Details of 4,297 potential Singapore Red Cross donors hacked, probably due to weak password

The SRC is currently contacting all affected individuals.

Andrew Koay | May 16, 2019, 05:13 PM

The information of 4,297 potential donors was compromised on May 8 when the Singapore Red Cross's (SRC) website experienced unauthorised access.

Personal details leaked

A statement by the SRC on May 16 reported that the affected part of the website was a section dedicated to recruiting potential blood donors.

Information that was compromised included:

  • Name
  • Contact number
  • Email
  • Declared blood type
  • Preferred appointment date and time
  • Preferred location of donation

The SRC normally uses this information to set up appointments for potential donors at various blood banks and blood mobiles.

The SRC is currently contacting affected individuals.

"Weak administrator password" could be the cause

According to the statement, no other information was affected and the SRC's other databases have not been compromised.

The Health Sciences Authority's (HSA) systems were similarly unaffected by the breach.

The SRC said that they made a police report on the same day after being alerted by their web developer.

Investigations are ongoing.

The incident was also reported to the Personal Data Protection Commission and HSA.

The SRC has also engaged external consultants to conduct forensic investigations to determine the factors that allowed the unauthorised access to happen.

Preliminary findings indicate a "weak administrator password" could have led to the unauthorised access.

In the meantime, the SRC website has been disconnected from the internet and replaced with a temporary webpage with links to relevant websites.

Here's the full statement by the Singapore Red Cross:

1. The Singapore Red Cross (SRC) was alerted by our web developer on 8 May that there was an unauthorised access to part of our website (www.redcross.sg) that supports SRC’s work in recruiting people interested in donating blood.

2. Through the website, members of the public can indicate their interest to make a blood donation. SRC then manually makes the appointments on their behalf with the various blood banks and blood mobiles based on their preferred dates and times.

3. The following information of 4,297 individuals who had registered their interest on the website was compromised - name, contact number, email, declared blood type, preferred appointment date/time and preferred location for blood donations. No other information was affected. SRC’s other databases have not been compromised. The Health Sciences Authority’s (HSA) systems are similarly unaffected by this incident.

4. Upon being alerted, SRC made a Police report on the same day (8 May). Police investigations are ongoing. We have also reported the incident to the Personal Data Protection Commission and HSA.

5. There were measures in place to guard against unauthorised access of the website. While our investigations to determine the nature of the unauthorised access are ongoing, our preliminary findings show that a weak administrator password could have left the website vulnerable to the unauthorised access. As a precaution, we have disconnected the website from internet access, and replaced it with a temporary webpage with links to relevant websites. The website will only be reinstated when all security checks have been completed.

6. SRC takes this incident seriously. External consultants have been engaged to conduct forensic investigations to determine the exact factors that allowed the unauthorised access to the website. The findings and measures to be taken will be reported to the SRC Council (Board) and together with the advice of our IT advisory panel and consultants, we will take necessary action to strengthen our IT security measures.

7. SRC’s Secretary General/CEO Mr Benjamin William said, “Our immediate priority is to ensure affected individuals and partners are notified, while working with the relevant parties to restore and strengthen our IT systems, safeguard our data, and mitigate any future risks. SRC has started to contact affected individuals. We apologise to the users of our website whose information may have been affected by this incident.”
