SingHealth cyberattack should be taken as a warning to all organisations to review their systems: Iswaran

SINGAPORE: All organisations should take the recent SingHealth cyberattack as a warning to review their cybersecurity system, and ensure the protection of their IT systems and databases, including personal data, Minister for Communications and Information S Iswaran said on Monday (Aug 6).

Delivering a ministerial statement on the incident in Parliament, Mr Iswaran stressed that this applies to all organisations, not just operators of critical information infrastructure (CII). CII refers to sectors that are responsible for the continuous delivery of essential services in Singapore, including Government, infocomm, energy and aviation. 

Last month, cyberattackers stole 1.5 million SingHealth patients’ records in what was described as the "most serious breach of personal data” in Singapore’s history.

The 1.5 million individuals had their non-medical records – including their name, NRIC, address and date of birth – illegally accessed and copied in the cyberattack. About 160,000, including Prime Minister Lee Hsien Loong, also had their dispensed medicines records taken.

Addressing concerns that the data stolen through the SingHealth cyberattack could be used for fraudulent transactions or identity theft, Mr Iswaran emphasised that there are multiple safeguards in place to mitigate such risks. This is especially so, he said, for financial transactions and sensitive Government e-transactions.

For example, all banks and insurance companies in Singapore already have two-factor authentication (2FA) for online financial services, such as making fund transfers or accessing account details. An additional authentication layer also protects higher-risk transactions such as adding a third-party payee, he added.

The Monetary Authority of Singapore (MAS) had last month also directed all financial institutions to take further measures. 

Mr Iswaran added that all sensitive Government e-transactions have also been protected by SingPass 2FA since July 2016.

But he also noted that individuals can also do their part by practising good personal data protection and cybersecurity habits.

“They should ensure that their passwords, user IDs and security questions are not based on personal data, use strong passwords, enable 2FA for online transactions and watch out for fraudulent transactions and suspicious requests for personal data,” he said.

In concluding his speech, Mr Iswaran emphasised that the cyberattack was “well-planned and targeted”. The Government, he said, will get to the bottom of the incident, learn from it, and further strengthen Government IT systems.

But he cautioned that the risk of another cyberattack breaking through the Government’s defences cannot be completely eliminated.

“Ensuring cybersecurity is a ceaseless battle, like our battle against terrorism,” he said. “It involves changing technology and sophisticated perpetrators who are constantly developing new techniques and probing for fresh weaknesses.”

“Therefore, even as we do our best to strengthen our IT systems, it is crucial that our people and systems remain resilient; that we are able to respond robustly and decisively to an incident, and that we constantly learn and reinforce our system.”

He added that after learning and applying the lessons from the incident, Singapore must press on with its plans for a Smart Nation.

“We must adapt ourselves to operate effectively and securely in the digital age, to deliver better public services, enhance our economic competitiveness, and create good jobs and opportunities for Singaporeans,” he said.