Personal data of 850 national servicemen and Mindef staff stolen in targeted cyber attack

Security experts said the attack could have been state sponsored.
Security experts said the attack could have been state sponsored.PHOTO: ST FILE

SINGAPORE - The personal details of 850 national servicemen and staff at the Ministry of Defence (Mindef) were stolen in what Mindef has described as a"targeted and carefully planned" cyber attack.

The breach of Mindef's I-net system was discovered in early February. The I-net system provides Internet access to national servicemen and employees for their personal communications and Internet surfing via thousands of dedicated computer terminals in Mindef, as well as in Singapore Armed Forces (SAF) camps and premises. No classified military information is stored on I-net.

Mindef said this was the first time that the I-net system was breached, resulting in the loss of the 850 personnel's NRIC numbers, telephone numbers and birth dates. The attack was executed remotely over the Internet.

Mindef said in a media briefing on Tuesday (Feb 28): "The real purpose may have been to gain access to official secrets, but this was prevented by the physical separation of I-net from our internal systems."

Mr David Koh, Mindef's deputy secretary of technology, said: "The attack did not come from camps or internal systems. Neither was it the work of causal hackers or criminal gangs."

Security experts said the attack could have been state sponsored.

Mr Aloysius Cheang, executive vice-president of global computing security association Cloud Security Alliance, said: "It is common for states to sponsor such attacks to access other countries' infrastructure, and build a portfolio of information that can be used to their advantage."

Upon detecting the attack, Mindef disconnected the affected server from I-net, but it allowed I-net to continue to provide Internet access. Mr Koh said the hacker exploited vulnerabilities in the server and the vulnerabilities have been plugged.

He added: "Mindef adopts a multilayer approach to security. The attacker only breached the outer layer but did not go deeper into classified systems." Classified and military data, and internal e-mail applications reside in a different system that is not connected to the Internet.

Asked why the breach was not announced earlier, Mindef said it had to conduct an investigation before going public with the cyber attack.

Mindef said it conducted detailed forensic investigations into the entire I-net system to determine the extent of the breach. All other systems within Mindef and SAF are also being investigated.

While the outcome of the investigations is pending, Mindef said it will contact all affected personnel within the week. They will be advised to change their passwords and report any unusual activity related to the use of their personal information.

Mindef has also informed Singapore's Cyber Security Agency and the Government Technology Agency of Singapore to investigate other government systems. No breaches have been detected so far, Mindef said.

PwC Singapore's Asia Pacific Financial Crime and Cyber Leader Vincent Loy said that Mindef's policy to have separate networks for classified and non-classified information limited the impact of the attack.