Impact of Recent Data Leaks on Confidential Operations of MINDEF and SAF
Ministry of DefenceSpeakers
Summary
This question concerns the impact of data leaks at ST Logistics and HMI Institute on MINDEF and SAF operations, as raised by Ms Rahayu Mahzam and Mr Png Eng Huat. Minister Dr Ng Eng Hen stated the incidents were confined to vendor systems and did not compromise classified military information. He noted that MINDEF detected the ST Logistics malware in October 2019, while HMI Institute reported its server infection in December 2019. To address these breaches, MINDEF is strengthening vendor oversight through new contract clauses and recommendations from the Public Sector Data Security Review Committee. Finally, a tiered cybersecurity framework will be implemented to subject vendors handling sensitive data to more stringent standards and regular audits.
Transcript
21 Ms Rahayu Mahzam asked the Minister for Defence (a) what is the assessment on the impact of the data leak which occurred at ST Logistics and the ransomware attack on HMI Institute of Health Sciences to confidential operations of MINDEF and SAF; and (b) what is the follow-up action that is in place following the two incidents.
22 Mr Png Eng Huat asked the Minister for Defence with regard to the personal data leak affecting 2,400 MINDEF and SAF personnel (a) when did ST Logistics first discover the phishing attack; and (b) when did MINDEF come to know about the leak.
Dr Ng Eng Hen: On 10 October 2019, MINDEF discovered that emails received from ST Logistics contained malware, and alerted their management, whereupon ST Logistics as a first precautionary move blocked outgoing data and emails possibly affected by the malware. The company’s IT team and external support teams then carried out forensic investigations to provide MINDEF with the affected data for an impact assessment. It was established on 13 December 2019 that personal data of 2,400 MINDEF/SAF personnel could have been leaked. The affected personnel were notified from 21 December 2019.
In the second incident, HMI Institute discovered a malware infection in one backup server on 4 December 2019, and alerted MINDEF on 9 December 2019. With the help of a cybersecurity firm, HMI investigated the infection and ascertained the individuals from MINDEF/SAF and other organisations whose personal data were on the affected backup server. Although the likelihood of data leak to external parties was assessed to be low, the 98,000 MINDEF/SAF personnel were informed from 21 December 2019.
Both incidents were confined to the systems of the vendors, and did not affect MINDEF's own systems or result in the loss of classified military information.
MINDEF takes a serious view of these cases. We expect our vendors to protect all personal data that has been entrusted to them. Prior to these incidents, MINDEF had begun including personal data protection clauses in all new contracts involving personal data. We had also been working with vendors, including HMI Institute and ST Logistics, to progressively apply such clauses to existing contracts.
We will further strengthen oversight of our vendors. Taking reference from the recommendations of the Public Sector Data Security Review Committee (PSDSRC), we will implement a framework to ensure that vendors protect our data well. MINDEF will also implement a tiered cybersecurity framework to ensure that vendors handling more sensitive data are subject to more stringent cybersecurity standards, which may include regular audits. As the risks will continue to evolve, we will continually monitor developments and enhance our cyber and data security measures.