Gov’t “noble” to disclose SingHealth security breach, says security expert

If you think the Singapore government was less than upfront in disclosing the SingHealth security breach, some security experts may disagree with you.

“CSA and the Singapore Government have done a good job detecting (the cyberattack) in a timely manner and publicly disclosed the incident – which is a very noble thing to do,” Mr Eric Hoh told Channel NewsAsia (CNA). He said that the tendency was for victims to “sweep the matter under the rug”.

Mr Hoh is the president of FireEye Asia Pacific, a network security company.

CNA also quoted other security specialists who agreed with Mr Hoh.

Sanjay Aurora, managing director of Darktrace Asia Pacific, said that for SingHealth to have detected, investigated and reported the incident within a month is a “comparative success”.

“How many other countries around the world are capable of even detecting this attack within a month, let alone be able to conduct a full investigation in this short time period?” he said.

Another person CNA spoke to was Jeff Hurmuses, managing director of Asia Pacific at US-based cybersecurity firm Malwarebytes. He said the authorities have acted “promptly” to plug the breach.

“They actually responded to the breach and disclosed it to potentially affected users very quickly,” he said.

The data theft occurred on 4 July, was confirmed by the authorities on 10 July, and was only made public on 22 July. Contrary to what the above experts have said, members of the public have questioned why the government took more than 2 weeks from the day of the breach itself to inform the public.

Lawyer Rajesh Sreenivasan, for example, said it was “near impossible”, without details of the breach, to ascertain if the authorities’ response was timely.

Mr Rajesh is the head of Technology, Media and Telecommunications at law firm Rajah & Tann.

“The reality is that (the) breach notification could be done in stages,” he said, adding that “the cyberattacks could be part of a larger series of attacks, and notifying the public too early could compromise investigations.”

Singapore’s Cybersecurity Act requires any such information leaks to be reported to the cybersecurity commissioner. However, in this case, the administrators of Integrated Health Information System (IHIS) are not required to do so because the law is not yet in force.

Nonetheless, CNA reported:

“Mr Bryan Tan, partner at Pinsent Masons, said the Cybersecurity Act is not yet implemented and the notification timeline has yet to be set out when the SingHealth hack took place.

“He did point out that, on a general level, it is a “fair question” why the regulators and affected persons were not informed of the data breach quicker. He also questioned why the Personal Data Protection Commission (PDPC), which has been investigating data breaches here, does not appear to be involved in this particular case.”

The massive data leak involved the personal records of 1.5m patients, including that of Prime Minister Lee Hsien Loong and Emeritus Senior Minister Goh Chok Tong.

The chief of the Cyber Security Agency of Singapore (CSA), David Koh, said that the stolen data has “no strong commercial value”, when asked earlier if the public should be worried that their personal information was stolen.