Minister for Defence Dr Ng Eng Hen responded today (Jan 6 2020) to questions posed in Parliament on Malware Incidents which occurred in October and December 2019.
The questions focused on the data leak which occurred at ST Logistics and the ransomware attack on HMI Institute of Health Sciences to confidential operations of MINDEF and SAF.
He was asked about the personal data leak affecting 2,400 MINDEF and SAF personnel. When did ST Logistics first discover the phishing attack and when did MINDEF come to know about the leak? And what was the follow-up action plan in place following the two incidents?
Ministry Of Defence deals with two malware incidents towards the end of 2019
Dr Ng Eng Hen said that on 10 October 2019, MINDEF discovered that emails received from ST Logistics contained malware, and alerted their management, whereupon ST Logistics as a first precautionary move blocked outgoing data and emails possibly affected by the malware.
The company’s IT team and external support teams then carried out forensic investigations to provide MINDEF with the affected data for an impact assessment. It was established on 13 December 2019 that personal data of 2,400 MINDEF/SAF personnel could have been leaked. The affected personnel were notified from 21 December 2019.
He continued that in the second incident, HMI Institute discovered a malware infection in one backup server on 4 December 2019, and alerted MINDEF on 9 December 2019. With the help of a cybersecurity firm, HMI investigated the infection and ascertained the individuals from MINDEF/SAF and other organisations whose personal data were on the affected backup server. Although the likelihood of data leak to external parties was assessed to be low, the 98,000 MINDEF/SAF personnel were informed from 21 December 2019.
Both incidents were confined to the systems of the vendors, and did not affect MINDEF’s own systems or result in the loss of classified military information, said Dr Ng Eng Hen.
He added that “MINDEF takes a serious view of these cases. We expect our vendors to protect all personal data that has been entrusted to them.Prior to these incidents, MINDEF had begun including personal data protection clauses in all new contracts involving personal data. We had also been working with vendors, including HMI Institute and ST Logistics, to progressively apply such clauses to existing contracts.”
Next steps to prevent further data breaches in the future
The Minister said the government will further strengthen oversight of its vendors. And that the Ministry will be taking reference from the recommendations of the Public Sector Data Security Review Committee (PSDSRC) so that they will implement a framework to ensure that vendors protect Ministry of Defence data well.
“MINDEF will also implement a tiered cybersecurity framework to ensure that vendors handling more sensitive data are subject to more stringent cybersecurity standards, which may include regular audits.” said the Minister of Defence in his response.
He added that as the risks will continue to evolve, they will continually monitor developments and enhance cyber and data security measures.