How data security review committee's recommendations could have prevented govt data breaches and leaks

The various data security incidents that occurred in the last few years prompted the Government to set up the high-level Public Sector Data Security Review Committee (PSDSRC), which on Wednesday (Nov 27) announced a host of recommendations to bolster data security.

The Government has accepted these recommendations and will implement them across most of its systems by the end of 2021, with the rest adopting the measures by the end of 2023.

In a press conference on Wednesday, Senior Minister Teo Chee Hean said that had these measures been in place, the impact of the past breaches of government data would have been minimised - and the breaches themselves could even have been prevented.

Here is a look at how some of these incidents could have been prevented with these new recommendations:

 

SingHealth cyberattack in 2018

[[nid:421748]]

In what was Singapore's worst cyber attack, the personal data of 1.5 million patients and the outpatient prescription information of 160,000 people, including Prime Minister Lee Hsien Loong, was stolen by hackers in June.

A skilled attacker managed to enter SingHealth's system, get past its defences and move around in the network without anyone noticing.

Reporting of the incident was also delayed by the IT security team, which gave the attacker more time to steal the data.

How would the measures have helped?

• Monitoring access to authorised and privileged users of the health data would have flagged the unauthorised use of such accounts, which was how the attacker overcame security measures.
• Increase in training focus for IT security staff would have equipped them to better recognise signs of an attack and handle it.
• Enhancing the data incident management framework would have ensured that all suspected incidents were promptly reported, instead of a delay in reporting, which is what happened in the cyber attack.

HIV registry leak in 2019

[[nid:436456]]

Between 2012 and 2013, a copy of the HIV registry was downloaded onto a thumb drive and then leaked on the Internet this year.

The confidential details of more than 14,000 people on the HIV Registry were illegally made public by American Mikhy K Farrera Brochez.

He had obtained the information that his partner Ler Teck Siang, a doctor who was head of the Ministry of Health's National Public Health Unit, had access to.  

How would the measures have helped?

• An unusual activity like downloading the registry would have been detected, and downloading of the data to an unauthorised device like a thumb drive would be disabled.
• Digital watermarking of the files would have helped in identifying the source of the leaked file.
• Replacing the names and details on the registry with unique identifiers, also known as tokenisation, would prevent the identification of the individuals.

Data leak of more than 1,900 pupils from Henry Park Primary School in 2015

[[nid:183097]]

A Microsoft Excel spreadsheet containing students' particulars was mistakenly sent out to some 1,200 parents, as the officer did not check the e-mail recipient list.

This document contained the names and birth certificate numbers of all 1,900 pupils in the school, along with the names, phone numbers and e-mail addresses of their parents.

How would the measures have helped?

• An e-mail data protection tool would have alerted the office that sensitive data was being sent to external parties. 

HSA blood donor database exposure in 2019

[[nid:440873]]

Secur Solutions Group (SSG), a Health Sciences Authority (HSA) vendor, had improperly stored the data of more than 800,000 blood donors on an unsecured server for over two months.

There were inadequate safeguards in place to prevent unauthorised access.

 

 

How would the measures have helped?

• With better accountability of third parties to handle government data and a framework to manage them, HSA could have better monitored and audited SSG's data security performance and identified unsafe practices.

This article was first published in The Straits Times. Permission required for reproduction.