SingHealth cyberattack: Did authorities respond fast enough to Singapore’s worst personal data breach?

SINGAPORE: As the dust settles on the “most serious breach of personal data” in Singapore’s history - which compromised the records of 1.5 million SingHealth patients, including Prime Minister Lee Hsien Loong - questions have surfaced on whether the authorities responded in a timely enough manner once the threat of a cyberattack was detected.

Database administrators from the Integrated Health Information System (IHiS) detected unusual activity on SingHealth’s IT systems on Jul 4 and put a stop to the data breach activities. It was later that they found out data had been illegally copied and stolen beginning from Jun 27 – eight days before the cyberattack was detected.

From Jul 4 to Jul 9, the administrators continued to monitor the network traffic closely before ascertaining it was a cyberattack and alerting their superiors. On Jul 10, MOH, SingHealth and the Cybersecurity Agency of Singapore (CSA) were informed and forensic investigations were carried out.

Mr Jonathan Phua, the co-founder of startup InsiderSecurity, which specialises in early breach detection, told Channel NewsAsia that if an attacker was able to hide in an IT system long enough to steal 1.5 million patients’ records, then the time taken to detect and respond to the threat was “too long”.

But Mr Phua said it is not easy to detect a sophisticated attacker hiding inside the system, especially if it is state-sponsored – something that other industry experts have stated was a likelihood.

The former DSO National Laboratories researcher pointed to the 2017 Equifax breach, when the personal data of around 150 million US consumers was lost, which was discovered only three months later. Another incident involving the US Office of Personnel Management saw around 20 million employee records stolen in 2015, and that was discovered a year later, he added.  


Darktrace Asia Pacific managing director Sanjay Aurora said last Friday when news of the hack came to light that for SingHealth to have detected, investigated and reported the incident within a month was a “comparative success”.

“How many other countries around the world are capable of even detecting this attack within a month, let alone be able to conduct a full investigation in this short time period?" Mr Aurora said.

Mr Jeff Hurmuses, managing director of Asia Pacific at US-based cybersecurity firm Malwarebytes, also concluded that the IHiS database administrators acted "promptly" to stem the data leak.

"They actually responded to the breach and disclosed it to potentially affected users very quickly," he said.

FireEye’s Asia Pacific president Eric Hoh lauded the Singapore Government’s decision to notify the public of the SingHealth hack.

“CSA and the Singapore Government have done a good job detecting (the cyberattack) in a timely manner and publicly disclosing the incident – which is a very noble thing to do,” Mr Hoh told Channel NewsAsia, adding that the tendency is there for victims to “sweep the matter under the rug”. 

Mr Bill Chang, Singtel's CEO for Group Enterprise, which includes cybersecurity company Trustwave, also said the fact that Government agencies managed to detect, confirm, isolate and mitigate the threat "within just a few days is a robust response".

He added that for advanced persistent threat (APT) attacks, the median time for companies to detect sophisticated breaches is more than 100 days and they can take up to 60 days to respond and mitigate the breach.

Mr Rajesh Sreenivasan, head of Technology, Media and Telecommunications at Rajah & Tann, said in a phone interview that it is “near impossible” to judge if the Singapore authorities had responded to the detection of the breach in a timely manner without knowing the specifics.

“The reality is that (the) breach notification could be done in stages,” Mr Sreenivasan said.

He added: “Sometimes, the cyberattacks could be part of a larger series of attacks, and notifying the public too early could compromise investigations.”

The lawyer also responded to questions over whether IHiS failed to comply with the Cybersecurity Act, which requires owners of critical information infrastructure in 11 key sectors – of which healthcare is one – to notify Singapore’s cybersecurity commissioner of “a prescribed cybersecurity incident”, among others. It does not state a timeframe for reporting incidents.

Mr Sreenivasan pointed out that IHiS did not fall foul of the law because the legislation is not yet in force.

Mr Bryan Tan, partner at Pinsent Masons, agreed, adding that the timeframe for notification has not been set. 

He did point out that, on a general level, it is a “fair question” why the regulators and affected people were not informed of the data breach earlier. He also questioned why the Personal Data Protection Commission (PDPC), which has been investigating data breaches here, does not appear to be involved in this particular case.


Another issue that was raised after the SingHealth hack was how consumers have no clear recourse when a data breach or violation involves a government entity, since the public sector is not included under the country’s Personal Data Protection Act (PDPA). Mr Sreenivasan said it is also unclear which entity is regulated under the law and which is not.

The cyberattack on SingHealth was just one of several that had targeted public sector agencies. In April this year, four Singapore universities were victims of online attacks, with at least 52 online accounts breached to obtain research articles without authorisation. 

In April 2017, National University of Singapore and Nanyang Technological University were hit by IT network breaches, while that same year, the Ministry of Defence revealed its I-net system was attacked and the personal data of 850 national servicemen and employees was stolen.

Mr Tan said: “The impression given is that the biggest data breaches seem to involve government agencies (schools, MINDEF) and with the lack of details provided, one can only wonder whether the internal data protection standards adopted are sufficient given the higher risk profile.”

Source: CNA/kk (ra)