SAF sorry for recruit data leak

IC numbers and photos of graduating batch published online by mistake; info removed

The identity card numbers and photos of a batch of Singapore Armed Forces (SAF) recruits were published online by mistake last Saturday before the authorities realised the error and removed the information the next day.

In a statement, Basic Military Training Centre (BMTC) commander Desmond Yeo apologised for the blunder, adding that no other personal data was released.

He did not specify how many recruits were affected, but there are typically about 3,000 enlistees in one cohort.

The training centre had uploaded pictures taken at the recruits' graduation ceremony to Facebook. But it also included a link that displayed the soldiers' identity card numbers together with their portraits.

Colonel Yeo said that BMTC "recognises that making available our recruits' portraits, labelled together with their NRIC numbers on a platform accessible to the general public, was an oversight".

He added: "We apologise for the mistake."

CORRECTIVE ACTION

BMTC immediately removed the link to the portraits by noon the following day, when the oversight was realised. We are reviewing our procedures to prevent a similar recurrence.

BASIC MILITARY TRAINING CENTRE (BMTC) COMMANDER DESMOND YEO

VALUABLE DATA

This stolen information is often used in further attacks... For example, hackers may use the identity card data to lure unsuspecting victims into personalised attack campaigns, obtaining more information like banking details, which can then be used in malicious ways.

MR NICK SAVVIDES, a security advocate for Asia-Pacific and Japan at cyber security software firm Symantec.

Col Yeo explained that portraits of recruits are usually uploaded online so that they can share them with their families and friends. A recruit's photo is usually manually labelled with his platoon, section, and bed number.

But for the latest graduating cohort, the labelling was automated by scanning the recruits' SAF identity cards so as to speed up the process. This process labelled the photos by the identity card numbers.

"BMTC immediately removed the link to the portraits by noon the following day, when the oversight was realised. We are reviewing our procedures to prevent a similar recurrence," Col Yeo said.

Last month, the Ministry of Defence disclosed that the personal details of 850 national servicemen and its staff had been stolen in what it described as a "targeted and carefully planned" cyber attack.

Identity card numbers are highly valuable to cyber criminals, said Mr Nick Savvides, a security advocate for Asia-Pacific and Japan at cyber security software firm Symantec.

This is because such personal details - known as "non-perishable information" - do not expire and cannot be changed, unlike other types of data such as credit card numbers.

That is why stolen credit card details can fetch between 10 US cents and US$20 (S$28) on the black market, while "non-perishable information" costs an average of US$50, Mr Savvides added.

"This stolen information is often used in further attacks... For example, hackers may use the identity card data to lure unsuspecting victims into personalised attack campaigns, obtaining more information like banking details, which can then be used in malicious ways," he said.

A version of this article appeared in the print edition of The Straits Times on March 17, 2017, with the headline 'SAF sorry for recruit data leak'. Print Edition | Subscribe