Singapore Red Cross website hacked, over 4,200 affected

The names, contact numbers, e-mail addresses and declared blood types of potential blood donors were among the information that was compromised.
The names, contact numbers, e-mail addresses and declared blood types of potential blood donors were among the information that was compromised.PHOTO: SINGAPORE RED CROSS

Personal data such as phone number and blood type exposed; privacy watchdog probing breach

Singapore's privacy watchdog is investigating a breach of the Singapore Red Cross website which compromised the personal data of more than 4,200 people, including their full names, contact numbers and e-mail addresses.

In a statement yesterday, the Personal Data Protection Commission said it was notified of the breach, which was detected on May 8.

The Singapore Red Cross said "unauthorised access" was made to the part of its website that allows people interested in donating blood to sign up online.

Hackers had also gained access to potential donors' declared blood type, preferred date and time for an appointment as well as preferred location for donating blood.

The non-profit organisation did not say in its statement yesterday if any data was stolen by the hackers.

The breach was reported on May 8 to the police and the privacy watchdog, as well as to the Health Sciences Authority (HSA).

ST understands that the people affected were informed only yesterday, via e-mail and SMS. The Singapore Red Cross did so hours before releasing its statement.

Asked why they were not alerted earlier, a spokesman for the organisation told The Straits Times that after it alerted the authorities, it launched an internal investigation to "ascertain the extent to which our stakeholders could be affected". The spokesman added: "We wanted to have at least this information before we informed the affected individuals."

In its statement, the Singapore Red Cross said there were measures in place to guard against unauthorised access of the website.

But an internal investigation showed that "a weak administrator password could have left the website vulnerable to the unauthorised access".

The website was under maintenance when ST checked yesterday. However, there were links to sites such as giveblood.sg for would-be blood donors.

 
 
 
 

"As a precaution, we have disconnected the website from Internet access and replaced it with a temporary webpage with links to relevant websites. The website will be reinstated only when all security checks have been completed," said the Singapore Red Cross.

Forensic investigations will be carried out by external consultants to determine the factors that led to the breach.

The findings, as well as measures to be taken, will be reported to the council which governs the Singapore Red Cross.

The organisation said it will use the report, as well as the ad-vice of its IT advisory panel and consultants, to strengthen its IT security measures.

Singapore Red Cross secretary-general and chief executive officer Benjamin William said: "Our immediate priority is to ensure affected individuals and partners are notified, while working with the relevant parties to restore and strengthen our IT systems, safeguard our data and mitigate any future risks."

Mr Bryan Tan, a lawyer from Pinsent Masons MPillay specialising in technology law and data protection, said the data that was compromised was personally identifiable information. Such data may be used for a wide number of nefarious purposes, such as identity fraud and impersonation.

"The data that has been compromised is pretty sensitive data, and it is especially dangerous because there are so many things that those who trade in such data can do with it," he said.

This is the latest in a string of data breaches affecting health-related organisations in Singapore.

In March, it was reported that an HSA vendor had mishandled the data of more than 800,000 blood donors earlier this year. The information, which included names and NRIC numbers, was later said to have been accessed illegally and possibly extracted.

In January, the Ministry of Health revealed that confidential information of 14,200 HIV-positive individuals was allegedly leaked online by Mikhy Farrera-Brochez, an American who had been living in Singapore.

Singapore suffered its worst cyber attack in June last year. The SingHealth data breach resulted in the data of more than 1.5 million patients being stolen, including that of Prime Minister Lee Hsien Loong.

A version of this article appeared in the print edition of The Straits Times on May 17, 2019, with the headline 'S'pore Red Cross website hacked, over 4,200 affected'. Print Edition | Subscribe