In the midst of public concerns about the data security breach at Singhealth, it came as a shock to hear the remarks of the chief of the Cyber Security Agency of Singapore (CSA).
When asked by the media if the public should be worried about their personal information being stolen by what are possibly state-sponsored hackers, Chief Executive of CSA, David Koh, said the answer was no.
This, he explained, was because the stolen information is “basic demographic data”.
He said it didn’t appear the stolen property was being sold on the Internet, especially in what is called the “dark web.”
“We are watching to see if anything appears on the Internet both in the open and in some of the less well-known websites,” he added.
“But considering the type of data that’s been exfiltrated, it is – from our professional experience – unlikely that these will appear, because there is no strong commercial value to these types of data.”
The Singhealth breach involved the theft of the names, addresses, birth dates, genders and NRIC information of 1.5m patients.
Mr Koh’s remarks are also published on the website of the Ministry of Communications and Information (MCI), under the title: “Singhealth cyberattack: what you need to know”.
Mr Koh’s views, however, are being criticised online by several parties, and are disputed by security experts whom the press has spoken to.
Blogger zitseng, for example, said, “I can see how much of a treasure trove this 1.5 million records will be to telemarketers. The 160K dispensed medication records also provide more information, including embarrassing medical conditions or long-term ailments the individuals may have.”
“This is not basic demographic data at all. Can Mr Koh give me his full name, NRIC, address, and date of birth, since they are just basic demographic data?” he asked.
Another blogger, atans, highlighted that stolen personal information is a means for others to commit crimes, something the police have been warning the public about, especially when it comes to online scams.
Indeed, banks like UOB also warn of identity theft and scams involving stolen identities.
“NRIC numbers were stolen as were names and addresses,” atans said about the Singhealth breach. “Before this loss of info, we had been told by the PAP govt and private sector cyber security experts that the NRIC number is very important personal data and that when a criminal has access to our i/c number, address and name, lialat: could be vulnerable to all kinds of online crime. So this not true isit?”
Here is a story by Her World in 2011 about identity theft and how it affected one person.
And if personal information is not mere “basic demographic data”, contrary to Mr Koh’s claim, what then of personal medical records?
In fact, experts are of the view that medical records “has increasingly become more valuable than financial data in recent years,” the TODAY newspaper reported.
Pharmaceutical companies could use such information, said Mr Ali Fazeli, director of security consultancy and advisory at cyber-security firm Infinity Risk Control.
“Companies can use it as a marketing material, to research and identify for example, what kind of illnesses and sickness is common in Singapore. If you’re a pharmaceutical company… you’ll know what to sell, and who to sell them to,” he said.
RSA chief cyber security advisor for Asia Pacific and Japan, Leonard Kleinman, agreed.
“On the Dark Web, such data can fetch a high price,” he said. “Each entry can be sold for fifty to a hundred dollars higher than stolen credit card data.”
“Medical data contains a trove of information – from personally identifiable data to financial details – that can be used to create a highly sought-after composite of an individual,” he said.
According to Mr Olli Jarva, managing consultant of software development firm Synopsys, healthcare data is the “item that everybody is after”.
“The healthcare data breach outlines a new reality,” he explained. “Today, we are beginning to see a new and scary fact – healthcare data has grown its value such that hackers are now willing to go the extra mile to obtain it.”
Given all the above views and evidence from security experts, the police, banks and others, one wonders how a chief of cyber security could claim that the personal data of more than a million patients is of “no strong commercial value.”
In any case, whether the data has any commercial value at all is beside the point, isn’t it? The point here is that a massive breach of security and theft of 1.5m patients’ personal information has occurred.
And no matter how you want to spin it, the public should indeed be worried and concerned.
Mr Koh is concurrently the Deputy Secretary (Technology) and Deputy Secretary (Special Projects) of the Ministry of Defence (MINDEF), besides being the Chief Executive of the CSA.
As the Chief Executive of CSA, he fronts the agency’s oversight of national cyber security functions.