COI on SingHealth cyber attack

Cyber attack response delayed by disorganised interaction

Details of attack were lost due to use of different platforms like WhatsApp, e-mail

Mr Vivek Chudgar said that due to ad hoc communication, several details were missed and several dots were not connected.

To bolster their cyber defences, organisations should put in place a centralised incident management and tracking system that logs all incidents during a breach.

This was the recommendation made to a high-level Committee of Inquiry (COI) looking into June's SingHealth data breach. It found that disorganised communication contributed to a delay in mitigating actions during Singapore's worst cyber attack.

The use of different platforms like WhatsApp, Tigerconnect and e-mail to communicate also meant that valuable details about the attack were lost, a cyber-security expert told the panel.

Mr Vivek Chudgar, senior director of Mandiant Consulting, a unit of cyber-security company FireEye, said yesterday: "It is because that communication was ad hoc that several details were missed and several dots were not connected."

Hackers stole the personal data of 1.5 million patients and the outpatient prescription information of 160,000 people, including Prime Minister Lee Hsien Loong, during the attack.

The lack of a centralised communication platform meant that staff communicated in different ways.

In previous hearings, the COI heard from witnesses who said that, in addition to instant messaging platforms and e-mail, staff communicated important information pertaining to the attack in person and via telephone calls.

Mr Chudgar said: "Such an ad hoc approach leads to the loss of certain details that might not have been captured."

He added that communication problems also meant that important action items were not tracked and followed up on.

The COI has heard that several employees of Integrated Health Information Systems (IHiS), Singapore's central IT agency for the healthcare sector, discovered signs of a breach occurring in June, though no action was taken until the following month.

Organising the updates from staff would have gone "a long way" in helping with the response, said Mr Chudgar.

He added that an organisation the size of IHiS needs to have a way to capture and reference this information easily, as it would help with investigations and prevent similar incidents.

But Mr Chudgar, who was involved in the investigations of several cyber attacks - including 2016's Bangladesh Bank robbery where hackers fraudulently withdrew close to US$1 billion (S$1.4 billion) - commended the activity logs that IHiS had already put in place. "Frequently, when we investigate, such logs are missing," he said.


A version of this article appeared in the print edition of The Straits Times on November 14, 2018, with the headline Cyber attack response delayed by disorganised interaction.