Hackers target private vendor for Government’s OneService app

Hackers had deleted data linked to push notifications for the OneService app.
Hackers had deleted data linked to push notifications for the OneService app.ST PHOTO: KELVIN CHNG

SINGAPORE - The databases of a vendor linked to the Municipal Services Office’s (MSO) OneService app have been hacked but users were not affected.

MSO said in a statement on Monday (June 28) that no data that could lead to the identification of people, including case details, was stored in these databases.

There was also no anonymised data of users and no profiles of people in the hacked databases.

MSO was alerted on June 19 that the vendor Apptitude, which develops Web and mobile applications, was the subject of a cyber incident.

Apptitude is in charge of sending push notifications to the OneService app on behalf of MSO. The app itself allows the public to report municipal matters.

Hackers had completely deleted two of the vendor’s databases and demanded a ransom of 0.015 bitcoin (S$689) per database. Apptitude did not pay.

So far, MSO said it has not received reports that the data has been sold online, adding that it is monitoring the situation.

The first deleted database contained dummy data for testing, such as for templated push notification messages. The second one contained actual data on devices and past notification messages. 

Apptitude said that the information in the databases was not sensitive and was related to routine announcements.

These include regular Pollutant Standards Index (PSI) updates, heavy rain alerts, dengue zone alerts and lift status updates.

MSO added that other compromised data included that generated by tech firms Google and Apple for receiving push notifications, as well as push notification dates and times.

The OneService app’s system and its users were not affected, said the office, and there are no indications that the hackers got into its information technology systems or the vendor’s other systems.

It added that the affected databases cannot be used to identify app users or impersonate the office or OneService.

MSO said it worked with Apptitude to immediately switch off the push notification system and put in place additional measures to strengthen its security.

Apptitude has proposed a series of upgrades and enhancements as well. And as the deleted data was backed up, the company was able to recover it.

MSO added that it undertook further steps “and will continue to monitor its systems for potential threats and vulnerabilities”.

The incident is being investigated.

The office said that all personal information collected is secured and accessed only for authorised use or transactions.

The OneService app uses secure communications that encrypt data exchanged with MSO’s vendors, MSO said, adding that its systems undergo “stringent security scans to detect and mitigate risks”.

As for the immediate implications of the attack, Mr Jeffrey Kok from cyber-security firm CyberArk said that for now, the public should suffer no more than a minor inconvenience due to the app’s push notifications being down.

“However, the unanswered question is the intent of those behind this attack and what they were trying to achieve,” said Mr Kok, who is CyberArk’s vice-president of solution engineers for the Asia-Pacific and Japan.

He said that there is an ongoing trend for hackers to target software suppliers to gain access to organisations that use their services, as highlighted by the SolarWinds attack first reported in December last year.

“If commercial software used by government agencies can be compromised, then that allows an entry point for attackers into an otherwise hardened, well-secured organisation. So, this is a real concern,” said Mr Kok.

But in the latest case, the fact that the hack on MSO’s vendor did not result in the loss of confidential data or cause an app outage “should give the public assurance that (the Government) employed good security controls”, he said.