SingHealth data breach and a call for action
Updated: Jun 30, 2019
During the SingHealth cyber attack, attackers exfiltrated patient's personal information such as name, IC, address, gender, race & birthdate. The detailed impact of this incident to SingHealth patients is detailed in an article here. This article evaluates the impact that other businesses and patients will have in the wake of this cyber-attack.
Impact to businesses
Most of the businesses use one or more of this information to authenticate their customers in order to provide online services. Typically, a combination of IC and birthdate is used. Sometimes the address is also used along with above information. Given the fact that this information is now known to others, these parameters are no longer should be used for caller authentication. Organizations (business and government agencies alike) should take extreme caution in updating personal particulars (especially residential address) of their users based on an authentication scheme that uses leaked information. Authentication procedures must be updated immediately to include additional facts and information that are transient in nature. A latest transaction detail and last portal login date time are good examples of transient information. Businesses should not give out additional information related to user's transient data (transaction details) based on an authentication scheme that relies on the leaked set of information.
Impact to Individuals
Should it have been a password that was compromised, you could easily change it (assuming the account is not taken over yet) or increase the level of controls by adding a second factor authentication to make logins more secure. Due to the nature of the information that was exfiltrated, it can't be changed or reset. The information is pretty much static. You must watch out to see if you are still receiving all the communications from various organizations (telecom companies, government organizations, credit card companies, etc.) as usual. Keep note of any changes in the communications received or the lack thereof. A lack of communication could be an indication of compromise.
Call for action
Security procedures needs to be enhanced across all organizations (not just by SingHealth) that uses the leaked information for caller authentication. Systems and processes that offers a combination of static and transient set of information may be used to ensure stronger authentication online.
Financial Industry Response
Monetary Authority of Singapore (MAS) has an issued a mandate for the Singapore based Financial Institutions to tighten their verification process in the wake of SingHealth incident. Read on...
Check if you are affected
SingHealth cyber attack: How to check if you are affected, and what you need to know...
A well planned activity
Method of attack showed high level of sophistication