16/03/2019

Spate of MOH's slip-ups

Passwords and usernames of staff from MOH, MOE and other agencies stolen and put up for sale by hackers
Group-IB revealed that it discovered the user log-ins and passwords from several government organisations on the dark Web over the last two years. PHOTO: REUTERS

E-mail log-in information of employees in several government agencies & educational institutions, as well as details of more than 19,000 compromised payment cards from banks here, have been put up for sale online by hackers.

Russian cyber-security company Group-IB revealed on Tuesday (Mar 19) that it discovered the user log-ins and passwords from several government organisations on the dark Web over the last two years. The compromised payment card information, which it said was valued at more than $600,000, was found last year.

According to a press release from Group-IB, the organisations involved include the Government Technology Agency (GovTech), Ministry of Education, Ministry of Health and the Singapore Police Force, as well as the National University of Singapore.

read more

GovTech, MOH among govt agencies with compromised logins on sale online

CREDENTIALS from several government agencies and educational institutions, as well as more than 19,000 compromised payment cards from banks in Singapore, have been put up for sale online by hackers.

Russian cybersecurity company Group-IB revealed on Tuesday that it discovered the user log-ins and passwords from several government organisations on the dark Web over the last two years. The compromised payment card information, which it said was valued at more than S$600,000, was found last year.

According to a press release from Group-IB, the organisations involved include the Government Technology Agency (GovTech), Ministry of Education, Ministry of Health & the Singapore Police Force, as well as the National University of S'pore.

read more

Govt's data management under review following CHAS error, blood donor data leak

The Government's management of data is being reviewed in light of cases of information mishandling by IT vendors.

More details on the review will be shared when ready, said the Smart Nation & Digital Government Group (SNDGG) on Friday (Mar 22), in response to queries by Channel NewsAsia.

“The Smart Nation and Digital Government Office is currently reviewing the Government’s management of data, and will share more when ready," it said.

read more

Spike in measles cases since start of year

The number of measles cases since the start of the year is more than 3 times that of the same period last year, but no deaths have been reported, said the Ministry of Health (MOH).

In the first 11 weeks of the year, there were 38 cases of measles, compared with 11 cases last year.

It is also the highest number recorded for the first 11-week period since 2015.

read more

Data leak: Several blood donor's information that was mishandled, now accessed illegally and possibly extracted

The vendor of Singapore's Health Sciences Authority (HSA), Secur Solutions Group (SSG) was accused of mishandling the data of more than 800000 blood donors in 2019. On Saturday the same group said that stated that the information, including names and NRIC numbers, went online was accessed illegally and probably extracted.

Personal Data Protection Commission (PDPC) informed HSA after they were alerted to the database vulnerability on March 13. Then the HSA contacted the SSF to remove the unsecured database from the Internet and then secured the information.

Initial investigations conducted by HAS claimed that other than the cyber experts, who identified the vulnerability, no other unauthorised person had accessed the online data.

read more

Blood donor data leak: HSA's vendor says information that went online was accessed illegally and possibly extracted


Secur Solutions Group (SSG), a vendor of the Health Sciences Authority (HSA) that mishandled the data of more than 800,000 blood donors earlier this year, on Saturday (Mar 30) said that information was accessed illegally and possibly extracted.

The information, which included names and NRIC numbers, was only secured on Mar 13 after a cybersecurity expert discovered the vulnerability and alerted authorities. Preliminary investigations by HSA showed that other than the expert who flagged the vulnerability, no other unauthorised person had accessed the database online.

Now SSG has said that its server was also accessed suspiciously from several other IP addresses.

read more

Personal data of 808,000 blood donors compromised for nine weeks; HSA lodges police report
The personal data of more than 808,000 blood donors ended up on the internet in January by a vendor of the Health Sciences Authority (HSA)

The personal data of more than 808,000 blood donors ended up on the Internet in January — and was left there for nine weeks — by a vendor of the Health Sciences Authority (HSA), the authorities said on Friday (March 15).

The data was taken down two days ago and secured, after a cyber-security expert discovered the vulnerability and alerted the Personal Data Protection Commission.

HSA chief executive Mimi Choong said she was “deeply sorry” for the vendor's lapse and assured donors that the centralised blood bank system is not affected.

related: IT slip-up at HSA: Blood donors concerned, but will not stop giving blood

read more

Insecure Database Exposes 800,000 Singapore Blood Donors

The personal information of 808,201 blood donors who registered to donate since 1986 in Singapore was exposed after the database which contained it was left unprotected on an Internet-facing server for more than two months.

According to The Straits Times who first reported the data leak incident, Singapore's Health Sciences Authority (HSA) received the initial report on March 13 from the security expert who discovered the unsecured database.

The HSA said in a notification sent to the affected donors that Secur Solutions Group Pte Ltd (SSG), an HSA vendor, was the company which failed to appropriately protect the database against access over the internet:
SSG provides services to HSA and was working on a database containing registration-related information of 808,201 blood donors: Name, NRIC, gender, number of blood donations, dates of the last three blood donations, and in some cases, blood type, height and weight. The database contained no other sensitive, medical or contact information.
read more

Personal data of over 800,000 blood donors put online by vendor: HSA
The private information of more than 800,000 blood donors in Singapore was put online without authorisation by a Health Sciences Authority (HSA) vendor

The database contained information such as name, NRIC, gender, blood type and dates of blood donations and did not contain other sensitive, medical or contact information, the HSA said in a statement on Friday (15 March).

The authority said preliminary findings show that a cyber security expert discovered the vulnerability and alerted the Personal Data Protection Commission on Wednesday.

HSA then contacted the vendor, Secur Solutions Group (SSG), to disable access to the database, and made a police report.

read more

Doctor at heart of HIV data leak suspended from practising for 9 months
Ler Teck Siang (foreground) leaving the High Court during his appeal against his conviction and sentence for cheating offences. (Photo: Gaya Chandramohan)

The doctor at the centre of the HIV data leak in Singapore could face further disciplinary action after his medical registration was suspended for nine months, the Singapore Medical Council (SMC) announced on Tuesday (Mar 12).

Ler Teck Siang was found guilty in September last year for helping his partner Mikhy Farrera Brochez deceive the Ministry of Manpower (MOM) about Brochez's HIV-positive status, and for giving false information to the Ministry of Health (MOH) and the police.

The suspension, which came into effect on Mar 7, was ordered by an Interim Orders Committee (IOC), said the SMC.

related: Doctor at heart of HIV data leak claims he lied to police to 'retaliate' against MOH 'discrimination'

read more

MOH: IT error causes about 7,700 Singaporeans to receive wrong CHAS subsidies

The Ministry of Health (MOH) released a statement on February 16 (Saturday), saying that about 7,700 people who applied or renewed their Community Health Assist Scheme (CHAS) cards between September and October last year received miscalculated subsidies. The error was caused by a computer system malfunction. CHAS is an initiative by the government to provide healthcare subsidies to its members.

According to an article published by Channel NewsAsia, about 1,300 of the individuals affected by the software issue received lower subsidies while the other 6,400 got more than what was due to them. The excess and deficit amounts were estimated to be about S$2 million and S$400,000 respectively. The S$2 million will be covered for by NCS, the IT services and solutions provider who administered the computer system, as per their contract.

The individuals who received lower subsidies will have the lacking amount reimbursed. On the other hand, those who got an excess could keep the difference.

read more

HIV status of 14,200 people leaked online
UNAUTHORISED POSSESSION AND DISCLOSURE OF INFORMATION FROM HIV REGISTRY

Following an alert by the Police, the Ministry of Health (MOH) has ascertained that confidential information regarding 14,200 individuals diagnosed with HIV up to January 2013, and 2,400 of their contacts, is in the possession of an unauthorised person. The information has been illegally disclosed online. We have worked with the relevant parties to disable access to the information.

We are sorry for the anxiety and distress caused by this incident. Our priority is the wellbeing of the affected individuals. Since 26 January, we have been progressively contacting the individuals to notify them and render assistance.

On 22 January, MOH was notified by the Police that confidential information from MOH’s HIV Registry[1] may have been disclosed by an unauthorised person. MOH made a Police report on 23 January. On 24 January, MOH ascertained that the information matched the HIV Registry’s records up to January 2013.From 24 to 25 January, MOH worked with the relevant parties to disable access to the information.

read more

SingHealth system hit by 'massive' cyberattack
Fear, trust and a willingness to help others

In the wake of Singapore's worst data breach to date, members of the public need to be alert to scammers who may tap on these emotions to trick them into giving up even more personal information, warned cybersecurity experts.

The authorities revealed last Friday that hackers had accessed the personal information of some 1.5 million people who visited SingHealth's hospitals, specialist centres & polyclinics between May 1, 2015, and July 4 this year.

Experts that The New Paper spoke to said such incidents could lead to identity theft, fraud & social engineering attacks, which use human psychology to manipulate victims into revealing confidential information.

read more

related:
Spate of Online Scams