SINGAPORE: The Ministry of Defence (MINDEF) will strengthen oversight of its vendors after two of them were hit separately by potential data breaches, said Minister for Defence Dr Ng Eng Hen in a written parliamentary reply on Monday (6 Jan).
He was responding to questions posed by MPs Rahayu Mahzam and Png Eng Huat about the impact of the incidents, which were reported in December last year.
The ministry will take reference from the recommendations of the Public Sector Data Security Review Committee (PSDSRC) and implement a framework to ensure that vendors protect their data well, Dr Ng said.
"MINDEF will also implement a tiered cybersecurity framework to ensure that vendors handling more sensitive data are subject to more stringent cybersecurity standards, which may include regular audits.
"As the risks will continue to evolve, we will continually monitor developments and enhance our cyber and data security measures."
On December 21, it was reported that the personal data of 2,400 MINDEF and Singapore Armed Forces (SAF) personnel may have been affected by a potential ST Logistics personal data breach.
The possible breach was a result of a recent series of email phishing activities containing malware sent to its employees’ email accounts.
In a separate data incident, the HMI Institute of Health Sciences said that it discovered a file server to be encrypted by ransomware on Dec 4.
The HMI Institute is contracted by the SAF to conduct cardiopulmonary resuscitation (CPR) and automated external defibrillation (AED) training for MINDEF and SAF personnel.
The affected system contained personal data of 120,000 individuals, of which about 98,000 are MINDEF and SAF personnel who previously attended a cardiopulmonary resuscitation and AED course.
Their full names and NRIC numbers were backed up in the affected server.
Both incidents were confined to the vendor's systems, and did not affect MINDEF's own systems or result in the loss of classified military information, said Dr Ng.
Prior to these incidents, MINDEF had begun including personal data protection clauses in all new contracts involving personal data, he said.
He added that the ministry had also been working with vendors, including HMI Institute and ST Logistics, to progressively apply such clauses to existing contracts.