Singapore—The country’s Ministry of Defence (MINDEF) announced in a news release on Saturday, December 21, that it is aware that two of its vendors have suffered malware incidents which could have caused a leak of the personal data of 2,400 SAF and MINDEF personnel.
The two vendors affected are HMI Institute of Health Sciences Pte Ltd (HMI Institute) and ST Logistics Pte Ltd (ST Logistics). The data leak, which happened through e-mail phishing involving malware, occurred at ST Logistics, a privately owned company that provides SAF and MINDEF with third-party logistics services, including equipping services and eMart retail.
HMI Institute, on the other hand, has been conducting training in cardiopulmonary resuscitation and automated external defibrillator use for MINDEF/SAF personnel since 2016. Both companies hold the necessary personal data of MINDEF/SAF personnel.
The impact of the data breach is now being investigated by MINDEF and SAF together with HMI Institute and ST Logistics.
The HMI Institute system affected by the breach contains the personal data of 120,000 personnel, including the full names and NRIC numbers of about 98,000 MINDEF/SAF personnel. The full names, NRIC numbers, contact numbers, email addresses, dates of birth and residential addresses of other HMI Institute customers have also been compromised.
The news release added that initial investigations into the malware incidents show that the possibility of “data leak to external parties is low.”
Under the Personal Data Protection Act (PDPA), firms are required to protect the personal data of their clients.
The malware incidents have been reported by HMI Institute and ST Logistics to the Personal Data Protection Commission (PDPC), which is now conducting investigations, as well as the Singapore Computer Emergency Response Team (SingCERT).
The news release also says that MINDEF and SAF take a serious view of the secure handling of personal data by their vendors, and have contacted other vendors who hold personal data to strengthen their own IT systems.
From December 21 onward, MINDEF and SAF have been contacting the personnel affected by the data breach.
“The malware incidents affected the IT systems of our vendors. Although MINDEF/SAF’s systems and operations were not affected, the malware incidents in these vendor companies may have compromised the confidentiality of our personnel’s personal data. We will review the cybersecurity standards of our vendors to ensure that they are able to protect our personnel’s personal data and information,” Defence Cyber Chief Brigadier-General Mark Tan said in response to the malware incidents.
On Facebook, MINDEF announced:
“We are aware of the malware incidents at two of our external vendors, HMI Institute of Health Sciences (HMI Institute) and ST Logistics, involving a compromise of personal data. We are working closely with ST Logistics and HMI Institute to investigate the incidents, and they are reviewing and tightening their IT security measures.
If you are one of the affected individuals, you will be receiving an SMS message from MINDEF. Here’s how you can verify if the SMS you received is legitimate.
For further queries, please contact:
HMI Institute: 6564 6152 or email@example.com
ST Logistics: firstname.lastname@example.org”