Passwords and usernames of staff from MOH, MOE and other agencies stolen and put up for sale by hackers

Group-IB revealed that it discovered the user log-ins and passwords from several government organisations on the dark Web over the last two years. PHOTO: REUTERS

SINGAPORE - E-mail log-in information of employees in several government agencies and educational institutions, as well as details of more than 19,000 compromised payment cards from banks here, have been put up for sale online by hackers.

Russian cyber-security company Group-IB revealed on Tuesday (March 19) that it discovered the user log-ins and passwords from several government organisations on the dark Web over the last two years. The compromised payment card information, which it said was valued at more than $600,000, was found last year.

According to a press release from Group-IB, the organisations involved include the Government Technology Agency (GovTech), Ministry of Education, Ministry of Health and the Singapore Police Force, as well as the National University of Singapore.

A Smart Nation and Digital Government Group spokesman told The Straits Times that GovTech was alerted to the presence of e-mail credentials in illegal data banks in January this year.

The spokesman said: "These credentials comprise e-mail addresses and passwords provided by individuals. Around 50,000 of these are government e-mail addresses. They are either outdated or bogus addresses, except for 119 of them which are still being used.

"As an immediate precautionary measure, all officers with affected credentials have changed their passwords. There are no other information fields exposed apart from the e-mail address and password."

He added that the credentials were leaked not from government systems, but from the use of these government e-mail addresses for the officers' personal and non-official purposes.

The Straits Times understands this covers online services, and could include sign-ups for events, marketing promotions or games like Pokemon Go.

"Officers have been reminded not to use government e-mail addresses for such purposes, as part of basic cyber hygiene," he said.

In response to Group-IB's release, a police spokesman said that based on a review of the credentials, no user information and passwords used for gaining access into police systems were compromised.

He said: "Only the user information and password of one employee from the POLWEL Co-operative Society Limited was affected, and his account has been disabled. POLWEL's computers are not linked to Police's systems."

Group-IB's Vice-President of International Business Nicholas Palmer told ST a majority of the 19,000 compromised payment card details included raw data like the card's number, cardholder name, expiry date and CVV code.

A Monetary Authority of Singapore (MAS) spokesman also said on Thursday that its security vendors have reported a spike in data theft overseas.

"MAS has been monitoring cyber intelligence, including those related to payment card security, as part of our surveillance," the spokesman said. "We note that security vendors have reported a rise in incidents of data theft internationally, including loss of card details from compromised merchants' Point-of-Sales systems and e-commerce websites."

The stolen information, according to Group-IB, was put up on the dark web - a part of the Internet where illegal activities are conducted and can only be accessed using special software.

Mr Dmitry Volkov, the chief technology officer and head of threat intelligence at Group-IB, said the compromised credentials could be used for cyber crime and spying.

"Users' accounts from government resources are either sold in underground forums or used in targeted attacks on government agencies for the purpose of espionage or sabotage," he said.

"Even one compromised account, unless detected at the right time, can lead to the disruption of internal operations or leak of government secrets."

Group-IB also said that Singapore is "drawing more and more attention" from financially motivated hackers every year. According to its data, compared to 2017, the number of leaked cards went up last year by 56 per cent.

The discovery comes after a string of breaches and cyber attacks in the public and private sectors.

Last June, the personal data of 1.5 million patients of healthcare cluster SingHealth, including Prime Minister Lee Hsien Loong, was stolen in the country's worst cyber attack.

Other breaches included the illegal access of 72 HealthHub accounts last October, the online leak of personal information of 14,200 patients from the HIV Registry and improper handling of data belonging to more than 800,000 blood donors by a vendor last week.

Earlier this month, The Straits Times reported that insurance company AIA was checking all its systems after one of its Web portals, which contained the personal information of more than 200 people, was found to be publicly accessible.

Join ST's WhatsApp Channel and get the latest news and must-reads.