
Personal data of 2,400 Mindef, SAF personnel potentially affected by data breach


The_King


SINGAPORE — The authorities are investigating two malware incidents that could have led to the leak of personal data of thousands of personnel from the Ministry of Defence (Mindef) and the Singapore Armed Forces (SAF). 

The incidents involved third-party vendors, the HMI Institute of Health Sciences and ST Logistics.

The systems at ST Logistics affected by the malware contained full names and NRIC numbers and a combination of contact numbers, email addresses or residential addresses of about 2,400 Mindef and SAF personnel. 

Preliminary investigations indicate that the personal data could have been leaked, Mindef said in a statement on Saturday (Dec 21).

ST Logistics, which is contracted to provide logistics services such as eMart retail and equipping services for Mindef and SAF personnel, said in a statement that the potential breach was a result of a recent series of email phishing activities involving malicious malware sent to its employees’ email accounts.

“This data, contained in working files residing in affected workstations, may have been exfiltrated,” it said.

ST Logistics added that it has carried out “extensive forensic investigations” into these activities through its own cyber security team and with the support of external cyber security experts.

HMI Institute, meanwhile, discovered a file server to be encrypted by ransomware on Dec 4. 

The institute is contracted by the SAF to conduct cardiopulmonary resuscitation and automated external defibrillator training for Mindef and SAF personnel.

The affected server primarily contained backup information on 120,000 individuals, such as their full names, NRIC numbers, dates of birth, home addresses and email addresses, depending on the course they had enrolled or applied for. 

Among the affected individuals, about 98,000 are SAF servicemen who attended the Cardio Pulmonary Resuscitation and Automated External Defibrillation course, whose full names and NRIC numbers were backed up in the affected server.

Upon discovery of the incident, HMI Institute said it immediately engaged a cybersecurity firm to conduct investigations. 

“The findings so far show that the incident was a random and opportunistic attack on the file server. Also, based on the investigation findings of the cybersecurity firm, while the information in the affected server was encrypted, there is no evidence that it has been copied or exported, hence there is a low likelihood of a data leak.”

The affected file server has since been decommissioned from use and the institute’s main student registry remains intact and unaffected, it added.

Both companies have informed the Personal Data Protection Commission and the Singapore Computer Emergency Response Team of the incidents, they said. They are also informing all affected individuals.

Mindef said in its statement that the ministry and the SAF take a serious view on the secure handling of personal data by their vendors. 

“The security of their IT systems is an important factor that will be taken into account in the award of contracts. Mindef/SAF is also engaging other vendors who hold information of Mindef/SAF personnel to strengthen the security of their IT systems,” it added. 

Defence Cyber Chief Brigadier-General Mark Tan said that although Mindef and SAF’s systems and operations were not affected, the malware incidents in these vendor companies may have compromised the confidentiality of their personnel’s personal data. 

“We will review the cybersecurity standards of our vendors to ensure that they are able to protect our personnel’s personal data and information.”

ST Logistics chief executive officer Loganathan Ramasamy said that the company is committed to ensuring that all personal data in the company’s possession is treated with “high standards of integrity”.

“We apologise sincerely for this incident and we owe this to our customers and stakeholders to ensure their personal data is robustly protected,” he said.

HMI Institute executive director Tee Soo Kong said the institute has put in place additional measures to fortify its systems against increasingly sophisticated cyber intrusions.

“We take this incident very seriously and we deeply apologise to the students and applicants affected for the inconvenience caused. Preserving their privacy and keeping their personal data safe are our highest priority,” he added.
Read more at https://www.todayonline.com/singapore/personal-data-2400-mindef-saf-personnel-potentially-affected-data-breach

 

 



Cybersecurity in SG is merely a buzzword

 

Quite obvious our standards when security means unplugging internet

 

When Punggol IT hub is up, wait and see whether it's by locals or CECA, then u know whether our cybersec will be in sorry state in future

Edited by aaur4man
  • Like 1


1 hour ago, Satki said:

The number of data leaks by G coupled by their bragging makes us the joke. Is it we over relied on ceca?

 

dont worry, boeing is the best case study.

 

now they paying the price for cost cutting.

 

even when their senior program manager signal the incompetency, the management still insist on cost cutting.

 

now, i estimate they will be paying at least usd3bln in compensation for accident victims and then at least another usd10bln for delayed shipment plus another usd10bln for fixes/  supplier compensation.

 

these stupid managers never learn from bp's deepwater horizon.

 

https://www.business-standard.com/article/international/boeing-put-flyers-at-risk-with-9-an-hour-pay-to-737-max-software-engineers-119062900267_1.html

  • Like 3

21 minutes ago, socrates469bc said:

 

dont worry, boeing is the best case study.

 

now they paying the price for cost cutting.

 

even when their senior program manager signal the incompetency, the management still insist on cost cutting.

 

now, i estimate they will be paying at least usd3bln in compensation for accident victims and then at least another usd10bln for delayed shipment plus another usd10bln for fixes/  supplier compensation.

 

these stupid managers never learn from bp's deepwater horizon.

 

https://www.business-standard.com/article/international/boeing-put-flyers-at-risk-with-9-an-hour-pay-to-737-max-software-engineers-119062900267_1.html

 

Tink many manyzers out there still never learn... 

  • Like 1
