No classified military information was lost in the recent malware incidents that affected the personal data of Ministry of Defence (MINDEF) and Singapore Armed Forces (SAF) personnel, said Defence Minister Ng Eng Hen.

Defence Minister Ng Eng Hen said in a written Parliamentary reply on Jan. 6 that while personal data was affected, the malware infections were confined to the systems of the respective vendors that reported them — ST Logistics and the HMI Institute of Health Sciences (HMI Institute).

Nevertheless, Ng said MINDEF takes a serious view of such cases, as it expects its vendors to safeguard all personal information entrusted to them.

The ministry reported the two separate malware infections that hit the two companies on Dec. 21, 2019.

ST Logistics incident

The affected ST Logistics’ system contained full names and NRIC numbers of the personnel, as well as a combination of their contact numbers, email addresses, and residential addresses.

Ng said MINDEF first discovered on Oct. 10 that ST Logistics emails contained malware.

ST Logistics blocked potentially affected outgoing data and emails as a precautionary measure, before the company's IT and external support teams performed investigations.

It was eventually established on Dec. 13 that the personal data of 2,400 personnel could have been leaked. These individuals were from Dec. 21, 2019 contacted and informed of this.

HMI Institute incident

HMI Institute's affected system contained the personal data of 120,000 individuals, including the full names and NRIC numbers of about 98,000 MINDEF and SAF personnel, as well as details of other HMI Institute customers.

HMI Institute discovered the infection on a backup server on Dec. 4, 2019, and alerted MINDEF to it on Dec. 9, 2019.

HMI then investigated and determined whose personal data were on the server with the help of a cybersecurity firm, Ng said.

Although the likelihood of a data leak to external parties was assessed to be "low", the 98,000 affected personnel were informed from Dec. 21, 2019 onwards.

Security measures

Ng said that prior to the incidents, MINDEF had already begun including personal data protection clauses in contracts it signs with external vendors, particularly those who handle personal data.

The ministry is also working with their current vendors, including ST Logistics and HMI Institute, to apply these clauses to all their existing contracts.

MINDEF's oversight of vendors will also be strengthened, Ng says, along with cyber and data security measures.

"Taking reference from the recommendations of the Public Sector Data Security Review Committee (PSDSRC), we will implement a framework to ensure that vendors protect our data well.

MINDEF will also implement a tiered cybersecurity framework to ensure that vendors handling more sensitive data are subject to more stringent cybersecurity standards, which may include regular audits."

Top image from Ong Ye Kung's Facebook page.