Continue reading this on our app for a better experience

Open in App
Floating Button
Home Views In print this week

Complacency, organisational inertia the new virus

Benjamin Cher
Benjamin Cher • 3 min read
Complacency, organisational inertia the new virus
SINGAPORE (Dec 28): Industry experts and organisations say attacks and data breaches are all but inevitable. In fact, by year-end, it would be hard to find someone who has not had at least one piece of personal information — whether name, gender, addres
Font Resizer
Share to Whatsapp
Share to Facebook
Share to LinkedIn
Scroll to top
Follow us on Facebook and join our Telegram channel for the latest updates.

SINGAPORE (Dec 28): Industry experts and organisations say attacks and data breaches are all but inevitable. In fact, by year-end, it would be hard to find someone who has not had at least one piece of personal information — whether name, gender, address or credit card number — stolen or exposed.

In Singapore, the largest breach the country has seen occurred in July, when the personal data of 1.5 million people, including Prime Minister Lee Hsien Loong, was stolen from the SingHealth database.

As the nation reeled from the discovery, questions were asked about the timeline of the incident, specifically why it took the Ministry of Health so long to publicly disclose the breach. The breach took place on June 27 and was discovered on July 4. But the public was only informed on July 20.

Furthermore, statements made by the head of the Cyber Security Agency of Singapore, David Koh — that the information stolen, including names, dates of birth, National Registration Identity Card numbers, was only “basic demographic data” — were even more puzzling. On July 24, the Monetary Authority of Singapore issued an advisory to banks, asking them to tighten their customer verification process in the light of the breach.

More details of the breach have emerged as the government convened a Committee of Inquiry (COI) to look into the event. Significantly, the main cause of the lengthy lapse between the breach and the alert to the Cyber Security Agency (CSA) of Singapore was the reluctance of Integrated Health Information Systems senior manager Ernest Tan to report the suspicious network activity to his superiors. IHiS manages and integrates Singapore’s healthcare IT systems.

During a hearing on Oct 31, Tan said he felt there would be “no day, no night” for him and his colleagues once the matter was reported, meaning they would likely be working around the clock to provide information and updates to their superiors.

The COI also heard there was doubt over the ownership of the healthcare database, which meant the management of it was unclear. Also, the database had not been tested for vulnerabilities despite it being considered part of critical information infrastructure. And, there was no formal protocol for IHiS staff to follow in the event of a cyberattack.

“The culture in the region is not to report bad news unless [you] have to. Now, what you are seeing is the impact of laws and regulations as they roll into the region,” says Barry Greene, principal architect at content delivery network Akamai Technologies, “My personal experience is that I see tons of nasty stuff in the region; it just hasn’t been talked about.”

So what more can be expected in 2019?

Subscribers can log in and read the story Securing your data is only going to get more challenging here. Or click here to subscribe.

Highlights

Re test Testing QA Spotlight
1000th issue

Re test Testing QA Spotlight

Get the latest news updates in your mailbox
Never miss out on important financial news and get daily updates today
×
The Edge Singapore
Download The Edge Singapore App
Google playApple store play
Keep updated
Follow our social media
© 2024 The Edge Publishing Pte Ltd. All rights reserved.