Leaked data of 800,000 blood donors in S’pore accessed illegally, possibly stolen

[beyond]

It was earlier reported on Mar. 15 that the records of over 800,000 blood donors in Singapore were accidentally put online by a vendor.

Put online by vendor

According to the Health Sciences Authority (HSA), their vendor, Secur Solutions Group Pte Ltd (SSG), was working on a database containing 808,201 blood donors’ personal information.

SSG was provided with this database for updating and testing.

SSG uploaded the database in an internet-facing server earlier this year on January 4, 2019 but failed to secure the server adequately.

The database was discovered by a cybersecurity expert who subsequently alerted the Personal Data Protection Commission (PDPC). PDPC then informed HSA on March 13 at 9:13 am which then contacted SSG to fully secure the access by 10 am.

According to HSA’s Mar. 15 statement, aside from the cybersecurity expert, no other unauthorised person accessed this database.

Accessed by others

In a Mar. 30 statement by SSG, they have now confirmed that the data was accessed suspiciously from several other IP addresses between October 2018 and March 2019.

SSG said that based on this information, it cannot “exclude the possibility that registration-related information of donors on the server was exfiltrated”. It added that the database referred contained “no other sensitive, medical or contact information”.

SSG also revealed that there were “earlier attacks on the same server that had occurred in 2017”. It shared that the 2017 attacks were unrelated to the current incident, and “there is no evidence to suggest that they compromised any HSA data”.

Police investigating

In a statement on Mar. 30, HSA said that it had “been made aware of the matters in Secur Solutions Group’s (SSG) statement, both by SSG and through investigations by the Police”.

It added that HSA’s centralised blood bank system, which is not connected to the SSG server, remained secure.

HSA added that SSG was in breach of its contractual obligations. HSA said it would decide “on what steps it should take vis-à-vis SSG, once the investigations are concluded”.

[aaur4man]

Secure also spell wrongly, what to do

[ODACHEK]

On 3/31/2019 at 5:09 AM, beyond said:

It was earlier reported on Mar. 15 that the records of over 800,000 blood donors in Singapore were accidentally put online by a vendor.

Put online by vendor

According to the Health Sciences Authority (HSA), their vendor, Secur Solutions Group Pte Ltd (SSG), was working on a database containing 808,201 blood donors’ personal information.

SSG was provided with this database for updating and testing.

SSG uploaded the database in an internet-facing server earlier this year on January 4, 2019 but failed to secure the server adequately.

The database was discovered by a cybersecurity expert who subsequently alerted the Personal Data Protection Commission (PDPC). PDPC then informed HSA on March 13 at 9:13 am which then contacted SSG to fully secure the access by 10 am.

According to HSA’s Mar. 15 statement, aside from the cybersecurity expert, no other unauthorised person accessed this database.

Accessed by others

In a Mar. 30 statement by SSG, they have now confirmed that the data was accessed suspiciously from several other IP addresses between October 2018 and March 2019.

SSG said that based on this information, it cannot “exclude the possibility that registration-related information of donors on the server was exfiltrated”. It added that the database referred contained “no other sensitive, medical or contact information”.

SSG also revealed that there were “earlier attacks on the same server that had occurred in 2017”. It shared that the 2017 attacks were unrelated to the current incident, and “there is no evidence to suggest that they compromised any HSA data”.

Police investigating

In a statement on Mar. 30, HSA said that it had “been made aware of the matters in Secur Solutions Group’s (SSG) statement, both by SSG and through investigations by the Police”.

It added that HSA’s centralised blood bank system, which is not connected to the SSG server, remained secure.

HSA added that SSG was in breach of its contractual obligations. HSA said it would decide “on what steps it should take vis-à-vis SSG, once the investigations are concluded”.

KNN, what's next? Sperm bank leaked?