Two officials were dismissed and a general manager was fined for massive data theft on the health system in Singapore
The Integrated Health Information Systems of
Singapore (IHIS) fired two managers, in addition to fine five high-level
employees, including Bruce Liang, CEO of the company, for their responsibility
in the SingHealth
system massive data breach the last year, as reported by network security
specialists from the International Institute of Cyber Security.
It is estimated that the incident affected
about 1.5 million people, nearly one-third of the total population in
Singapore. According to specialists in network
security, the attackers accessed to personal details such as:
- Patients’
full names - Dates
of birth - NRIC
(National Registration Identity Card) personal identification numbers - Ethnic
and racial details
In addition, details concerning the health of
over 150k patients (such as diagnoses or treatments) were also stolen; the
people affected by this incident include Lee Hsien Loong, Prime Minister of
Singapore.
The Singapore Ministries of Health and Communications
defined this incident as “a deliberate, well-defined and planned cyberattack
campaign”, although subsequent investigations by network security experts confirmed
that a human error was fundamental for this incident to materialize: “while
SingHealth implements the necessary technical controls, two high-level
employees turned out to be negligent in their work”.
The researchers criticized the poor server
configuration of Lum Yuan Woh, the leader of the Citrix team, as they
considered that “unnecessary risks were introduced to the system”. On the other
hand, Ernest Tan, SingHealth Incident Response Team Manager, was criticized for
“ignoring the due process of security incident notification”.
Another five senior employees were also
reported as responsible for data theft, but their mistakes were not considered
serious enough to warrant dismissal. Four of these employees were fined, while
the remaining employee was transferred to a position with lower
responsibilities.
According to the experts, SingHealth employees
committed three fundamental errors:
- They
were unable to install software patches on their systems, allowing attackers to
exploit an Office vulnerability and gain access to one of the employees’ PC - The
SingHealth team took at least a year to identify the data breach. Hackers
accessed the system for the first time in August 2017 and, over a year, managed
to distribute malware and infect other computers on the network without being
detected - Employees
used weak passwords (p@ssw0rd, for example). This is one of the
most serious errors that a sysadmin can commit, because the simple
configuration of a strong password can prevent multiple attacks
Unfortunately these problems are not unique to
the SingHealth team; human errors are one of the main causes of data breaches,
and all organizations must adopt the relevant policies to mitigate the risks
arising from these flaws.