
SINGAPORE: As the dust settles on the “most serious breach of personal data” in Singapore’s history, with Prime Minister Lee Hsien Loong's medical records among those stolen, questions have been asked about whether authorities responded in a timely enough manner once the threat of a cyberattack had been detected.
Database administrators from the Integrated Health Information System (IHIS) detected unusual activity on SingHealth’s IT systems on Jul 4 and put a stop to the data breach activities. It was later that they found out data had been illegally copied and stolen beginning from Jun 27 – eight days before the cyberattack was detected.
From Jul 4 to Jul 9, they continued to monitor the network traffic closely before ascertaining it was a cyberattack and alerting their superiors. On Jul 10, MOH, SingHealth and the Cybersecurity Agency of Singapore (CSA) were informed and forensic investigations were carried out.
One cybersecurity practitioner, Mr Jonathan Phua, commented on the speed of response, saying perspective is everything.
The co-founder of startup InsiderSecurity, which specialises in early breach detection, told Channel NewsAsia that if an attacker is able to hide in an IT system long enough to steal 1.5 million patients’ records, then the threat detection and response times are “too long”.
That said, Mr Phua said it is not easy to detect a sophisticated attacker hiding inside the system, especially if it is state-sponsored – a conclusion that other industry experts have stated as a likelihood.
The former DSO National Laboratories researcher said that in the 2017 Equifax breach, when the personal data of around 150 million US consumers was lost, it took around three months to discover the breach. Another incident involving the US Office of Personnel Management saw around 20 million employee records stolen in 2015, and it took around 12 months before the attack was discovered, he added.
HACK DISCLOSURE A "NOBLE THING TO DO"
Darktrace Asia Pacific managing director Sanjay Aurora said last Friday when news of the hack came to light that for SingHealth to have detected, investigated and reported the incident within a month is a “comparative success”.
“How many other countries around the world are capable of even detecting this attack within a month, let alone be able to conduct a full investigation in this short time period?" Mr Aurora said.
Mr Jeff Hurmuses, managing director of Asia Pacific at US-based cybersecurity firm Malwarebytes, also concluded that the IHIS database administrators acted "promptly" to stem the data leak.
"They actually responded to the breach and disclosed it to potentially affected users very quickly," he said.
FireEye’s Asia Pacific president Eric Hoh was another who lauded the Singapore Government’s decision to notify the public of the SingHealth hack.
“CSA and the Singapore Government have done a good job detecting (the cyberattack) in a timely manner and publicly disclosed the incident – which is a very noble thing to do,” Mr Hoh told Channel NewsAsia, adding the tendency is there for victims to “sweep the matter under the rug”.
Mr Rajesh Sreenivasan, head of Technology, Media and Telecommunications at Rajah & Tann, said in a phone interview that it is “near impossible” to judge if the Singapore authorities responded to the detection of the breach in a timely manner without knowing the specifics.
“The reality is that (the) breach notification could be done in stages,” Mr Sreenivasan said.
He added: “Sometimes, the cyberattacks could be part of a larger series of attacks, and notifying the public too early could compromise investigations.”
The lawyer also responded to question marks over whether IHIS failed to comply with the Cybersecurity Act in terms of notifying authorities of the breach in a timely manner.
The law requires owners of critical information infrastructure in 11 key sectors – of which healthcare is one – to notify Singapore’s cybersecurity commissioner of “a prescribed cybersecurity incident”, among others. It does not state a timeframe for reporting said incident.
Mr Sreenivasan pointed out that IHIS did not fall foul of the law because the legislation is not yet in force.
This was reiterated by Mr Bryan Tan, partner at Pinsent Masons, who said the Cybersecurity Act had not yet been implemented and the notification timeline had yet to be set out when the SingHealth hack took place.
He did point out that, on a general level, it is a “fair question” why the regulators and affected persons were not informed of the data breach quicker. He also questioned why the Personal Data Protection Commission (PDPC), which has been investigating data breaches here, does not appear to be involved in this particular case.
COMMON DATA LAWS FOR PUBLIC AND PRIVATE SECTORS?
Another issue that was raised after the SingHealth hack was how consumers have no clear recourse when a data breach or violation involves a government entity, since the public sector is not included under the country’s Personal Data Protection Act.
Mr Sreenivasan said the PDPA can be "quite murky" at times in terms of which entity is regulated under the law and which isn't.
The cyberattack on SingHealth is just one of several targeting public sector agencies. In April this year, four Singapore universities were victims of online attacks, with at least 52 online accounts’ credentials harvested and used to access their libraries to obtain research articles without authorisation.
Before that, it was revealed that National University of Singapore and Nanyang Technological University were at the wrong end of IT network breaches, while that same year, the Ministry of Defence revealed its I-net system was breached and the personal data of 850 national servicemen and employees stolen.
Mr Tan said: “The impression given is that the biggest data breaches seem to involve government agencies (schools, MINDEF) and with the lack of details provided, one can only wonder whether the internal data protection standards adopted are sufficient given the higher risk profile.”