Personal data of 2,400 Mindef, SAF staff possibly leaked after 2 vendors hit by malware
SINGAPORE — Two vendors for the Ministry of Defence (Mindef) and Singapore Armed Forces (SAF) have reported separate malware incidents involving systems containing the personal data of thousands of personnel.
The vendors are the HMI Institute of Health Sciences, which has provided CPR and automated external defibrillator training for Mindef and SAF personnel; and ST Logistics, which has provided logistics services such as eMart retail, said Mindef in a news release on Saturday (21 December). Both companies made use of personal data provided by Mindef and SAF employees for their operations.
The ST Logistics incident stemmed from a series of e-mail phishing activities involving malicious software that was sent to its employees e-mail accounts, said the company in a separate news release. This led to the possible leaking of personal data – including names, NRIC numbers, telephone numbers and residential addresses – belonging to some 2,400 Mindef and SAF staff.
“Preliminary investigations indicate that the personal data could have been leaked,” said Mindef of the incident. ST Logistics, which is owned by Japan Post, has provided its services to Mindef since 1999.
In the HMI Institute incident, their affected system contained the personal data of 120,000 individuals, including the full names and NRIC numbers of 98,000 Mindef/SAF staff.
HMI Institute, which is owned by Health Management International, explained in its own news release that one of its file servers was found to be encrypted by ransomware on 4 December. The server was taken offline immediately following the discovery and subsequent investigations by a cybersecurity firm found that “the incident was a random and opportunistic attack on the file server”.
Mindef noted that in this case, “the likelihood of data leak to external parties is low”.
Both ST Logistics and HMI Institute have informed the Personal Data Protection Commission (PDPC) and the Singapore Computer Emergency Response Team (SingCert) of their respective incidents. The PDPC is currently conducting investigations into the cases.
All affected Mindef and SAF personnel will be notified of the incidents from Saturday.
“The malware incidents affected the IT systems of our vendors. Although Mindef/SAF’s systems and operations were not affected, the malware incidents in these vendor companies may have compromised the confidentiality of our personnel’s personal data,” said Defence Cyber Chief Brigadier-General Mark Tan.
“We will review the cybersecurity standards of our vendors to ensure that they are able to protect our personnel’s personal data and information,” he added.
More Singapore stories:
SAF NSF sustained cervical spine injury during parachute training in Taiwan
