I was thinking that if I wanted to turn the SingHealth hack into a national crisis, I could. After all, 1.5 million sets of personal particulars have been stolen, including the outpatient medication data of 160,000 people. It also seems to be state-sponsored attack, said our own state, and the people who are in the know might even know who’s behind this. So is it the Americans? The Chinese? The Russians? The, ahem, Malaysians? Shades of cyber-terrorism! Conspiracies! We should be on national alert!
What a good time this would be to roll out a cyber protection campaign, sign up the best and the brightest for cyber-security classes and have a top 10 list of the best anti-virus products (and we’re not talking about the health kind)! What about a Change-Your-Password Day? Time to close ranks, ring fence and hold hands.
But it seems everyone is taking it all in their stride, a testimony to how well the “when and not if’’ anti-terrorism mantra has sunk into the national psyche. Of course, there is the other type of reaction: why aren’t our cyber-security protocols strong enough? Why didn’t the health sector de-link their computers from the Internet like everybody else in the public sector? Why did it take more than a week for the G to tell us what happened?
I almost forgot a third type of reaction: “It could have been worse’’, which is the sorriest excuse for any bad circumstance.
I’d wager, though, that the relative calm is more a result of ambivalence and depends on how deeply an individual feels about privacy. So after an initial “Wah, even the Prime Minister kena hack’’, we leave it alone and trust that the G would deal with it. That would be good news for the G – we leave things to the experts and the Committee of Inquiry set up to investigate what happened.
But it won’t be good news if the calm is due to people not caring about what had happened.
Perhaps, there is a presumption of safety in numbers – “so many people, can’t be about me’’. Also, it “can’t be about me’’ since the G keeps maintaining that the target was Prime Minister Lee Hsien Loong. So it’s about him.
I am not one of the people affected. And those affected whom I know seem more pleased to have been personally informed via SMS than worried about what people will do with their name, address, race, gender, IC number and date of birth. It doesn’t help that Cyber Security Agency chief executive David Koh said the stolen information are “basic demographic data” which has “no strong commercial value’’. Commentators have wondered if he was right to dismiss health data so easily.
I wonder too.
I mean, I could sell the data to a drug company which would know how to price its medicines properly or where to open a pharmacy, set up a clinic – and which drug I should tamper with if I want to get rid of a whole lot of people.
My bigger wonder is over the G’s messaging – should we be worried or not? If there’s no strong commercial value, then the hack is more for strategic and political reasons. Shouldn’t this be more worrying? Or we should leave it to the G to worry about it?
In any case, I doubt that many people are worried, so used are we to giving our personal data willy-nilly that we have to be told that you don’t have to leave your IC at the security counter of a building and agencies should stop publicising such numbers even if they belonged to lottery winners!
I am one of those pesky people who always give receptionists, security guards and nosey parkers grief when asked for personal details. I admit that I sometimes give false info when I see no reason for the company, agency or nosey parker to know more about me than I want to divulge.
Q: “We just need your address, email, contact number in case we need to contact you.’’
A: “But why would you need to contact me at all? I don’t want to be contacted by you.’’
Q: “We need your date of birth for our records…’’
A: “Why? Are you sending me a birthday present?’’
Q: “Look, we just need your IC number…’’
A: “Why do you need to verify who I am? I’m just another customer!’’
Wags will say there is nothing to fear if you have nothing to hide. My reply will be “I have nothing to hide, but why do you want to know?’’
My private data is part of me. I am no mass produced robot with a manufacturer’s stamp and which can be opened up for some stranger to peer into my component parts.
You can bet that I would be rather furious if I was one of the 1.5 million and worse, if I was among the 160,000. I would argue that SingHealth is not part of the public sector but operates restructured hospitals and clinics under what is legally a private company. I mean, that’s why it didn’t follow public sector rules on ‘’de-linking’’, right? So the PDPA should be thrown at it. After all, that’s what’s likely to happen if a private medical group faced the same problem.
It is right that the end-user should be careful about passwords and so forth, or about simply leaving a work-station un-attended. It is right that we should have protocols that might make life more difficult – but safe from cyber attacks. It is right that we train experts.
Methinks the key to firming up attitudes on cyber-security is not to look at whether the stolen private data is valuable.
It must start with us, by putting a value on our own private data.