Cyber attack on Mindef: Take steps to secure online accounts, experts urge

They advise against using birth date, NRIC or phone numbers as password

A stream of binary coding, text or computer processor instructions, is seen displayed on a laptop computer screen in this photograph illustration. PHOTO: BLOOMBERG

If you are using your NRIC and telephone numbers or birth date as a password to secure online accounts, change it immediately.

This is the advice of the Ministry of Defence (Mindef) and security experts following a cyber attack discovered early last month, which resulted in the loss of the personal details of 850 Mindef employees and national servicemen.

"Personal information is highly valuable to hackers since this can be used in further attacks or sold for monetary value," said Mr Nick Savvides, a security advocate for Asia-Pacific and Japan at cyber security software firm Symantec.

For instance, the stolen data could be used to access e-government services such as Central Provident Fund account balances, as one's NRIC number is the user name in many cases.

Hackers may also disguise themselves as the local authorities in e-mails embedded with malicious links or documents to trick users into downloading malware or divulging sensitive data, Mr Savvides said.

"Users need to be wary of follow- on attacks that may be crafted using the information gathered," he added.

Mindef revealed yesterday that the unknown hackers exploited a vulnerability in its I-net system, resulting in the loss of the NRIC numbers, telephone numbers and birth dates of the 850 personnel.

The I-net system provides Internet access on thousands of dedicated terminals to national servicemen and other employees working in Mindef's offices and Singapore Armed Forces premises.

Mr Alex Lei, regional director for South-east Asia at security systems specialist FireEye, said that targeted attacks are the "new reality" for governments around the world.

"Targeted attacks often reflect geopolitical tensions, and South-east Asia is no stranger to these tensions," said Mr Lei.

Mr Sanjay Aurora, Asia-Pacific managing director of cyber security firm Darktrace, said the incident highlights the importance of using advanced systems.

"It is a cyber arms race, and artificial intelligence technology that automatically identifies and takes action against genuine threats will be instrumental in safeguarding critical information and infrastructure," he said.

Mr Dan Yock Hau, director of the Cyber Security Agency of Singapore's National Cyber Incident Response Centre, concurred.

"We have to take steps to build greater security into software design and strengthen our systems to ensure resilience to cyber attacks," he said.

He also noted that trained cyber security professionals will play an important role to keep Singapore systems safe.

Public relations consultant Khairul Sufiyan uses his NRIC number and birth date as a password for some online accounts. "I better change them quickly," said the 30-year-old, who was worried he could be one of the 850 affected.


September 2014

The personal data of 317,000 customers of karaoke bar chain K Box was exposed on the Internet owing to lax security measures. Access to K Box's computers was protected by weak passwords made up of only one letter of the alphabet. K Box was fined $50,000 by Singapore's privacy watchdog as a result of the breach, which exposed customers' names, addresses, and mobile phone and identity card numbers.

June 2014

The Government discovered that 1,560 SingPass accounts were stolen. Three tampered accounts were fraudulently used to make applications for work passes. The use of easy-to-crack passwords was believed to be the culprit. SingPass is an authentication system that secures Singapore residents' access to 340 e-government services, including those for filing income tax returns and checking Central Provident Fund account balances.

January 2017

The Personal Data Protection Commission fined PropNex Realty $10,000 after the latter inadvertently caused the personal data of 1,765 people to be leaked online. A system flaw caused a PDF document listing one item or all of the personal information - name, mobile number, residential address and e-mail address - of the 1,765 individuals to be freely available online for months.

March 2015

The personal data of more than 1,900 pupils from Henry Park Primary School was leaked when an Excel spreadsheet containing the children's particulars was mistakenly sent out to about 1,200 parents as part of an update about a school event. The file contained the names and birth certificate numbers of all 1,900 pupils in the school, and the names, telephone numbers and e-mail addresses of their parents.

Join ST's Telegram channel and get the latest breaking news delivered to you.

A version of this article appeared in the print edition of The Straits Times on March 01, 2017, with the headline Cyber attack on Mindef: Take steps to secure online accounts, experts urge. Subscribe