Data of 2,400 MINDEF/SAF Personnel Potentially Exposed in Vendor Data Breach
The personal data of 2,400 Ministry of Defence (MINDEF) and Singapore Armed Forces (SAF) personnel may be affected by a potential ST Logistics personal data breach, one of two vendor-related incidents reported in late 2019.
ST Logistics Breach via Phishing Attack
ST Logistics said in a media release that a potential breach was the result of a recent series of email phishing activities involving malicious malware sent to its employees’ email accounts. “This data, contained in working files residing in affected workstations, may have been exfiltrated,” it added.
MINDEF said in a statement that preliminary investigations indicate that the personal data could have been leaked. The affected systems contained full names and NRIC numbers, and a combination of contact numbers, email addresses or residential addresses.
The company operates several logistics services, including an eMart retail and equipping service for MINDEF and SAF personnel. It informed the Personal Data Protection Commission (PDPC) and the Singapore Computer Emergency Response Team (SingCERT) of the "possible breach" of personal data on Dec 16.
“We apologise sincerely for this incident and we owe this to our customers and stakeholders to ensure their personal data is robustly protected.”
Data Of 98,000 Personnel In Affected HMI Institute Server
In a separate data incident, the HMI Institute of Health Sciences said that it discovered a file server to be encrypted by ransomware on Dec 4. The affected server, which primarily contained backup information, was immediately taken offline and isolated.
Preliminary investigations indicated that the likelihood of a data leak to external parties was low. The affected system contained the full names and NRIC numbers of about 98,000 MINDEF and SAF personnel who had attended a CPR and AED course.
HMI Institute said the findings so far show that the incident was a “random and opportunistic attack” and there was no evidence that the information had been copied or exported.
“We take this incident very seriously and we deeply apologise to the students and applicants affected for the inconvenience caused.”
Affected students and applicants have been informed via multiple communication channels.
Security Of Systems An "Important Factor"
MINDEF and the SAF said they take a serious view on the secure handling of personal data by their vendors. “The security of their IT systems is an important factor that will be taken into account in the award of contracts,” MINDEF said.
“The malware incidents affected the IT systems of our vendors. Although MINDEF/SAF’s systems and operations were not affected, the malware incidents in these vendor companies may have compromised the confidentiality of our personnel’s personal data."
Affected personnel will be notified. MINDEF added that it will review the cybersecurity standards of its vendors to ensure that they are able to protect their personnel’s personal data and information. The PDPC is also conducting investigations into both cases.
