E-mail log-in details of govt staff put up for sale on Dark Web

Hackers stole them when officers used them for personal and non-official purposes

Group-IB revealed that it discovered the user log-ins and passwords from several government organisations on the dark Web over the last two years. PHOTO: REUTERS

E-mail log-in information of employees in several government agencies and educational institutions, as well as details of over 19,000 compromised payment cards from banks here, has been put up for sale online by hackers.

Russian cyber-security company Group-IB revealed on Tuesday that it discovered the user log-ins and passwords from several government organisations on the Dark Web over the past two years.

The compromised payment card information, which it said was valued at more than US$640,000 (S$863,000), was found last year.

According to a media statement from Group-IB, the organisations involved include the Government Technology Agency (GovTech), the Health and Education ministries, the police and the National University of Singapore.

A Smart Nation and Digital Government Group spokesman told The Straits Times that GovTech was alerted to the presence of e-mail credentials in illegal data banks in January this year.

The spokesman said: "These credentials comprise e-mail addresses and passwords provided by individuals. Around 50,000 of these are government e-mail addresses. They are either outdated or bogus addresses, except for 119 of them which are still being used.

"As an immediate precautionary measure, all officers with affected credentials have changed their passwords. There are no other information fields exposed apart from the e-mail address and password."

He added that the credentials were leaked not from government systems, but from the use of these government e-mail addresses for the officers' personal and non-official purposes. The Straits Times understands this covers online services, and could include sign-ups for events, marketing promotions or games like Pokemon Go.

"Officers have been reminded not to use government e-mail addresses for such purposes, as part of basic cyber hygiene," he said.

In response to Group-IB's statement, a police spokesman said that based on a review of the credentials, no user information and passwords used for gaining access into police systems were compromised. He said: "Only the user information and password of one employee from the Polwel Cooperative Society Limited were affected, and his account has been disabled. Polwel's computers are not linked to police's systems."

Group-IB's vice-president of international business Nicholas Palmer told ST that a majority of the 19,000 compromised payment card details included raw data like the card's number, cardholder name, expiry date and CVV code.

A Monetary Authority of Singapore (MAS) spokesman also said yesterday that its security vendors have reported a spike in data theft overseas. "MAS has been monitoring cyber intelligence, including those related to payment card security, as part of our surveillance," the spokesman said. "We note that security vendors have reported a rise in incidents of data theft internationally, including loss of card details from compromised merchants' point-of-sales systems and e-commerce websites."

The stolen information, according to Group-IB, was put up on the Dark Web - a part of the Internet where illegal activities are conducted and can be accessed only using special software.

Mr Dmitry Volkov, Group-IB's chief technology officer and head of threat intelligence, said the compromised credentials could be used for cyber crime and spying.

"Users' accounts from government resources are either sold in underground forums or used in targeted attacks on government agencies for the purpose of espionage or sabotage," he said.

Group-IB also said that Singapore is "drawing more and more attention" from financially motivated hackers every year. According to its data, compared with 2017, the number of leaked cards went up last year by 56 per cent.

The discovery comes after a string of breaches and cyber attacks in the public and private sectors.

Last June, the personal data of 1.5 million SingHealth patients was stolen in the country's worst cyber attack. Other breaches include the online leak of personal information of 14,200 patients from the HIV Registry and improper handling of data belonging to more than 800,000 blood donors by a vendor that was discovered last week.

Join ST's WhatsApp Channel and get the latest news and must-reads.

A version of this article appeared in the print edition of The Straits Times on March 22, 2019, with the headline E-mail log-in details of govt staff put up for sale on Dark Web. Subscribe