Singhealth Data Breach 2018
"Singhealth data breach" which is the most serious personal data breach happened in Singapore, happened in June-July months in 2018. This affected the personal data of 1.5 million people including the personal data of prime minister of Singapore.
This article explains how attack unfolded (also with a nice diagram which explain the attacker movements and data exfiltration):
https://www.channelnewsasia.com/news/singapore/customised-uniquely-tailored-malware-singhealth-cyberattack-10794852
Impact
Following 3 articles explain what is the impact and penalties of this data breach, after the conclusion of theCommittee of Inquiry which was tasked with investigating the breach.
https://sg.news.yahoo.com/singhealth-cyberattack-ihis-fires-2-managers-financial-penalties-7-including-ceo-2-123715177.html
https://www.straitstimes.com/singapore/singapores-privacy-watchdog-fines-ihis-750000-singhealth-250000-for-data-breach
https://www.gov.sg/news/content/channel-newsasia---singhealth-coi-report
“Two senior managers at the Integrated Health Information Systems (IHiS) have been sacked for being “negligent” and “in non-compliance of orders” during the 2018 SingHealth cyberattack, which contributed to the unprecedented scale of the incident.
Five members of the IHiS senior management, including CEO Bruce Liang, have also been given a “significant financial penalty” for their collective leadership responsibility. A “moderate financial penalty” will be imposed on two middle management supervisors, said the central IT agency for the healthcare sector on Monday (14 January).
In addition, a Cluster Information Security Officer – who was not named but is believed to be Wee Jia Huo – who “failed to comply with IHiS’ incident reporting processes” has been demoted and re-deployed to another role.
An IHiS spokesperson noted that the Security Incident Response Manager – believed to be Ernest Tan – had “persistently held a mistaken understanding of what constituted a ‘security incident’, and when a security incident should be reported”.“His passiveness even after repeated alerts by his staff resulted in missed opportunities which could have mitigated or averted the effect of the cyber-attack,” added the spokesperson. Consequently, both Tan and a Team Lead in the Citrix Team were told to go.
The Team Lead is believed to be Lum Yuan Woh.“Whilst there was no intent to cause or facilitate the cyberattack, both of them had failed to discharge the responsibilities entrusted on them.”The terminations are with immediate effect.“
“Singapore's privacy watchdog has meted out its largest fine of $750,000 to Integrated Health Information Systems (IHiS) for lapses in securing patient data which resulted in the nation's worst data breach. Even though IHiS is the technology vendor for Singapore's healthcare sector, SingHealth also has to take responsibility as the owner of the patient database system - a point that the Personal Data Protection Commission (PDPC) stressed in dishing out penalties. SingHealth was fined $250,000, the second largest here.
Note:
You can find the public report from COI available in following link:https://www.mci.gov.sg/~/media/mcicorp/doc/report%20of%20the%20coi%20into%20the%20cyber%20attack%20on%20singhealth%2010%20jan%202019.pdf
