Data Breach on SingHealth

Do Singaporeans actually care if our personal data gets stolen online?

Kyle Huang Junyuan

TL;DR – You should care.

The recent massive data breach on SingHealth affected 1.5 million Singaporeans in the largest cyber attack ever to occur here, with 160,000 of them also having their outpatient dispensed medicines records taken. The stolen data included name, NRIC number, address, gender, race and date of birth (Source: Ministry of Health).

Fortunately, my data was not stolen in this breach. But I urge readers (especially victims) to give this post some considerable thought. What has happened here should not be taken lightly.

How does this affect me?

“If I got nothing to hide, why be afraid?”
“It’s just basic details that were stolen, what’s so serious?”

These are the most common arguments I hear from Singaporeans. Why be afraid of people knowing your personal details if you have done nothing wrong, and who could possibly want your data? My answer to them – PLENTY, and people are willing to pay for this data, especially on the dark web.

A simple question I would ask a sceptical reader: Would you randomly give a stranger your NRIC and your home address? If your answer was no, what makes this data breach different? How far would people with bad intentions go to ruin your life if they start off by knowing where you live? If these people had your NRIC number, could they very well impersonate you?

Here is a simple example I can provide which just occurred to me a few days ago: I was calling up the bank and before you get to make any requests, the operator has to do a simple verification of your identity. This includes your full name, home address, etc. With the recent cyber attack gaining access to all your personal information, it would be very easy for hackers to do some pretty nasty things.

Update, 25 July 2018: The Monetary Authority of Singapore (MAS) has instructed all financial institutions not to rely solely on the types of information that were stolen (Source: TODAYonline).

Resolution

I have to applaud the Government's subsequent move to send SMSes to all patients, regardless of whether they were affected by this data breach, to keep them informed.

However, the content of the message included “no action required”, which really struck me. Why provide that false assurance that nothing needs to be done? A friend of mine recently blogged about this case as well and highlighted that companies that faced similar data breaches in the US even offered free identity theft protection and credit monitoring services for two years, and had to settle several class-action lawsuits at a cost of US$115 million (Source: ZitSeng.com). At least they were attempting to resolve the potential problems that their customers could face in the future after having their data stolen.

An attempt to downplay?

I was just scrolling through Facebook today and came across articles on how the Government was indeed “very noble” and “quick” to report the incident within 8 days of spotting the suspicious activities.

And… cue the “experts” that come in and give their advice in a rather predictable way – the typical reporting style in Singapore in the hopes that we can be assured that this incident wasn’t so bad after all. In actual fact, once stolen, your data is effectively leaked forever.


Yes, we live in a digital age and cyber attacks are virtually impossible to prevent. But I really hope that we start taking identity theft more seriously and think of an actual solution when these problems actually happen. Let’s go to the facts and not downplay any more incidents like these in the future.

Check now

Head over to https://datacheck.singhealth.com.sg to check if your account has been affected.