SINGAPORE: The personal data of 4,297 people has been compromised after part of the Singapore Red Cross' (SRC) website was hacked, according to a statement by the organisation on Thursday (May 16).
SRC said its web developer alerted it last Wednesday to an incident of unauthorised access to the part of its website which supports the recruitment of interested blood donors.
Members of the public can indicate their interest in donating blood through the website, and SRC then makes the appointments on their behalf.
"The following information of 4,297 individuals who had registered their interest on the website was compromised: Name, contact number, email, declared blood type, preferred appointment date/time and preferred location for blood donations," said SRC, adding that no other information was affected.
It said its other databases were not compromised, and the Health Sciences Authority’s (HSA) systems were also unaffected by the incident.
The organisation made a police report the same day. It also reported the incident to the Personal Data Protection Commission and HSA. Police investigations are ongoing, it added.
A weak administrator password could have left the website vulnerable, said SRC, adding that investigations to determine how the incident happened are ongoing.
"There were measures in place to guard against unauthorised access of the website," it said. "While our investigations to determine the nature of the unauthorised access are ongoing, our preliminary findings show that a weak administrator password could have left the website vulnerable to the unauthorised access."
It said that it had disconnected the website from Internet access, and replaced it with a temporary webpage with links to relevant websites as a precaution.
The website will only be reinstated when all security checks have been completed, added SRC.
External consultants have been engaged to carry out forensic investigations and determine the "exact factors" that allowed the unauthorised access, it said.
These findings and recommended measures will be reported to the SRC Council (Board), and SRC will take necessary action to strengthen its security measures, with the advice of the organisation's IT advisory panel.
"Our immediate priority is to ensure affected individuals and partners are notified, while working with the relevant parties to restore and strengthen our IT systems, safeguard our data, and mitigate any future risks," said SRC's secretary-general and chief executive officer Benjamin William.
"SRC has started to contact affected individuals. We apologise to the users of our website whose information may have been affected by this incident."
A spokesman for the Personal Data Protection Commission said in response to CNA's queries that it is aware of the incident and is investigating the matter.
SRC's case is the latest in a string of cybersecurity incidents to have hit healthcare-related systems in Singapore.
In March this year, HSA said that the personal information of more than 800,000 blood donors was left exposed on the Internet for nine weeks after the data was mishandled by its vendor.
In January, the HIV-positive status of 14,200 people – along with confidential information such as their identification numbers and contact details – was leaked online.
In July last year, the Government made public a cyberattack on SingHealth, calling it the "most serious breach of personal data" in Singapore's history.
The incident saw 1.5 million SingHealth patients' records accessed and copied, while 160,000 of those had their outpatient dispensed medicines’ records taken. Among those affected was Prime Minister Lee Hsien Loong.