Personal data of MINDEF & SAF personnel could've been leaked after data breach from 2 vendors

MINDEF and the SAF are working with the two vendors to investigate the incidents.

Syahindah Ishak | December 21, 2019, 06:59 PM

Two separate malware incidents involving HMI Institute of Health Sciences (HMI Institute) and ST Logistics have affected the personal data of Ministry of Defence (MINDEF) and Singapore Armed Forces (SAF) personnel.

Details of the malware incidents

In a news statement released on Dec. 21, MINDEF said that the ST Logistics incident could have potentially leaked the personal data of 2,400 MINDEF and SAF personnel.

ST Logistics' affected systems contained full names and NRIC numbers of the personnel, as well as a combination of their contact numbers, email addresses, and residential addresses.

For the HMI Institute incident, their affected system contained personal data of 120,000 individuals, including the full names and NRIC numbers of about 98,000 MINDEF and SAF personnel as well as the details of other HMI Institute customers.

Preliminary investigations indicated that the likelihood of a data leak to external parties is low for HMI Institute's case.

Both vendors were provided with personal data of MINDEF and SAF for the provision of their operations.

ST Logistics is contracted to provide logistics services such as eMart retail and equipping services since 1999.

Meanwhile, healthcare training provider HMI Institute is contracted by SAF to conduct cardiopulmonary resuscitation and automated external defibrillator training for MINDEF and SAF personnel since 2016.

Affected Mindef and SAF personnel receiving text messages

Affected Mindef and SAF personnel are being notified of the personal data breach.

Readers have contacted Mothership.sg to share the text messages informing them about the breach.

MINDEF has also shared publicly on Facebook on how the affected personnel can verify whether the SMS is legitimate.

Investigations are ongoing

MINDEF and the SAF are working with the two vendors to investigate the impact of the malware incidents and the potential disclosure of personal data.

Affected MINDEF and SAF personnel are being notified from Dec. 21 onwards.

In response to the malware incidents, Defence Cyber Chief Brigadier-General Mark Tan said:

“The malware incidents affected the IT systems of our vendors.

Although MINDEF and SAF’s systems and operations were not affected, the malware incidents in these vendor companies may have compromised the confidentiality of our personnel’s personal data.

We will review the cybersecurity standards of our vendors to ensure that they are able to protect our personnel’s personal data and information.”

Response from ST Logistics

According to CNA, the potential breach in ST Logistics' system was due to malicious malware being sent to its employees’ email accounts.

ST Logistics has since carried out extensive forensic investigations into the email phishing activities.

It has also informed the Personal Data Protection Commission (PDPC) and the Singapore Computer Emergency Response Team (SingCERT) of the incident on Dec 16.

ST Logistics chief executive officer Loganathan Ramasamy said via CNA:

“We apologise sincerely for this incident and we owe this to our customers and stakeholders to ensure their personal data is robustly protected.”

Response from HMI Institute

In a news release from HMI Institute on Dec. 21, the institute said that it has engaged a cybersecurity firm to conduct investigations.

The findings show that the incident was a random and opportunistic attack on the file server.

HMI Institute’s main student registry remains intact and unaffected.

This incident has also been reported to the PDPC and SingCert.

HMI Institute is currently completing the implementation of additional IT security enhancement initiatives.

Executive Director of HMI Institute of Health Sciences, Tee Soo Kong, said:

“We take this incident very seriously and we deeply apologise to the students and applicants affected for the inconvenience caused.

Preserving their privacy and keeping their personal data safe are our highest priority.

While we have been informing those affected directly, we are making this announcement as a precautionary measure so that all our students and applicants would be aware and more vigilant.

We have also put in place additional measures to fortify our systems against increasingly sophisticated cyber intrusions.”

Top photos via Singapore Army Facebook.