Systems managers and CEO are dismissed and sued after massive health data breach

Two officials were dismissed and a general manager was fined for massive data theft on the health system in Singapore

The Integrated Health Information Systems of
Singapore (IHIS) fired two managers, in addition to fine five high-level
employees, including Bruce Liang, CEO of the company, for their responsibility
in the SingHealth
system massive data breach the last year, as reported by network security
specialists from the International Institute of Cyber Security.

It is estimated that the incident affected
about 1.5 million people, nearly one-third of the total population in
Singapore. According to specialists in network
security
, the attackers accessed to personal details such as:

  • Patients’
    full names
  • Dates
    of birth
  • NRIC
    (National Registration Identity Card) personal identification numbers
  • Ethnic
    and racial details

In addition, details concerning the health of
over 150k patients (such as diagnoses or treatments) were also stolen; the
people affected by this incident include Lee Hsien Loong, Prime Minister of
Singapore.

The Singapore Ministries of Health and Communications
defined this incident as “a deliberate, well-defined and planned cyberattack
campaign”, although subsequent investigations by network security experts confirmed
that a human error was fundamental for this incident to materialize: “while
SingHealth implements the necessary technical controls, two high-level
employees turned out to be negligent in their work”.

The researchers criticized the poor server
configuration of Lum Yuan Woh, the leader of the Citrix team, as they
considered that “unnecessary risks were introduced to the system”. On the other
hand, Ernest Tan, SingHealth Incident Response Team Manager, was criticized for
“ignoring the due process of security incident notification”.

Another five senior employees were also
reported as responsible for data theft, but their mistakes were not considered
serious enough to warrant dismissal. Four of these employees were fined, while
the remaining employee was transferred to a position with lower
responsibilities.

According to the experts, SingHealth employees
committed three fundamental errors:

  • They
    were unable to install software patches on their systems, allowing attackers to
    exploit an Office vulnerability and gain access to one of the employees’ PC
  • The
    SingHealth team took at least a year to identify the data breach. Hackers
    accessed the system for the first time in August 2017 and, over a year, managed
    to distribute malware and infect other computers on the network without being
    detected
  • Employees
    used weak passwords ([email protected], for example). This is one of the
    most serious errors that a sysadmin can commit, because the simple
    configuration of a strong password can prevent multiple attacks

Unfortunately these problems are not unique to
the SingHealth team; human errors are one of the main causes of data breaches,
and all organizations must adopt the relevant policies to mitigate the risks
arising from these flaws.

You may also like...