SingHealth, PDPA, Smart Nation, sigh!


Looks like I am clear from the data breach at SingHealth. My Mom’s data, however, is not. This is the SMS received:

singhealth-sms-redacted

Yes, I’ve redacted her name, and yes, I use Signal as my SMS application as well as for secure communication.

While it is nice that SingHealth sent out the SMS, notice the bit.ly URL. Why would the words “cyber-attack” be in it? What were they thinking when they picked that one up as a means to inform? Would the people receiving it feel better or feel terrified? Would they NOT have been further alarmed, regardless of the subsequent words in the SMS text? The “bit.ly/cyber-attack18” is redirected to https://www.singhealth.com.sg/AboutSingHealth/CorporateOverview/Newsroom/NewsReleases/2018/Pages/cyberattack.aspx.

So, here are some common sense ways to send information:

a) In the text, say the following:

“$NAME, your name, IC, address, gender, race & birth of date were accessed but not altered. Mobile no. medical & financial info NOT accessed. No action needed. We apologise for anxiety caused. For queries, email check@singhealth.com.sg. Please also check: bit.ly/my-data.”

Notice that I’ve added clarity to the 2nd second sentence because I have no idea what “unaffected” means. Communications and simple language is what we need here.

b) Have a sample of what the SMS would look like at the SingHealth website so as to mitigate scam SMSes which I am told were sent around.

c) In that SingHealth page, it failed to link to the appropriate information from the Cyber Security Agency of Singapore and SingCert to help corroborate the information. Citation needed – just follow the simple Wikipedia rule of citing sources.

d) None of the social media sites should be used as the primary and authoritative source of information. Certainly, one can and should use all channels, but never leave out one’s primary site. I have seen this in many organizations who have abdicated their independence and rely on social media sites as the primary source for information and news about their outfits. Use the Internet well please. Decentralized is the Right Thing to do.

Personal Data Protection Act

Well, guess what? Singapore government and agencies are exempt from PDPA exposure. So, the 1.5 million people whose data got exfiltrated have no recourse and SingHealth (and their service provders) won’t be penalized under PDPA.

Update: 24 July 2018: From my post of this blog to LinkedIn, I am told that SingHealth is not a public agency exempt from PDPA.

It is quite disappointing to see how even the SingHealth site highlights “The attackers specifically and repeatedly targeted Prime Minister Lee Hsien Loong’s personal particulars and information on his outpatient dispensed medicines.”.

If I were to take the SingHealth site as having good intentions, they should have emphasized as follows:

“The attackers specifically and repeatedly targeted Prime Minister Lee Hsien Loong’s personal particulars and information on his outpatient dispensed medicines.  But, regardless, every person whose data was exfiltrated is a target, it might not be immediately evident to us.” or something like that. My Mom’s data is just as important as Hsien Loong’s.

Smart Nation

Kudos to Hsien Loong in saying that the Smart Nation project will continue (and if that link is behind a paywall) regardless of this incident, but we must be smart(er) in how we go about doing this project.

I spoke in 2015 at the GovWare event (slides) and it was about going beyond a secure smart nation. As of today, Sunday 22nd July 2018, we have no means to secure this country as it continues (even after a pause) in it’s efforts to become “smart”. Our lynch-pin is our power source. Slide 19 and 22 onwards discuss the energy dependence of these smart nation projects. And yet, we do not have any (yet) viable renewable energy source. Cyber security is very much tied into energy security which is the SPOF.

For our Smart Nation initiatives to be successful in the long term, three factors need to be in place:

  1. Secure by default
  2. Open standards based
  3. Open Source Reference Implementation.

As long as we have systems that run operating systems that are known to be broken and risky (see the 1st word in the 2nd line)

img_20180722_080402
1st word, 2nd line is all you need to know (from Sunday Times 22 Jul 2018)

I particularly like how the media keeps harping that this is a sophisticated attack and that this could only have been done by some state actor. I do find it rather weak.

Let’s look what I think there are multiple angles in this case:

  • The “Lee Hsien Loong” data interest is just that. Since he has a level of prominance, if someone is trying to get to data and sees his information, naturally, they’ll be thinking “hmm, did I get into a mother lode? let’s see what else I can find”. To me, that bit is a red herring.
  • I have to assume that the data sitting in the database was encrypted. I will have to give the benefit of the doubt. If I don’t, then there are even bigger questions.
  • Why are they still running insecure Windows systems? That in itself is a big clue as to why there is a problem and an on-going problem.
  • It appears that SingHealth was aware of a problem on 4th July. I have to assume that they activated their security people and raised the issue with CSA promptly. (Again, I am assuming good intent). It took 16 days for this to be made public on 20 July. Maybe they needed to verify, verify, verify, and I am prepared to give them some slack on it.
  • Are the exfiltrated data useful? Of course it is useful. Names, ages, NRIC numbers, addresses perhaps, and any other information is valuable to someone. I do not accept some statements by the authorities that “these are not commercially important”. Is data valuable only if it is commercially useful?

Screenshot from 2018-07-22 11-45-47 https://www.gov.sg/news/content/channel-newsasia—singhealth-cyberattack-what-you-need-to-know

 

So, there you have it. Day 2 since the revelation. And we are not out of the woods yet.

[Update based on feedback on twitter]

so, if you can’t log in via SingPass and you don’t have a Singapore mobile number, I guess you are out of luck.

Advertisements

3 Comments

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.