[BreachExchange] Personal data of 2,400 MINDEF, SAF personnel potentially affected; 2 vendors hit by malware

Tue Dec 24 10:07:02 EST 2019

https://www.channelnewsasia.com/news/singapore/st-logistics-mindef-saf-2400-personal-data-breach-hmi-institute-12202786

SINGAPORE: The personal data of 2,400 Ministry of Defence (MINDEF) and
Singapore Armed Forces (SAF) personnel may be affected by a potential
ST Logistics personal data breach.

ST Logistics said in a media release on Saturday (Dec 21) that the
potential breach was a result of a recent series of email phishing
activities involving malicious malware sent to its employees’ email
accounts.

“This data, contained in working files residing in affected
workstations, may have been exfiltrated,” it added.

MINDEF said in a statement that preliminary investigations indicate
that the personal data could have been leaked.

The affected systems contained full names and NRIC numbers, and a
combination of contact numbers, email addresses or residential
addresses.

ST Logistics said that it had carried out “extensive forensic
investigations” into these activities through its own cyber security
team and with the support of external cyber security experts.

The company also added that it informed the Personal Data Protection
Commission (PDPC) and the Singapore Computer Emergency Response Team
(SingCERT) of the "possible breach" of personal data on Dec 16.

The company operates several logistics services, including an eMart
retail and equipping servicefor MINDEF and SAF personnel since 1999.

“In some instances, to ensure that these services are carried out
correctly, some personal data is utilised,” it said.

ST Logistics chief executive officer Loganathan Ramasamy said that the
company is committed to ensuring that all personal data in the
company’s possession is treated with “high standards of integrity”.

“We apologise sincerely for this incident and we owe this to our
customers and stakeholders to ensure their personal data is robustly
protected,” he added.

DATA OF 98,000 PERSONNEL IN AFFECTED HMI INSTITUTE SERVER

In a separate data incident, the HMI Institute of Health Sciences said
that it discovered a file server to be encrypted by ransomware on Dec
4.

The affected server, which primarily contained backup information, was
immediately taken offline and isolated from the Internet and internal
network, HMI Institute said in a media advisory on Saturday.

The institute added that its learning management system was not
impacted and that daily operations were “unaffected and continued as
usual”.

Preliminary investigations indicated that the likelihood of a data
leak to external parties was low, MINDEF said, adding that the
affected system contained personal data of 120,000 individuals.

This included the full names and NRIC numbers of about 98,000 MINDEF
and SAF personnel who previously attended a cardiopulmonary
resuscitation and automated external defibrillation (AED) course.

The HMI Institute has been contracted by the SAF to conduct CPR and
AED training for MINDEF and SAF personnel since 2016.

Data containing full names, NRIC numbers, contact numbers, email
addresses, dates of birth and residential addresses of other HMI
Institute customers was also affected.

A notification received by a full-time national serviceman on Dec 21, 2019.

Upon discovery of the incident, HMI Institute said it immediately
engaged a cybersecurity firm to conduct investigations.

The institute said the findings so far show that the likelihood of a
data leak was low and that the incident was a “random and
opportunistic attack” on the file server.

There was also no evidence that the information had been copied or
exported, the institute added.

“We take this incident very seriously and we deeply apologise to the
students and applicants affected for the inconvenience caused,” said
HMI Institute executive director Mr Tee Soo Kong.

Additional measures to fortify the institute’s systems against
increasingly sophisticated cyber intrusions have also been put in
place, he added.

HMI Institute said it has reported the incident to the PDPC and SingCert.

It is also currently completing the implementation of additional IT
security enhancement initiatives including the establishment of a
secured wide-area network and an enhanced cybersecurity protection
suite.

Affected students and applicants have been informed via multiple
communication channels including emails, letters and face-to-face
meetings.

Students and applicants may email or call the institute should they
have further enquiries regarding the incident, said the institute.

SECURITY OF SYSTEMS AN "IMPORTANT FACTOR"

MINDEF and the SAF said they take a serious view on the secure
handling of personal data by their vendors.

“The security of their IT systems is an important factor that will be
taken into account in the award of contracts,” MINDEF said.

MINDEF added that it is also engaging other vendors who hold
information of MINDEF and SAF personnel to strengthen the security of
their IT systems.

The PDPC is also conducting investigations into both cases, MINDEF said.

In response to the malware incidents, Defence Cyber Chief
Brigadier-General Mark Tan said: “The malware incidents affected the
IT systems of our vendors. Although MINDEF/SAF’s systems and
operations were not affected, the malware incidents in these vendor
companies may have compromised the confidentiality of our personnel’s
personal data."

He added that MINDEF and the SAF will review the cybersecurity
standards of their vendors to ensure that they are able to protect
their personnel’s personal data and information.

Affected personnel will be notified from Saturday, said MINDEF.