If I were a state actor, this is what I'd do with stolen SingHealth records if my hack wasn't found out

The real target isn't regular Singaporeans, but people with privileged information and key decision-makers.

Jonathan Lim | July 22, 2018, 11:04 PM

Big news hit Singapore on Friday (July 20) -- 1.5 million Singaporeans had their non-medical data (names, IC numbers, addresses, gender, race and dates of birth) illegally accessed and stolen.

160,000 patients also had records of their outpatient dispensed medicines stolen in the attack, with Prime Minister Lee Hsien Loong among the affected.

The culprits

The authorities called the attack "deliberate, targeted and well-planned", and specifically repeated that it was not the work of casual hackers or criminal gangs.

When quizzed by the media on who the culprit was/were, the authorities said they knew who was responsible but would not reveal the country of origin due to "operational security reasons."

With the authorities saying that those responsible are not casual hackers or criminal gangs, and that PM Lee's records were specifically and repeatedly targeted, it suggests a higher likelihood that the responsible party is another government.

In fact, security experts opined that state-sponsored attackers typically focus on only one or a few targeted individuals, unlike criminals, who would be primarily concerned about gathering data about as many people as possible.

So what can another government do with the medical records of the people of another country?

Let's see.

The intended targets

Within minutes of the breaking news by the media, PM Lee announced publicly that the attackers would be disappointed with what they found of his records.

In other words, it seems that the effort to find some leverage over him is wasted.

However, it is currently unknown if the 160,000 stolen records of outpatient dispensed medicines include those of other ministers, senior politicians (like Emeritus Senior Minister Goh Chok Tong), senior public servants, and their family members.

They could be targets as well.

Fortunately, the Integrated Health Information System (IHiS)’s database administrators acted immediately to halt the unusual activity on one of SingHealth’s IT databases, to prevent more sensitive information from being lost.

While the 1.5 million sets of non-medical data could present opportunities for state actors, it's likely you, the average Singaporean, will not be affected by this particular attack.

Making sense of the 1.5 million

Addresses can inform the attackers of the likely socio-economic status of patients and the dates of birth can give them a snapshot of the health of the nation.

All this information can then be exploited.

A more direct use of the data would be to cross-check the addresses of key individuals -- ministers, senior politicians, senior public servants -- with other entries within the 1.5 million to figure out who lives with these key individuals. Once you figure out who the family members of key individuals are -- people who usually stay out of the spotlight -- you have more avenues to find leverage.

Once you have leverage, you move on to the next steps.

Using information to persuade, induce, coerce

The fortunate thing is that the state-sponsored hackers in this cyberattack did not obtain patient records, such as diagnosis, test results or doctors’ notes.

In fact, the only slightly sensitive data they obtained was the information on the outpatient dispensed medicines for 160,000 patients.

However, one must be ready and vigilant that things could be worse in future.

What if the state-sponsored hackers obtain the patient records the next time?

The following is what they might well undertake.

Persuasion

Persuasion happens all the time when diplomats meet with their foreign counterparts. It happens in the media as well. It is more about nudging people in the desired direction.

Now suppose I am a foreign diplomat who has information that a senior public servant I am in contact with has a chronic illness -- something innocuous like chronic migraine -- I can use that information to empathise and build rapport as a caring friend.

Perhaps one day, this public servant will come to empathise or sympathise with me and my country. He can then help me open some doors to the right people, tell them that I can be trusted. Perhaps he may even help nudge policy in a way that favours my country.

Coercion

Coercion is easy enough to understand. As long as embarrassing medical information can be found, and the target is likely to be embarrassed by the information being made known, it presents a chance for coercion.

A politician with depression? A public servant with erectile dysfunction?

All possible targets. But whether they will respond favourably to coercion is a gamble.

Inducement

Therefore, if I were a state actor, inducement is probably the tool I would use in conjunction with the medical information I gained.

Let's say I know the medicines dispensed to this public servant -- perhaps cancer medication -- which I know to be expensive. It provides me with an avenue to offer some financial assistance to this public servant in exchange for favours. This is why public servants have to declare every year whether they are financially embarrassed, to make sure they are not susceptible to this sort of inducement.

It gets easier if I know a public servant has a sick family member: people are easier to induce when they are emotionally invested in helping their loved ones.

Singapore's response

Certain online commentaries focused on how the attack was meant to embarrass the Government for allowing the hack to happen and to undermine confidence in our institutions, and argued that Singaporeans should close ranks and be pro-Singapore.

That narrative would have worked only if the attackers had announced the successful attack themselves. Instead, it was the Government who made the announcement.

Embarrassment, at least via the hack itself, was probably not the goal.

Finding ways to influence key individuals could well be the real goal.

In fact, the Government coming out to own the problem has in a way contributed to the "embarrassment" itself. But I believe the reason they announced the attack was to let our attackers know that Singapore was on to their game.

The announcement shone a light on the attack and the subsequent influence operations that would take place afterwards.

PM Lee took the lead to call the attackers out for the game they were playing by using himself as the prime example.

Let's hope that other potential targets -- be it a politician or even a mid-level public servant -- can recognise that they may be subjected to foreign influence and be inoculated against it.