'Multiple safeguards' in place to prevent abuse of stolen SingHealth data: Iswaran

(PHOTO: Getty Images)

Despite last month’s SingHealth data breach, there are “multiple safeguards” in place to prevent the stolen information from being misused, said Minister for Communications and Information S. Iswaran in Parliament on Monday (6 August).

“I want to emphasise that there are multiple safeguards in place to mitigate such risks, especially for financial transactions and sensitive government e-transactions” he said during his Ministerial Statement on the 4 July cyberattack. The incident saw hackers gaining access to the personal data of 1.5 million patients, including Prime Minister Lee Hsien Loong.

Noting that financial institutions generally do not rely on personal information such as the kind that was stolen in order to verify customer identity, Iswaran added that all banks and insurance companies here already use two-factor authentication (2FA) for online financial services, such as fund transfers.

This requires account holders to submit their personal identification number (PIN) and a one-time password received via SMS or their banks’ authentication token.

An additional security layer, known as transaction signing, also helps protect higher-risk transactions such as adding a third-party payee or transferring large sums of money, said the 56-year-old West Coast GRC Member of Parliament.

“Unless the attacker has access to all authentication information, it would not be possible for fraudulent transactions or identity theft to occur,” he said, adding that the Monetary Authority of Singapore has also directed financial institutions here to take further security measures.

Iswaran noted that, since July 2016, all sensitive government e-transactions have been protected by the SingPass 2FA. Since the SingHealth breach, government agencies have also taken steps to boost their cybersecurity such as by strengthening their identity authentication process.

The minister added that individuals can also do their part by practising good personal data protection and cybersecurity habits.

“They should ensure that their passwords, user IDs and security questions are not based on personal data,” he said. “Use strong passwords, enable 2FA for online transactions, and watch out for fraudulent transactions and suspicious requests for personal data.”

Following the SingHealth attack, the Singapore Computer Emergency Response Team (SingCert) has also published online precautions that individuals can take, said Iswaran.

Individuals may also contact SingCert to report cybersecurity incidents and the Personal Data Protection Commission to report personal data breaches.

Related stories:

SingHealth cyberattack fits profile of ‘typically state-linked’ groups: Iswaran

Committee of Inquiry formed to probe cyberattack on SingHealth’s database

SingHealth warns of new phone scam after major cyberattack

SingHealth debunks fake SMS about cyberattack

1.5M patients’ data, including PM Lee Hsien Loong’s, stolen in major cyberattack