SINGAPORE – More than 4,000 individuals have had their personal information leaked after part of the Singapore Red Cross’ (SRC) website was hacked last Wednesday (May 8).
This is the latest in a string of data breach incidents affecting health-related organisations in Singapore.
The part of the SRC website affected was the section that recruits people interested in donating blood, it said in a statement on Thursday (May 16).
Through the website, members of the public can indicate their interest in making a blood donation. The SRC then manually makes the appointments on their behalf with the various blood banks and blood mobiles based on their preferred dates and times.
Information of 4,297 individuals who had registered their interest on the website was compromised. Their names, contact numbers, e-mail addresses, declared blood types, preferred appointment dates and times and preferred locations for blood donations were leaked.
The SRC has started to contact affected individuals, said its chief executive officer Benjamin William.
“We apologise to the users of our website whose information may have been affected by this incident,” he said.
No other information was affected and the SRC’s other databases were not compromised. The Health Sciences Authority’s (HSA) systems are also unaffected by the incident.
The SRC made a police report on the same day and police are investigating the incident.
The organisation has also reported the incident to the Personal Data Protection Commission and HSA.
Investigations to determine the nature of the unauthorised access are ongoing, but preliminary findings from the SRC’s investigations show that a weak administrator password could have left the website vulnerable to unauthorised access.
As a precaution, the website has been disconnected from Internet access, and replaced with a temporary webpage with links to relevant websites, said the SRC.
The website will be reinstated only when all security checks have been completed.
There were measures in place to guard against unauthorised access of the website, said the SRC.
External consultants have been engaged to conduct forensic investigations to determine the exact factors that allowed the unauthorised access.
Findings and measures to be taken will be reported to the SRC Council, and along with the advice from the SRC’s IT advisory panel and consultants, necessary action will be taken to strengthen the IT security measures, said the SRC statement.
Mr William said: “Our immediate priority is to ensure affected individuals and partners are notified, while working with the relevant parties to restore and strengthen our IT systems, safeguard our data, and mitigate any future risks.”
In March, the HSA said that the personal information of more than 800,000 people who have donated or registered to donate blood in Singapore since 1986 was improperly put online by an HSA vendor for more than two months.
It was initially thought that only a foreign cyber-security expert, who spotted the vulnerability in the server that stored the data, had accessed it.
The vendor, Secur Solutions Group, later said its server was also accessed suspiciously from several other IP addresses between October and March this year, and the data was accessed illegally and possibly stolen.
In January, the Ministry of Health (MOH) revealed that the confidential information of 14,200 HIV-positive individuals had been leaked online by Mikhy Farrera-Brochez, an American who had been living in Singapore.
Last year, in Singapore’s worst cyber attack, about 1.5 million patients who visited SingHealth’s specialist outpatient clinics and polyclinics from May 1, 2015, to July 4, 2018, had their personal particulars illegally accessed and copied.
The outpatient prescriptions of Prime Minister Lee Hsien Loong and a few ministers were among the stolen data.
This article was first published in The Straits Times. Permission required for reproduction.