Singapore's Ministry of Defense Data BreachedResult of Phishing Attacks against Two Security Service Providers
The data leak occurred at ST Logistics, a privately-owned vendor of the Singapore Armed Forces and the Ministry of Defense. It was contracted to provide third-party logistics services such as eMart retail and equipping services for the armed forces. In a similar malware attack, the data leak occurred at HMI Institute of Health Sciences, which is contracted by the SAF to conduct cardiopulmonary resuscitation and automated external defibrillator training for MINDEF/SAF personnel since 2016.
The data included the full names and National Registration Identity Card numbers, and a combination of contact numbers, e-mail or residential addresses, the statement said.
It stated that MINDEF and SAF are working with the two vendors to investigate the impact and the potential disclosure of personal data. For the HMI Institute incident, their affected system contained personal data of 120,000 individuals.
For the ST Logistics incident, their affected systems contained full names and NRIC numbers, and a combination of contact numbers, email addresses or residential addresses of about 2,400 MINDEF/SAF personnel.
ST Logistics said in a statement that the breach was a result of e-mail phishing activities sent to its employees' e-mail accounts. However, no details were given on when it had occurred or for how long.
HMI Institute in its report to PDPC said it had discovered that a file server was encrypted by ransomware on December 4, but investigations so far show no evidence of data being copied or exported.
HMI Institute said that it had informed the people affected by the breach directly but decided to make an announcement as well, to alert all its students and applicants to be vigilant.
According to the MINDEF statement, the preliminary investigations indicate that the personal data could have been leaked, but the likelihood of data leak to external parties is low.
Defense Cyber Chief Brigadier-General Mark Tan, MINDEF, said, "The malware incidents affected the IT systems of our vendors. Although MINDEF/SAF's systems and operations were not affected, they may have compromised the confidentiality of our personnel's personal data. We will review the cybersecurity standards of our vendors to ensure they can protect our personnel's personal data and information."
Dealing with the Data
According to a Straitstimes report, ST Logistics chief executive Loganathan Ramasamy said: "ST Logistics is committed to ensuring that all personal data in our possession is treated with high standards of integrity. We apologise sincerely for this incident and we owe this to our customers and stakeholders to ensure their personal data is robustly protected."
Its executive director, Mr Tee Soo Kong, said the institute had put in place additional fortifications in their systems.
ST Logistics is contracted to provide logistics services such as eMart retail and equipping services since 1999. Both vendors were provided with personal data of MINDEF/SAF personnel needed for the provision of their operations.
Singapore's new cybersecurity law passed by the Parliament early this year mandates that owners of critical information and infrastructure, local or foreign, must report all cybersecurity incidents to the Cyber Security Agency. Penalties for noncompliance are up to $100,000 or two years' imprisonment or both.
This is the mandate issued by Singapore’s Personal Data Protection Act and MINDEF in its statement said, companies are required under the Personal Data Protection Act to protect the personal data of its clients, in addition to specific requirements they are expected to uphold in the contracts they sign. Both HMI Institute and ST Logistics have reported the incidents to the Personal Data Protection Commission and the Singapore Computer Emergency Response Team. PDPC is conducting investigations in both cases.
According to Tan, MINDEF and the SAF take a serious view on the secure handling of personal data by vendors. The security of their IT systems is an important factor that will be taken into account in the award of contracts.
MINDEF/SAF is also engaging other vendors who hold information of MINDEF/SAF personnel to strengthen the security of their IT systems.
This is not the first time that Singapore Ministry of Defense’s systems have been affected. In late 2017, a breach exposed National Registration Identity Card numbers, telephone numbers and dates of birth of about 850 servicemen and ministry employees. The defense ministry then planned to establish a Defense Cyber Organization to build a resilient cyber ecosystem. The pool of 2,600 new defenders, to be assembled over the next decade, will be from Singapore Armed Forces and National Servicemen.
Singapore-based Ken Soh, CIO and director of security strategies at BHL Global, adds: "Reporting breaches alone will not help; also, the plan should be not to focus on traditional detection tools and technologies or build defenders.
“As the nature of cyberattacks has evolved, making critical infrastructure sectors the target, defining the roles of cyber warriors is vital, as is training in OT and IT security; and tackling third party risks is critical,” Soh says.