It’s not a good weekend for Mindef’s PR team.
After a statement yesterday about an NSF’s injury in Taiwan, Mindef has released yet another statement, and this time it could involve you and me.
ST Logistics, a contractor that provides logistic services such as the eMart system and equipping services for SAF, suffered a data breach. The personal data of 2,400 Ministry of Defence (MINDEF) and Singapore Armed Forces (SAF) personnel has therefore been potentially leaked.
The data includes names, NRIC numbers, home addresses or telephone numbers.
People whose data have been compromised will be notified.
But how did it happen?
Apparently, it’s due to email phishing activities involving malicious malware sent to its employees’ email accounts. In other words, it’s preventable if the employees had been more careful not to anyhowly click on any links.
ST Logistics CEO said, “We apologise sincerely for this incident and we owe this to our customers and stakeholders to ensure their personal data is robustly protected.”
And, by the way, since this is a data breach and it involves just a third party that handles logistics, please do not think that your remaining ICTs and IPPTs will be wiped off from the system.
It doesn’t work that way, soldier.
And unfortunately, this isn’t the only case Mindef has to face.
Another SAF Vendor Hit with Ransomware on 4 December 2019
It turns out that earlier this month, another SAF vendor has been hit by ransomware.
Basically, ransomware is when a hacker lock you out of your server (or account) and demand money from you, if not he or she would delete everything in the server.
Healthcare training provider, HMI institute of Health Sciences, is a contractor that’s somehow contracted for SAF’s Cardio Pulmonary Resuscitation (CPR) and Automated External Defibrillation (AED) courses. I use “somehow” because as someone who’s been in SAF, I’ve always thought that these courses were done in-house by SAF instructors.
But anyways.
The server comprises 120,000 individuals and 98,000 of them are SAF servicemen who have gone through the CPR and AED courses.
They’ve determined that there’s no evidence that the data in the affected server is copied or exported. These data includes full names, NRIC numbers, dates of birth, home addresses and email addresses.
The company, however, mentioned that there is a “a low likelihood of a data leak”.
Oh, wells. If they’re talking to an encik, I bet he’d be saying, “You think I think who confirm!?”
There’s been no update on what happens after that; the executive director of the company simply said, “We take this incident very seriously and we deeply apologise to the students and applicants affected for the inconvenience caused. Preserving their privacy and keeping their personal data safe are our highest priority.
“While we have been informing those affected directly, we are making this announcement as a precautionary measure so that all our students and applicants would be aware and more vigilant. We have also put in place additional measures to fortify our systems against increasingly sophisticated cyber intrusions.”
Mindef’s Response
Do you know that there’s a Defence Cyber Chief?
Me neither.
And it’s not a Colonel but a Brigadier-General. I guess I’m really a lao peng who only knows how to fight with a SAR21.
He said, “The malware incidents affected the IT systems of our vendors. Although Mindef/SAF’s systems and operations were not affected, the malware incidents in these vendor companies may have compromised the confidentiality of our personnel’s personal data. We will review the cybersecurity standards of our vendors to ensure that they are able to protect our personnel’s personal data and information.”
So, boys (and girls), remember: it’s going to be 2020 soon. Have good digital hygiene, please.