Everything Wrong With SingHealth & The Authorities Cyberattack Response

Singapore may have prepared its defence forces and citizens well to deal with physical attacks. Unfortunately, when it comes to dealing with the aftermath of cyberattacks, preparation appears to have been lacking.

SingHealth, Singapore's largest group of healthcare institutions, which runs four public hospitals, five national specialty centres and nine polyclinics across the island state, announced on Friday that the data of 1.5 million patients had been compromised, though the breach was limited to a selected set of information on these patients. This information included the name, NRIC number, date of birth and even the address of the patients.

The way it responded to the cyberattack was found wanting, and organisations should take this opportunity to learn from it.

1. Do Not Use Link Shorteners In Emergency SMS

The Bit.ly link may have made it harder for users to tell the real SMS from the fake one

One of SingHealth's first responsibilities was to send an SMS to affected patients. In the first batch of SMSes, it included a bit.ly shortened link.

I am not sure why SingHealth decided to use a link shortener in this scenario. Link shorteners like Bit.ly are often used to shorten an extremely long link and/or to count the number of clicks. They also help to reduce the characters needed to key into the browser. The downside is that the short link hides the real URL, so the user cannot tell where it leads and could end up clicking on a malicious link.

Furthermore, a fake SMS was being sent out stating that the cyberattack had resulted in financial data and medical records being compromised. The Bit.ly link may have left many unable to tell the real SMS from the fake one that was spreading.

In an emergency notice like this, the bit.ly link was really unnecessary. First of all, the message was sent via SMS. With the high number of users on 3G smartphones in Singapore, a tap on the full link would open a browser and send them to the required website.

The use of bit.ly also raised suspicions, which resulted in SingHealth having to explain what bit.ly is and how it is related to SingHealth. The SingHealth Facebook Page was flooded with such questions.

No more bit.ly

As a footnote, SingHealth later switched to the full link to its website in its SMSes to the remaining affected patients.

2. Devaluing The Personal Data Stolen

The data stolen was as follows:
  • Name
  • NRIC number (the unique ID number found on the Singapore identity card)
  • Address
  • Gender
  • Race
  • Date of birth

In the press conference announcing the hack, Singapore's Cyber Security Agency (CSA) Chief Executive David Koh said that the stolen information was "basic demographic data".

Gov.sg wrote,
“We are watching to see if anything appears on the Internet both in the open and in some of the less well-known websites,” he added, noting that this has occasionally happened in past data breaches.

“But considering the type of data that’s been exfiltrated, it is – from our professional experience – unlikely that these will appear, because there is no strong commercial value to these types of data.”

Yet, in November 2017, Singapore's privacy watchdog, the Personal Data Protection Commission (PDPC), highlighted in a media interview the concerns about giving out the full IC number.

Today wrote,

"The NRIC number is a unique identifier assigned by the Government to each Singapore resident that is often used as a required document or identifier for transactions with the Government, as well as certain commercial transactions," PDPC said.

"As the NRIC number is a permanent and irreplaceable identifier which can be used to unlock large amounts of information relating to the individual, the indiscriminate collection and use of individuals’ NRIC numbers is of special concern as it increases the risk that the NRIC numbers may be obtained and used for illegal activities such as identity theft and fraud," it added.

While I understand the need to ease the fear and concerns of those who have had their data stolen, devaluing it by saying it has "no strong commercial value" creates the perception that the CSA has little or no worry about what was stolen.

While the NRIC number may not have any "commercial value", it can be used to obtain other information or, as the PDPC said, for "illegal activities".

Would the CSA chief be open to putting his name, NRIC number, address, gender, race and date of birth on the open web to show that such data has "no strong commercial value"?
