Personal data of 2,400 Mindef, SAF staff may have been leaked

Two vendors - ST Logistics and HMI Institute - hit by malware attacks in unrelated incidents

The personal data of 2,400 Ministry of Defence (Mindef) and Singapore Armed Forces (SAF) staff may have been leaked as a result of e-mail phishing involving malware.

The data leak occurred at a privately owned vendor of SAF and Mindef, ST Logistics, which is contracted to provide third-party logistics services such as eMart retail and equipping services for the SAF.

The data included the full names and NRIC numbers, and a combination of contact numbers, e-mail or residential addresses, Mindef said in a statement yesterday.

The breach was a result of phishing e-mails sent to its employees' e-mail accounts, ST Logistics said yesterday. No details were given on when the phishing had occurred or for how long.

In another unrelated incident affecting another SAF vendor, a healthcare training provider's server containing the data of 120,000 individuals, including 98,000 SAF servicemen, was found to have been infected by ransomware on Dec 4.

The training provider, HMI Institute of Health Sciences, hired a cyber security firm to conduct investigations and concluded that the incident was a random and opportunistic attack on the server and there was no evidence that the data was copied or exported.

There is a low likelihood of a data leak, the company said in a statement yesterday.

HMI Institute is a private provider of healthcare training and has been contracted by the SAF since 2016.

The data in the affected server included personal information of students and applicants, such as full names, NRIC numbers, dates of birth, home addresses and e-mail addresses.

The 98,000 SAF servicemen affected had attended cardiopulmonary resuscitation and automated external defibrillation courses conducted by the institute.

Both vendors apologised for the malware incidents.

ST Logistics chief executive Loganathan Ramasamy said: "ST Logistics is committed to ensure that all personal data in our possession is treated with high standards of integrity. We apologise sincerely for this incident and we owe this to our customers and stakeholders to ensure their personal data is robustly protected."

HMI Institute said that it had informed the people affected directly but decided to make an announcement as well, to alert all its students and applicants to be vigilant.

Its executive director, Mr Tee Soo Kong, said that the institute had put in place additional fortifications in their systems.

Both incidents have been reported to the Personal Data Protection Commission and the Singapore Computer Emergency Response Team.

Mindef and SAF are working with both vendors to investigate the impact of the malware incidents and the potential disclosure of personal data.

"Mindef and the SAF take a serious view on the secure handling of personal data by our vendors.

"The security of their IT systems is an important factor that will be taken into account in the award of contracts," the ministry said.

Brigadier-General Mark Tan, the defence cyber chief, said: "The malware incidents affected the IT systems of our vendors.

"Although Mindef and SAF's systems and operations were not affected, the malware incidents in these vendor companies may have compromised the confidentiality of our personnel's personal data.

"We will review the cyber security standards of our vendors to ensure that they are able to protect our personnel's personal data and information."

Affected Mindef and SAF staff are being notified, Mindef added.


A version of this article appeared in the print edition of The Sunday Times on December 22, 2019, with the headline Personal data of 2,400 Mindef, SAF staff may have been leaked.