Data leak: Several blood donor's information that was mishandled, now accessed illegally and possibly extracted

blood donation
Blood donor Pixabay

The vendor of Singapore's Health Sciences Authority (HSA), Secur Solutions Group (SSG) was accused of mishandling the data of more than 800000 blood donors in 2019. On Saturday the same group said that the information, including names and NRIC numbers, went online was accessed illegally and probably extracted.

Personal Data Protection Commission (PDPC) informed HSA after they were alerted to the database vulnerability on March 13. Then the HSA contacted the SSF to remove the unsecured database from the Internet and then secured the information.

Initial investigations conducted by HAS claimed that other than the cyber experts, who identified the vulnerability, no other unauthorised person had accessed the online data.

In a statement, SSG said that the "Subsequent forensic analysis has now shown that between October 22, 2018, and March 13, 2019, the server was also accessed suspiciously from several other IP addresses," and based on this new information, the HAS vendor "cannot exclude the possibility that registration-related information of donors on the server was exfiltrated. The database referred to above contains no other sensitive, medical or contact information."

"There had been earlier attacks on the same server that had occurred in 2017. These attacks are unrelated to the current incident, and there is no evidence to suggest that they compromised any HSA data.

"SSG is continuing its investigations into the matter and is cooperating fully with the police and HSA. SSG sincerely apologises to all affected blood donors."

However, HSA clarified that it will decide what steps they should take only after the conclusion of police and SSG investigation. They also added that as of now the investigation suggested that "there was more access to the data that had been initially assessed by SSG. However, HSA's centralised blood bank system, which is not connected to the SSG server, remains secure.

"HSA takes a serious view of this matter. SSG is in breach of its contractual obligations. Police investigations are continuing. HSA will decide on what steps it should take vis-à-vis SSG, once the investigations are concluded."

After conducting the initial investigation by HSA, the results showed that the centralised blood bank systems were not affected. However, the agency filed a police complaint.

Later, the HSA CEO Mimi Choong apologised to the blood donors on behalf of the SSG and said "We would like to assure donors that HSA's centralised blood bank system is not affected.

"HSA will also step up checks and monitoring of our vendors to ensure the safe and proper use of blood donor information."

The cyber-attack cases have become very frequent in Singapore. Even a Russia based group Group-IB, which develops software and hardware for the proactive cyber defence recently found that user logins and passwords from Singapore government agencies and educational institutions on the dark web over the course of 2017 and 2018.

The company also analysed the cybercrime activity in Southeast Asia and described the region as "one of the most actively attacked regions in the world."

This article was first published on March 30, 2019