SingHealth and IT supplier fined S$1m for data breach

Singapore’s data protection commission considered the fact that both SingHealth and its IT supplier fell prey to sophisticated threat actors, among other factors, when meting out the fine

Singapore’s Personal Data Protection Commission (PDPC) has fined SingHealth and its IT supplier a total of S$1m (US$739,410) for failing to protect the personal data of 1.5 million patients that were stolen in the city-state’s largest data breach to date.

The PDPC said its investigations into the data breach arising from the unprecedented attack on SingHealth’s patient database system found that SingHealth's IT supplier, Integrated Health Information Systems (IHiS), had failed to take adequate security measures to protect the personal data in its possession.

As for SingHealth, the PDPC found that SingHealth employees handling security incidents were unfamiliar with incident response processes, and were overly dependent on IHiS. They also failed to take further steps to understand the significance of the information provided by IHiS after it was surfaced, it added.

The PDPC has imposed a “financial penalty” of S$750,000 on IHiS and S$250,000 on SingHealth – the highest amounts imposed so far.

In a statement explaining the grounds of its decision, the PDPC noted that if organisations delegate work to suppliers, their role as data controllers requires them to be responsible for the personal data that they have collected from customers.

In meting out the fine, the PDPC said it took into account the fact that the data breach was the largest in Singapore so far, as well as the sensitive and confidential nature of the compromised data.

The PDPC said IHiS and SingHealth were cooperative throughout the investigations and took immediate remedial actions.

It also recognised that both organisations were victims of a skilled and sophisticated threat actor bearing the characteristics of an advanced persistent threat (APT) group, using numerous advanced, customised and stealthy tools and carrying out its attack over a period of more than 10 months.

Under Singapore’s Personal Data Protection Act, organisations are required to protect the personal data in their possession or under their control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks. Those that fail to do so could face a financial penalty of up to S$1m.

Defence-in-depth

In the aftermath of the SingHealth data breach, Singapore’s minister in charge of cyber security S. Iswaran said in Parliament on 15 January 2019 that the government will ensure its IT and database systems are secure, and that the personal data it collects is well-protected.

This includes adopting a ‘defence-in-depth’ strategy, with multiple layers of cyber defences to impede an attacker. Iswaran said these layers of defence “cascade from the perimeter to within our systems, as we recognise that a sophisticated and determined attacker, given enough time and resources, may find a way through”.

“This is why we also have capabilities in our layered defence that enable swift detection of a breach, and decisive response,” he added.
