Another massive data breach hits Singapore as investigations reveal new facts. Earlier this month, Singapore’s Health Sciences Authority (HSA) disclosed an inadvertent exposure of data of blood donors. As they continued with the investigation, they now confirm the compromise of the data to the attackers.
HSA Exposed Data Of 800K Blood Donors
A couple of weeks ago, the Health Sciences Authority (HSA) in Singapore issued a statement regarding ‘improper handling’ of user data. They confessed an inadvertent public exposure of data of blood donors registered with the service. The incident allegedly affected more than 800 thousand individuals.
As revealed in their notice, the breach happened due to one of HAS’s vendors Secur Solutions Group Pte Ltd (SSG) who mishandled HAS database. SSG allegedly left the database exposed online on an open server.
A security researcher noticed the vulnerability and reported the matter to the Personal Data Protection Commission. As per his observation, the database included records of 808,201 blood donors. The exposed information included blood donors’ names, gender, number of blood donations, last three blood donation dates, and NRIC. It also included other details such as height, weight, and blood type in some cases. However, it did not include medical information and contact details.
After knowing of the vulnerability, the vendors worked to close down the exposed database. As stated in their statement,
“HSA immediately worked with SSG to disable access to the database.”
Vendors Confirm Data Stolen By Attackers
In their earlier notification, HAS mentioned that their initial investigations did not hint any malicious access to the data or security breach.
“Preliminary findings from HSA’s review of the database logs show that other than the cybersecurity expert who raised the alert, no other unauthorised person had accessed the database.”
However, as they continued with the investigation, they found contradicting facts. According to their recent statement,
“It shows that there was more access to the data than had been initially assessed by SSG.”
According to the reports by Channel NewsAsia, SSG stated that they found suspicious access to their server.
“Subsequent forensic analysis has now shown that between Oct 22, 2018, and Mar 13, 2019, the server was also accessed suspiciously from several other IP addresses.”
Thus, they do not rule out the possibility of data exfiltration. Nonetheless, they are continuing with investigations to find more details.
HSA, on the other hand, confirmed that their central system remained secure.
“HSA’s centralised blood bank system, which is not connected to the SSG server, remains secure.”
They also mentioned that they will decide about the next steps regarding SSG after the investigations conclude.
In the previous year, Singapore suffered a terrible health data breach that exposed 1.5 million records, including that of the nation’s Prime Minister.