Senior manager was reluctant to report cyber attack, Latest Singapore News - The New Paper

Senior manager was reluctant to report cyber attack

This article is more than 12 months old

It would have resulted in more stress and work, he tells inquiry committee

It was his job to sound the alarm on suspicious cyber activities in Singapore's biggest health network - but Mr Ernest Tan Choon Kiat decided not to, even though the warning signs were there.

The reason for his reluctance: It would lead to more work for him and his team and pressure from his bosses. He went so far as to claim that he and his team members would have "no night, no day".

Yesterday, he told the Committee of Inquiry (COI) looking into the country's worst cyber attack: "I thought to myself: 'If I report the matter, what do I get?' If I report the matter, I will simply get more people chasing me for more updates. If they are chasing me for more updates, I need to be able to get more information to provide them."

Mr Tan, who also started tearing when talking about the stress he was under after his mother was hospitalised soon after the cyber attack, is the senior manager in charge of the cyber security of infrastructure at IHiS - an agency that runs the IT systems of all public healthcare operators in Singapore.

IHiS' role in the SingHealth cyber attack - which compromised the personal data of 1.5 million patients and the outpatient prescription information of 160,000 people, including Prime Minister Lee Hsien Loong and several ministers - has come under intense scrutiny before the four-member COI.

Since the inquiry began on Aug 28, a lack of awareness on the seriousness of the attack, tardy response by IHiS staff and inaction by its management were some of the issues which had been highlighted.

Intrusions into SingHealth's electronic medical records system began on June 27 but were discovered only on July 4 and terminated that day by a junior staff member, IHiS' database administrator Katherine Tan.

Mr Tan was alerted to suspicious network activities on June 13 by his subordinate, IHiS system engineer Benjamin Lee, on an internal chat group.

Cluster information security officer Wee Jia Huo was also included in the chat. Mr Tan was on leave and did not read the messages until he was back in the country on June 18.

After returning to work, he was "not concerned" with the reported incidents as he was waiting for forensic analyses to be done. Mr Tan also did not think that it would be his job to raise the alarm.

During Mr Tan's absence, his superior, Mr Wee, also did not take action, not realising the severity of the incidents.

Yesterday, Mr Tan reiterated that any reporting would be necessary only if it had been proven there had been a successful attack. He also claimed that he was too busy with "isolating, containing and defending" after the attack, that he did not have time to alert management.

His inaction continued even after his subordinate Mr Lee messaged the chat group on July 4: "We really need to escalate into incident... seems like someone managed to get into the SCM db already... attack is going on right now... attacker is already in our network."