SingHealth cyber breach

Shock, anger and worry about stolen data being misused

Names, IC numbers, addresses, gender, race and dates of birth were obtained in Singapore’s largest data breach from 1.5 million SingHealth patients, who expressed shock and anger.
Names, IC numbers, addresses, gender, race and dates of birth were obtained in Singapore’s largest data breach from 1.5 million SingHealth patients, who expressed shock and anger.ST PHOTO: ARIFFIN JAMAR

Victims of Singapore's largest data breach have expressed shock and anger, saying they are concerned that their personal information could be misused since it has fallen into wrong hands.

The personal data of 1.5 million patients of SingHealth was hacked last month with details such as names, IC numbers, addresses, gender, race and dates of birth compromised.

"It is very upsetting and the last thing anyone would want is for their personal information to be leaked out," said Nanyang Polytechnic adjunct lecturer Navin Nambiar, 37, whose 66-year-old mother had her personal and prescription information stolen. "You would think that our government databases would be secure... from such events."

The loss of IC numbers in particular worried a number of the affected users.

"These days, you can do much with your IC number. This creates a safety issue for the people affected," said pre-school teacher Koshala Devi, 26. "It is scary to know that my details are now potentially in the hands of strangers."

Cyber-security experts have warned that victims of the breach remain at risk even in the future, as the personal data which was compromised could be used in other targeted attacks later on.

"One of the biggest threats from a breach such as this is the possibility of targeted phishing attacks at a later date," said Mr Chris Boyd, lead intelligence analyst of security software firm Malwarebytes, referring to scams where users are tricked into revealing confidential data.

Cyber-security experts urged victims to keep an eye on financial transactions and bank statements, and to be wary of requests for other personal information that might come their way.

Personal healthcare information can be worth a lot more than financial data on the Dark Web or black market, said Ms Joanne Wong, senior regional director for Asia-Pacific and Japan at security intelligence company LogRhythm.

"It is not surprising that SingHealth would be targeted as they are the largest healthcare network in the country," she said.

"Information obtained can also be used to create fake identities to buy medical equipment or drugs. Espionage is also another possible motive, as hackers could use the data to interfere in international politics or affairs."

Among the victims were 160,000 outpatients whose prescription and medication information was breached in the attack.

"This information can be sold in the black market, but there are also other possibilities," said Mr Ondrej Kubovic, a security awareness specialist from cyber-security company ESET. "For example, high-profile records might be cherry-picked and sold or misused to extort or defame public figures."

Prime Minister Lee Hsien Loong's personal particulars were especially targeted in what Cyber Security Agency chief executive David Koh described as a deliberate, targeted and well-planned cyber attack.

• Additional reporting by Deepanraj Ganesan

 
A version of this article appeared in the print edition of The Straits Times on July 21, 2018, with the headline 'Shock, anger and worry about stolen data being misused'. Print Edition | Subscribe