the severity of the breach, the Personal Data Protection Commission (“PDPC”) imposed a financial penalty of S$250,000 against SingHealth and S$750,000 against SingHealth’s data intermediary, Integrated Health Information Systems Pte Ltd (“IHiS”). If not for several mitigating factors, one of which is discussed below, the Deputy Commissioner would have imposed the maximum penalty allowed under the Personal Data Protection Act (“PDPA”) (i.e. S$1,000,000) against IHiS and a “significantly higher quantum” against SingHealth.
Here are 5 things to note:
1. Organisations should ensure adequate resources are allocated to protect personal data
The PDPC found that SingHealth’s “organisational arrangement failed to meet the reasonable standards expected of an organisation of SingHealth’s size”, even though the breach could, at one level, be attributed to the failure of SingHealth’s Cluster Information Security Officer (“CISO”) to comply with SingHealth’s standard operating procedures (“SOP”).
Although SingHealth is a “cluster” of 11 public healthcare institutions, with a collective size of around 30,000 employees, 400-odd IT systems and 350-500 IT projects, SingHealth designated only 1 staff member (i.e. the CISO) to oversee a portfolio specific to security. Further, since all Singapore public healthcare institutions’ IT functions and capabilities must be centralised in IHiS, the CISO had to rely solely on IHiS for oversight of cybersecurity incidents.
As such, the PDPC found that the CISO “did not have the resources or the technical and IT security expertise for him to properly fulfil his functions” and that his failure to comply with the SOP was “emblematic of the inadequacy of the security arrangements”.
2. As digitisation increases, organisations should pay more attention to technical measures
The PDPC found that the attacker exploited several insufficiencies with regard to IHiS’s technical measures:
a) Though the public healthcare sector policy (“IT-SPS”) mandated that administrator accounts have 15-character passwords, to be changed every 3 to 6 months, the hacked accounts had “an easily deduced password (“P@ssw0rd”) with only eight characters”. The password had also not been changed since 2012.
b) The attacker managed to obtain the password of another local administrator account which was stored on one of SGH’s servers in clear text, despite the fact that under the IT-SPS, passwords should be encrypted, prompted or hashed.
c) The attacker gained access to dormant administrator accounts, which should have been detected and disabled.
d) The connection between the SGH server and the SCM Database should have been protected and the servers should have been placed behind a firewall.
e) Vulnerabilities in the IT systems identified pursuant to an audit should have been remediated promptly, and the remediation verified.
The PDPC also suggested that implementing database access monitoring for possible unauthorised access or disclosure, suspicious bulk querying behaviour, or queries from illegitimate client applications, may go some way towards showing that reasonable security measures have been put in place, especially if the organisation holds a large amount of personal data.
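The kind of database access monitoring the PDPC describes, as an added illustration that is not code from the PDPC decision, IHiS or SingHealth: a small Python monitor over a constructed audit log that flags access from a client application other than the sanctioned one, a burst of failed logins (the signal that went unescalated in point 3 below), a single query returning an implausible number of rows, and many modest queries that together drain the table within an hour. The log format, account and host names, the client name “SCM Client” and every threshold are assumptions for illustration only.

```python
# Added example: database access monitoring of the kind the PDPC suggested.
# Illustrative code only, not IHiS's or SingHealth's tooling. The log format,
# account and host names, client application name and thresholds are assumed.
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds (assumed; tune to the real query profile of the application)
BULK_ROWS_PER_QUERY = 10_000                 # one query returning more rows than clinical use needs
BULK_ROWS_PER_HOUR = 50_000                  # rows returned to one account in a rolling hour
FAILED_LOGIN_COUNT = 5                       # failed logins within FAILED_LOGIN_WINDOW to alert on
FAILED_LOGIN_WINDOW = timedelta(minutes=10)
ALLOWED_CLIENTS = {"SCM Client"}             # hypothetical name of the sanctioned client application

# Constructed sample audit log (not real SingHealth data).
# Fields: timestamp|account|client_application|source_host|event|rows_returned
SAMPLE_LOG = """\
2018-06-27T02:10:05|scm_app|sqlcmd|sgh-srv-07|LOGIN_FAIL|0
2018-06-27T02:10:09|scm_app|sqlcmd|sgh-srv-07|LOGIN_FAIL|0
2018-06-27T02:10:14|scm_app|sqlcmd|sgh-srv-07|LOGIN_FAIL|0
2018-06-27T02:10:21|scm_app|sqlcmd|sgh-srv-07|LOGIN_FAIL|0
2018-06-27T02:10:30|scm_app|sqlcmd|sgh-srv-07|LOGIN_FAIL|0
2018-06-27T09:15:00|dr_tan|SCM Client|ws-clinic-12|LOGIN_OK|0
2018-06-27T09:15:04|dr_tan|SCM Client|ws-clinic-12|QUERY|1
2018-06-27T09:20:11|dr_tan|SCM Client|ws-clinic-12|QUERY|1
2018-06-27T23:41:02|scm_app|sqlcmd|sgh-srv-07|LOGIN_OK|0
2018-06-27T23:41:30|scm_app|sqlcmd|sgh-srv-07|QUERY|9000
2018-06-27T23:45:12|scm_app|sqlcmd|sgh-srv-07|QUERY|9000
2018-06-27T23:52:40|scm_app|sqlcmd|sgh-srv-07|QUERY|9000
2018-06-28T00:03:05|scm_app|sqlcmd|sgh-srv-07|QUERY|9000
2018-06-28T00:10:55|scm_app|sqlcmd|sgh-srv-07|QUERY|9000
2018-06-28T00:18:19|scm_app|sqlcmd|sgh-srv-07|QUERY|9000
2018-06-28T00:30:00|scm_app|sqlcmd|sgh-srv-07|QUERY|120000
"""


def parse_line(line):
    """Split one audit record into a dict with typed fields."""
    ts, user, client, host, event, rows = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "user": user, "client": client,
            "host": host, "event": event, "rows": int(rows)}


def detect(log_text):
    """Return a list of (rule, account, host, detail) alerts, in log order."""
    alerts = []
    seen_clients = set()                      # (account, host, client) already reported
    failures = defaultdict(deque)             # account -> timestamps of recent failed logins
    rows_in_window = defaultdict(deque)       # account -> (timestamp, rows) within the last hour

    for raw in log_text.strip().splitlines():
        rec = parse_line(raw)
        user, host, ts = rec["user"], rec["host"], rec["ts"]

        # Rule 1: any access from a client other than the sanctioned application,
        # reported once per account/host/client so a long session does not flood the queue.
        key = (user, host, rec["client"])
        if rec["client"] not in ALLOWED_CLIENTS and key not in seen_clients:
            seen_clients.add(key)
            alerts.append(("illegitimate_client", user, host, rec["client"]))

        # Rule 2: a burst of failed logins within a short window (fires once, at the Nth failure).
        if rec["event"] == "LOGIN_FAIL":
            q = failures[user]
            q.append(ts)
            while q and ts - q[0] > FAILED_LOGIN_WINDOW:
                q.popleft()
            if len(q) == FAILED_LOGIN_COUNT:
                alerts.append(("failed_login_burst", user, host,
                               f"{len(q)} failed logins within {FAILED_LOGIN_WINDOW}"))
            continue

        if rec["event"] != "QUERY":
            continue

        # Rule 3: a single query returning far more rows than a clinical lookup would.
        if rec["rows"] > BULK_ROWS_PER_QUERY:
            alerts.append(("bulk_query", user, host, f"{rec['rows']} rows in one query"))

        # Rule 4: many modest queries that together drain the table ("low and slow").
        q = rows_in_window[user]
        q.append((ts, rec["rows"]))
        while q and ts - q[0][0] > timedelta(hours=1):
            q.popleft()
        total = sum(r for _, r in q)
        if total > BULK_ROWS_PER_HOUR:
            alerts.append(("bulk_query_hourly", user, host, f"{total} rows in the last hour"))
            q.clear()                         # report each extraction run once
    return alerts


if __name__ == "__main__":
    for rule, user, host, detail in detect(SAMPLE_LOG):
        print(f"{rule:20} {user:10} {host:12} {detail}")
```

Run against the constructed log, the clinician’s two single-row lookups through the sanctioned client produce nothing, while the service account driven from a command-line client on the server raises alerts for the unsanctioned client, the failed-login burst, the cumulative hourly volume and the final oversized query. Rule 4 is the one that matters most for a patient actor: an attacker who keeps each query under the per-query limit still trips the rolling-hour total.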
3. Organisations should ensure that their employees understand their data protection SOPs
The PDPC noted that when the Security Incident Response Manager (“Manager”) of IHiS was alerted to multiple failed login attempts to the SCM Database, the Manager did not escalate the matter or take further action because he was “labouring under the misapprehension that a cybersecurity incident should only be escalated when it is ‘confirmed’”. The PDPC thus found that IHiS did not take adequate steps to ensure that its staff fully understood and internalised IHiS’ reporting policies.
4. Organisations may rely on the expertise of software service providers
Although IHiS had not installed a Microsoft Office patch on the workstation through which the attacker gained access, the PDPC was willing to accept that, if Microsoft did not categorise the patch as “Critical”, it would be reasonable for IHiS not to apply the patch outside its usual patching cycle.
Similarly, the PDPC found it reasonable for IHiS to assume that the developer of the SCM application, having been informed of the coding vulnerabilities, would have issued a patch as part of its regular technical support if it had verified that there was indeed a coding vulnerability. Therefore, it was reasonable for IHiS not to have remedied the coding vulnerability.
5. The skill and sophistication of the attacker can be a mitigating factor
The PDPC took into account the fact that the breach was carried out by a “skilled and sophisticated” attacker, demonstrating a level of discipline and planning that was “characteristic of an APT [advanced persistent threat] actor”. In particular, the attacker took active steps to remain undetected while conducting lateral movement and reconnaissance, using highly customised malware that could not be detected by standard anti-malware solutions, and employing numerous customised and modified open-source scripts and tools. The PDPC noted that both SingHealth and IHiS were “victims” of a skilled threat actor who used “advanced methods that overcame enterprise security measures”.
As strikingly demonstrated by this major case, personal data breaches can attract severe consequences. Businesses are therefore strongly encouraged to review their data protection processes and policies, to ensure that reasonable measures are being taken to safeguard the personal data under their possession and/or control, especially in this digital age.
Meanwhile, if you have any questions on the above, or would like to know how your business can exploit its intellectual assets in Singapore, please contact Mr. Jonathan Liang or your usual contact. For similar updates, please visit www.ellacheong.asia.