SingHealth data hacked a "goldmine" for identity thieves: Expert, Latest Singapore News - The New Paper

SingHealth data hacked a "goldmine" for identity thieves: Expert

This article is more than 12 months old

Experts say they may impersonate authorities to get more personal information

Fear, trust and a willingness to help others.

In the wake of Singapore's worst data breach to date, members of the public need to be alert to scammers who may tap on these emotions to trick them into giving up even more personal information, warned cybersecurity experts.

The authorities revealed last Friday that hackers had accessed the personal information of some 1.5 million people who visited SingHealth's hospitals, specialist centres and polyclinics between May 1, 2015, and July 4 this year.

Experts that The New Paper spoke to said such incidents could lead to identity theft, fraud and social engineering attacks, which use human psychology to manipulate victims into revealing confidential information.

"In the aftermath of a major breach involving citizen data, it is very likely that malicious actors will try to capitalise on the general panic to try to get people to reveal even more personal information by way of impersonating authorities over the phone, SMS or email," said Mr Sid Deshpande, research director at research and advisory firm Gartner.

"Therefore, clear communication from the authorities is extremely critical."

In that regard, SingHealth has made several updates on its Facebook page since the breach. SingCert, a unit of the Cyber Security Agency (CSA) of Singapore, has also posted advisories for companies and members of the public on its website with measures that can be taken.

Mr Paul Ducklin, senior technologist at cybersecurity company Sophos, told TNP that the data stolen during the breach was a goldmine for identity thieves.

"The more personal details that cybercriminals know about you, the more likely it is they can convince someone else either that they are you or that they know you really well," Mr Ducklin said.

Patient names, NRIC numbers, addresses, their gender, race and dates of birth were stolen during the cyber attack.

Information on the medication dispensed to about 160,000 of these patients was also taken.

SingHealth said no phone numbers, financial information or other patient medical records were illegally accessed.

Unlike financial information such as credit card details, which can be changed by the issuing bank, personal data like one's name, date of birth and NRIC number are constant, said Synopsys managing consultant Mr Olli Jarva.

This means that hackers may have a longer window to use the leaked information to impersonate accounts.

Mr Jarva said: "Individuals have to stay more alert and observe if there are abnormalities, such as spam calls attempting to request information, or trying to phish more details ."

Local banks told TNP that the data leaked during the breach is insufficient to access their systems, either in-person, online or via phone. - ADDITIONAL REPORTING BY ESTHER LOI