The personal data of the 800,000 blood donors in Singapore whose details were found on an unsecured database on an internet-facing server has been accessed and possibly stolen.
It was previously thought that the data had not been accessed illegally and that the foreign cyber security expert who discovered the vulnerability was the only one to have accessed it. This now appears not to be the case.
An investigation into the incident has been opened by the police.
Secur Solutions Group (SSG), the independent vendor of the Health Sciences Authority (HSA) at the heart of this controversy, has been working closely with authorities to investigate the incident.
As the results of this investigation come in, it appears that the exposed data was in fact accessed, with the vendor revealing that its server was accessed suspiciously from other IP addresses between October 2018 and March 2019.
“Based on this new information, SSG cannot exclude the possibility that registration-related information of donors on the server was exfiltrated,” said SSG in a statement.
It has not been made public whether these IP addresses were local or foreign or how many times the server was accessed. Investigations are still ongoing as to whether the data was stolen and, if so, by whom.
The incident took place when the provider was working on a database containing the registration-related information of 808,201 blood donors, which included names, NRIC, gender, number of blood donations, dates of the last three blood donations, and in some cases, blood type, height and weight.
The data also covered visitors to HSA’s blood banks, including those who were unable to donate blood due to illnesses.
Since the incident, the vendor has worked closely with professional services firm KPMG in Singapore to help conduct forensic analysis. A thorough review of the vendor’s IT systems was also conducted.