Two staff members fired and five senior management executives fined over negligence that led to Singapore's biggest data breach
Last year's SingHealth data breach, which exposed the personal records of 1.5 million patients, has resulted in fines for five senior management figures, including CEO Bruce Liang, and the termination of two staff members' contracts at Integrated Health Information Systems (IHiS). IHiS is the entity responsible for developing and managing IT systems for public healthcare in Singapore, covering 46 institutions.
IHiS also reported that it has implemented 18 cybersecurity measures intended to improve the prevention of such incidents and to make its response more effective when data breaches do occur:
The Committee of Inquiry (COI) proceedings into the SingHealth cyberattack have highlighted important learnings about the threat actors in the evolving cybersecurity landscape, as well as many critical areas of improvement for IHiS. We are determined to strengthen our organisational structure and processes, increase oversight on compliance, and close the gap between policy and practice.
The two dismissed employees, the Team Lead of the Citrix Team and a Security Incident Response Manager, were accused of negligence and of a failure to act that contributed to the scale of the data breach. Additionally, while the Citrix Team Lead possessed the technical knowledge, he showed a poor attitude towards security, failed to manage the affected servers correctly and did not escalate the issue to the CSA, despite warnings from his staff.
The incident was entirely avoidable
The Ministry of Communications and Information published a 454-page report on 10 January 2019 outlining 16 recommendations arising from the attack. It was based on the testimonies of Singapore's Cyber Security Agency (CSA) and the organizations involved, including SingHealth and IHiS.
The incident was attributed to a vulnerability in the network that the attackers managed to exploit. SingHealth's network and databases were also reported to have several weaknesses and misconfigurations. More precisely, the flaw lay in the connectivity between the Citrix servers and the SCM database, which was used by several administrative tools deemed to be unnecessary. According to the report, had these applications been configured correctly, the entire incident could have been avoided.
Finally, the report also found a coding vulnerability in the SCM application that explained why the attackers were able to access the database so easily. Furthermore, admin-level access was not protected by two-factor authentication.
Fines were issued to both SingHealth and IHiS
The Personal Data Protection Commission (PDPC), the authority that administers the Personal Data Protection Act in Singapore, fined IHiS S$750,000, while SingHealth must pay S$250,000 within 30 days. In its official media release, PDPC states that IHiS had “failed to take adequate security measures to protect the personal data in its possession.”
SingHealth's personnel were accused of failing to understand the severity of the consequences of mishandling personal information collected from its customers. According to PDPC, SingHealth was also unfamiliar with incident response processes and was “overly dependent on IHiS.”
PDPC stated that these fines are the “highest ever” it has imposed, owing to the severity of the breach:
These financial penalties are the highest ever imposed by PDPC to-date. PDPC took into account the fact that the data breach was the largest breach that Singapore has ever experienced, as well as the sensitive and confidential nature of the patients’ data.
SingHealth's data breach was the biggest in Singapore's history: the attackers accessed the names, addresses, dates of birth, NRIC numbers and other sensitive data of 1.5 million patients. Additionally, the medical records of 160,000 people were leaked, including those of Prime Minister Lee Hsien Loong.