Personal data of 2,400 MINDEF, SAF personnel potentially affected; 2 vendors hit by malware
SINGAPORE: The personal data of 2,400 Ministry of Defence (MINDEF) and Singapore Armed Forces (SAF) personnel may be affected by a potential ST Logistics personal data breach.
ST Logistics said in a media release on Saturday (Dec 21) that the potential breach was a result of a recent series of email phishing activities involving malicious malware sent to its employees’ email accounts.
“This data, contained in working files residing in affected workstations, may have been exfiltrated,” it added.
MINDEF said in a statement that preliminary investigations indicate that the personal data could have been leaked.
The affected systems contained full names and NRIC numbers, and a combination of contact numbers, email addresses or residential addresses.
ST Logistics said that it had carried out “extensive forensic investigations” into these activities through its own cyber security team and with the support of external cyber security experts.
The company also added that it informed the Personal Data Protection Commission (PDPC) and the Singapore Computer Emergency Response Team (SingCERT) of the "possible breach" of personal data on Dec 16.
The company operates several logistics services, including an eMart retail and equipping service for MINDEF and SAF personnel since 1999.
“In some instances, to ensure that these services are carried out correctly, some personal data is utilised,” it said.
ST Logistics chief executive officer Loganathan Ramasamy said that the company is committed to ensuring that all personal data in the company’s possession is treated with “high standards of integrity”.
“We apologise sincerely for this incident and we owe this to our customers and stakeholders to ensure their personal data is robustly protected,” he added.
DATA OF 98,000 PERSONNEL IN AFFECTED HMI INSTITUTE SERVER
In a separate data incident, the HMI Institute of Health Sciences said that it discovered a file server to be encrypted by ransomware on Dec 4.
The affected server, which primarily contained backup information, was immediately taken offline and isolated from the Internet and internal network, HMI Institute said in a media advisory on Saturday.
The institute added that its learning management system was not impacted and that daily operations were “unaffected and continued as usual”.
Preliminary investigations indicated that the likelihood of a data leak to external parties was low, MINDEF said, adding that the affected system contained personal data of 120,000 individuals.
This included the full names and NRIC numbers of about 98,000 MINDEF and SAF personnel who previously attended a cardiopulmonary resuscitation and automated external defibrillation (AED) course.
The HMI Institute has been contracted by the SAF to conduct CPR and AED training for MINDEF and SAF personnel since 2016.
Data containing full names, NRIC numbers, contact numbers, email addresses, dates of birth and residential addresses of other HMI Institute customers was also affected.
Upon discovery of the incident, HMI Institute said it immediately engaged a cybersecurity firm to conduct investigations.
The institute said the findings so far show that the likelihood of a data leak was low and that the incident was a “random and opportunistic attack” on the file server.
There was also no evidence that the information had been copied or exported, the institute added.
“We take this incident very seriously and we deeply apologise to the students and applicants affected for the inconvenience caused,” said HMI Institute executive director Mr Tee Soo Kong.
Additional measures to fortify the institute’s systems against increasingly sophisticated cyber intrusions have also been put in place, he added.
HMI Institute said it has reported the incident to the PDPC and SingCert.
It is also currently completing the implementation of additional IT security enhancement initiatives including the establishment of a secured wide-area network and an enhanced cybersecurity protection suite.
Affected students and applicants have been informed via multiple communication channels including emails, letters and face-to-face meetings.
Students and applicants may email or call the institute should they have further enquiries regarding the incident, said the institute.
SECURITY OF SYSTEMS AN "IMPORTANT FACTOR"
MINDEF and the SAF said they take a serious view on the secure handling of personal data by their vendors.
“The security of their IT systems is an important factor that will be taken into account in the award of contracts,” MINDEF said.
MINDEF added that it is also engaging other vendors who hold information of MINDEF and SAF personnel to strengthen the security of their IT systems.
The PDPC is also conducting investigations into both cases, MINDEF said.
In response to the malware incidents, Defence Cyber Chief Brigadier-General Mark Tan said: “The malware incidents affected the IT systems of our vendors. Although MINDEF/SAF’s systems and operations were not affected, the malware incidents in these vendor companies may have compromised the confidentiality of our personnel’s personal data."
He added that MINDEF and the SAF will review the cybersecurity standards of their vendors to ensure that they are able to protect their personnel’s personal data and information.
Affected personnel will be notified from Saturday, said MINDEF.