Singapore has experienced yet another breach, only this time it is the Singapore Red Cross (SRC), which saw the personal data of 4,297 people compromised when its website was hacked, the organisation admitted in a statement.
An investigation is ongoing. According to the statement, SRC became aware of the breach when a web developer who worked for the organisation raised the alarm about unauthorised access to the website that supports the recruitment of interested blood donors.
“The following information of 4,297 individuals who had registered their interest on the website was compromised: name, contact number, email, declared blood type, preferred appointment date/time and preferred location for blood donations,” SRC disclosed.
At this time, it appears no other information was compromised; however, investigations are ongoing.
In a separate incident earlier this year, the personal data of about 800,000 blood donors was accessed after a foreign cyber security expert discovered a security flaw.
In that case, the personal data was found in an unsecured database on an internet-facing server. The independent vendor responsible for the server, Secur Solutions Group, worked closely with the Health Sciences Authority (HSA) to investigate the incident.
In SRC's case, individuals register an expression of interest to donate blood through its website, after which SRC makes appointments on their behalf.
Other databases appear not to have been affected in the incident, and the HSA's own systems were also not compromised. A police report has been made, and a report has been submitted to the HSA and the Personal Data Protection Commission.
According to the SRC, the incident may simply have resulted from a weak administrator password that left the website vulnerable.
“There were measures in place to guard against unauthorised access of the website,” said SRC. “While our investigations to determine the nature of the unauthorised access are ongoing, our preliminary findings show that a weak administrator password could have left the website vulnerable to unauthorised access.”
As a precautionary measure, SRC said its website has been disconnected from the internet, and a temporary website with links to other relevant websites has been put in its place. The website will only go live again once all relevant security checks have been completed, said SRC.
Security consultants have also been engaged to investigate the incident. Their findings will be known once they complete a comprehensive forensic investigation to determine the exact nature of the incident and how it occurred.
The findings will be submitted to the SRC Council, which will take the necessary steps to secure its IT infrastructure with the advice of its IT advisory panel.
“Our immediate priority is to ensure affected individuals and partners are notified, while working with the relevant parties to restore and strengthen our IT systems, safeguard our data, and mitigate any future risks,” said Benjamin William, secretary-general and chief executive officer, SRC.
“SRC has started to contact affected individuals. We apologise to the users of our website whose information may have been affected by this incident.”
The cyber security community commended the SRC's response in informing the affected individuals and its transparency in announcing the breach.
“We commend the rapid response of SRC in informing the affected individuals and their transparency in announcing this breach,” said Yeo Siang Tiong, general manager for Southeast Asia at Kaspersky Lab. “May this accident remind everyone that the security of your systems and networks can crumble with just a single weak password.”
“For health organisations, and all enterprises in general, we would like to highlight the need for them to beef up their security capabilities. A holistic approach to cyber defence is highly necessary.”