Some 850 employees and national servicemen in Singapore would do well to change their online passwords immediately, after news emerged yesterday that their personal data was stolen from Ministry of Defence (Mindef) computers.
The NRIC numbers, telephone numbers and birth dates of these unfortunate users were lost as part of a cyber attack that breached the defences for one of the most security-conscious government agencies here.
With that data, cyber criminals could try logging in to e-government services, as some of them rely on an NRIC number as a username.
Or they could sell the information to spammers to deliver annoying messages on the phone. In an interconnected world, any data that exposes a user is a useful link to cyber criminals for follow-up attacks.
Bad news is, the victims may not yet know who they are. The defence ministry said it was reaching out to them within the week, after first discovering the hacks in early February. Meanwhile, their data is still out in the open, possibly to be exploited.
The incident has proven once more that defending against today’s cyber threats is an uphill struggle, even for the most prepared.
To be sure, the computers breached at the ministry were on its I-net system, which lets servicemen and employees go online. These are less strictly secured than those that store classified information, which was not stolen, according to the ministry.
Though it might come as a shock to the public, the attack on the ministry should not surprise anyone tasked to defend against such increasingly sophisticated cyber threats.
No longer are casual hackers and petty criminals involved in online attacks today. “State actors”, or government-sanctioned hackers, are the most dangerous threats now because of their training, skills and organisation.
The recommended approach today is to assume that your systems are already compromised, that an attacker has already entered the premises.
Industry experts now speak of an arms race. Just as cyber defences have relied on artificial intelligence (AI) to automate the search for vulnerabilities and identify attacks, hackers have learnt to fine-tune their attacks by using autonomous systems as well.
To its credit, the defence ministry has been open in announcing the hack. It could not hide, after all, when the protection of personal data was at stake.
The attack, said to be “targeted and carefully planned”, is also another wake-up call for government agencies planning to go digital with more e-services in the months ahead.
After personal data was stolen from SingPass accounts in 2014 to perform illegal e-government transactions, many agencies were forced to move from an antiquated login system to a more robust one using hardware tokens.
This time round, the emphasis must be on how the attack was carried out. Since the defence ministry’s public-facing computers were expected to be breached, what were the safeguards in place to protect users’ personal data? Why was this accessible on the arguably more vulnerable systems?
Investigations are still ongoing now, but the public has a right to know what happened, just as customers of a bank, e-mail provider or department store should be told if their data was lost.
Indeed, the government has a larger responsibility. Not just because people tend to trust it more – citizens often have no alternative but to deal with an agency. National serviceman, for instance, depend on the defence ministry to keep their data protected.
The government routinely fines small and medium enterprises (SMEs) if they are deemed to have inadequate security measures in place to protect customers’ data.
Why happens when the defence ministry loses personal data, then? The Personal Data Protection Act doesn’t apply to public agencies but surely they have to show they are better equipped to deal with emerging threats than SMEs.
Ultimately, what can end users do to protect themselves, if these breaches are expected to be more common? Unfortunately, the only advice is to be constantly vigilant.
Responding to each attack by quickly changing passwords or using multiple accounts to avoid being locked out all at once may be among the few mitigating actions one can take. This is the new normal.
