Confidential details of 4,300 potential blood donors leaked in Singapore Red Cross website hack

The details that were exposed included the names, contact numbers, e-mail addresses, declared blood types, preferred appointment dates and times and preferred locations for blood donations

AFP

The personal information of nearly 4,300 blood donors have been leaked after the Singapore Red Cross’ (SRC) website was hacked on Wednesday (8 May). In a statement released today, the SRC reported that the webpages recruiting prospective blood donors were compromised in the hack.

The compromised webpages allows members of the public to register their interest in donating blood. SRC uses the information individuals input into its system to arrange appointments with blood banks and blood mobiles, on the individuals’ behalf.

The confidential details – such as names, contact numbers, e-mail addresses, declared blood types, preferred appointment dates and times and preferred locations for blood donations – of 4,297 individuals who expressed interest in blood donations on SRC’s website were leaked.

SRC said that its other databases and the systems managed by the Health Sciences Authority (HSA) were not affected in the cybersecurity breach. The SRC has reported the incident to the police and the Personal Data Protection Commission.

Investigations are ongoing and preliminary findings from SRC’s internal probe reportedly show that a weak administrator password could have exposed the website to unauthorised access, despite measures that were in place to guard the website from security breaches.

The website has since been disconnected from the Internet and will only be reinstated when security checks conclude. Besides the ongoing police investigation, external consultants have also been engaged to conduct forensic investigations into the incident.

Apologising to the victims of the breach, SRC’s chief executive officer Benjamin William said that the organisation has begun contacting affected individuals. He said: “We apologise to the users of our website whose information may have been affected by this incident.”

Mr William added: “Our immediate priority is to ensure affected individuals and partners are notified, while working with the relevant parties to restore and strengthen our IT systems, safeguard our data, and mitigate any future risks.”

The findings and recommendations of the external consultants will be taken to the SRC Council which will take necessary action to strengthen SRC’s IT security measures, with the advice of its own IT advisory panel and consultants.

The SRC hack and data leak is the latest cybersecurity breach affecting local health-related organisations.

This March, the HSA reported that the confidential details of over 800,000 individuals who had donated or registered to donate blood since 1986 was leaked online by a HSA vendor for over two months. The vendor later claimed that the data was possibly stolen since it was accessed illegally.

Two months before that, the Ministry of Health (MOH) revealed that the confidential details of 14,200 HIV-positive individuals had been leaked online.

Singapore’s worst cyber attack occurred last year when the confidential particulars, medical records and prescriptions of 1.5 million patients, including Prime Minister Lee Hsien Loong and Emeritus Senior Minister Goh Chok Tong, were stolen.