2 vendors for Mindef, SAF hit by malware; personal data of 2,400 staff could have been leaked

The data in the affected server totals approximately 120,000 individuals.

SINGAPORE - The personal data of 2,400 Ministry of Defence (Mindef) and Singapore Armed Forces (SAF) personnel may have been leaked through an e-mail phishing attack involving malware.

The data leak occurred at a privately owned vendor of SAF and Mindef, ST Logistics, which is contracted to provide third-party logistics services such as eMart retail and equipping services for the SAF. The data included the full names and NRIC numbers, and a combination of contact numbers, e-mail addresses or residential addresses, Mindef said in a statement on Saturday (Dec 21).

The breach was a result of e-mail phishing activities targeting its employees' e-mail accounts, ST Logistics said on Saturday. No details were given on when the phishing had occurred or for how long.

In a separate, unrelated incident affecting another SAF vendor, a healthcare training provider's server containing the data of 120,000 individuals, including 98,000 SAF servicemen, was found to have been infected by ransomware on Dec 4.

The training provider, HMI Institute of Health Sciences, hired a cyber-security firm to conduct investigations and concluded that the incident was a random and opportunistic attack on the server and there was no evidence that the data was copied or exported. There is a low likelihood of a data leak, the company said in a statement on Saturday. 

HMI Institute is a private provider of healthcare training and has been contracted by the SAF since 2016.

The data in the affected server included personal information of students and applicants, such as full names, NRIC numbers, dates of birth, home addresses and e-mail addresses. The 98,000 SAF servicemen affected had attended cardiopulmonary resuscitation and automated external defibrillation courses conducted by the institute.

Both vendors apologised for the malware incidents.

"ST Logistics is committed to ensure that all personal data in our possession is treated with high standards of integrity. We apologise sincerely for this incident and we owe this to our customers and stakeholders to ensure their personal data is robustly protected," said ST Logistics chief executive officer Loganathan Ramasamy.

HMI Institute of Health Sciences said it had informed the people affected directly but decided to make an announcement as well, to alert all its students and applicants to be vigilant.

The firm's executive director, Mr Tee Soo Kong, said they had put in place additional fortifications in their systems.



Both incidents have been reported to the Personal Data Protection Commission (PDPC) and the Singapore Computer Emergency Response Team.

The PDPC is investigating both incidents.

Mindef and SAF are working with both vendors to investigate the impact of the malware incidents and the potential disclosure of personal data.

"Mindef and the SAF take a serious view on the secure handling of personal data by our vendors. The security of their IT systems is an important factor that will be taken into account in the award of contracts," the ministry said.

Defence Cyber Chief Brigadier-General Mark Tan said: "The malware incidents affected the IT systems of our vendors. Although Mindef/SAF's systems and operations were not affected, the malware incidents in these vendor companies may have compromised the confidentiality of our personnel's personal data. We will review the cyber-security standards of our vendors to ensure that they are able to protect our personnel's personal data and information."

Affected Mindef and SAF personnel are being notified from Saturday, Mindef added.