Blood donor data leak: HSA's vendor says information that went online was accessed illegally and possibly extracted
SINGAPORE: Secur Solutions Group (SSG), a vendor of the Health Sciences Authority (HSA) that mishandled the data of more than 800,000 blood donors earlier this year, on Saturday (Mar 30) said that information was accessed illegally and possibly extracted.
The information, which included names and NRIC numbers, was only secured on Mar 13 after a cybersecurity expert discovered the vulnerability and alerted the authorities. Preliminary investigations by HSA had indicated that no unauthorised person other than the expert who flagged the vulnerability had accessed the database online.
Now SSG has said that its server was also accessed suspiciously from several other IP addresses.
"Subsequent forensic analysis has now shown that between Oct 22, 2018 and Mar 13, 2019, the server was also accessed suspiciously from several other IP addresses," SSG said in its statement.
"Based on this new information, SSG cannot exclude the possibility that registration-related information of donors on the server was exfiltrated. The database referred to above contains no other sensitive, medical or contact information."
It added: "There had been earlier attacks on the same server that had occurred in 2017. These attacks are unrelated to the current incident, and there is no evidence to suggest that they compromised any HSA data.
"SSG is continuing its investigations into the matter, and is cooperating fully with the police and HSA. SSG sincerely apologises to all affected blood donors."
"BLOOD BANK SYSTEM REMAINS SECURE": HSA
HSA also issued a statement on the matter on Saturday, saying it will decide on what steps to take once investigations carried out by the police and SSG have concluded.
"HSA has been made aware of the matters in SSG's statement, both by SSG and through investigations by the police," it said.
"It shows that there was more access to the data than had been initially assessed by SSG. However, HSA's centralised blood bank system, which is not connected to the SSG server, remains secure.
"HSA takes a serious view of this matter. SSG is in breach of its contractual obligations. Police investigations are continuing. HSA will decide on what steps it should take vis-à-vis SSG, once the investigations are concluded."
On Mar 13 at 9.13am, HSA was informed by the Personal Data Protection Commission (PDPC) that a cybersecurity expert had alerted them to the database vulnerability. HSA then contacted Secur Solutions at 9.35am to remove the unsecured database from the Internet, and it was fully secured at 10am, it said.
Preliminary investigations by HSA showed that its centralised blood bank systems were not affected. The agency added that it has made a police report.
HSA CEO Mimi Choong apologised to blood donors over the lapse by its vendor.
"We would like to assure donors that HSA's centralised blood bank system is not affected," she said.
"HSA will also step up checks and monitoring of our vendors to ensure the safe and proper use of blood donor information."
An HSA spokesperson also told CNA it is considering available legal options, including "termination of the vendor's services".
This is the fourth IT-related incident to have hit the Health Ministry in the past nine months, including the SingHealth cyberattack last June that saw the health records of 1.5 million Singaporeans stolen.