The personal information of 808,201 blood donors who registered to donate since 1986 in Singapore was exposed after the database which contained it was left unprotected on an Internet-facing server for more than two months.
According to The Straits Times, which first reported the data leak incident, Singapore’s Health Sciences Authority (HSA) received the initial report on March 13 from the security expert who discovered the unsecured database.
The HSA said in a notification sent to the affected donors that Secur Solutions Group Pte Ltd (SSG), an HSA vendor, was the company which failed to appropriately protect the database against access over the internet:
SSG provides services to HSA and was working on a database containing registration-related information of 808,201 blood donors: Name, NRIC, gender, number of blood donations, dates of the last three blood donations, and in some cases, blood type, height and weight. The database contained no other sensitive, medical or contact information.
As further detailed by the HSA, while investigations are still ongoing, the logs of the passwordless database show that, during the time it was exposed to public Internet access, the only individual who accessed it was the security expert who reported the incident.
Additionally, the HSA stated that SSG left the database unprotected on an Internet-facing machine on January 4, 2019:
SSG had placed the information we provided them on an unsecured database in an internet-facing server on 4 Jan 2019 and failed to put in place adequate safeguards to prevent unauthorised access. This was done without HSA’s knowledge and approval, and was contrary to its contractual obligations with HSA.
Secur Solutions Group also released an official statement saying that the database was secured immediately after the HSA alert was received. The statement adds: “We have engaged external cyber security professionals, KPMG in Singapore, and initiated a thorough review of our IT systems. We are working closely with HSA and other authorities in continuing investigations.”
HSA CEO Mimi Choong apologized for SSG’s security lapse and said that the authority will also increase vendor checks from now on:
We sincerely apologise to our blood donors for this lapse by our vendor. HSA treats donor data confidentiality very seriously. We would like to assure donors that HSA’s centralised blood bank system is not affected. HSA will also step up checks and monitoring of our vendors to ensure the safe and proper use of blood donor information.