Welcome back to our Data Breach of the Month series, where we look at a notable cyber incident or data breach from the past month. Sometimes we’ll offer deeper analysis of the latest big breach, and other times we’ll focus on a lesser known incident that has outsized implications for the security industry.
In each case, you’ll learn the type of data breached, the vulnerabilities or gaps that were exploited, and what organizations can do to remediate effectively and address potential root causes.
So without further ado, our breach of the month for January, 2019 is… the theft and disclosure of confidential information from the Singapore Ministry of Health HIV registry.
On January 22nd, Singapore’s Ministry of Health was informed by the police that confidential information from their HIV registry had been leaked online. The data included names, identification numbers, phone numbers, addresses, HIV test results, and other medical information for 14,200 HIV patients. The leaked data is a few years old, with no information from after 2013.
The data is believed to have been stolen and leaked by Mikhy Brochez, a US citizen who lived in Singapore from 2006, before being convicted of fraud- and drug-related crimes in 2017, and deported following a brief prison sentence in 2018. Brochez likely stole the data as early as 2014—and the police were aware of the theft in 2016—but Brochez was able to hold onto the confidential records even after being deported, and leaked the data months later.
How Did it Happen?
Brochez was able to access the data using his partner Ler Teck Sang’s credentials. Ler was the head of the Ministry of Health’s National Public Health Unit. Ler has since been charged with other crimes relating to his aiding Brochez’s criminality while in Singapore. While Ler may have been unaware that Brochez was using his credentials for this purpose, the incident is best categorized as a malicious insider threat.
How to Minimize the Risk of this Type of Breach
Malicious insider threat is nearly impossible to eliminate entirely, because some people will always need to be trusted with access to sensitive systems. Since the data theft, the Ministry of Health and the Singaporean government at large have implemented policies to protect against insider threats, such as requiring two people to approve downloads of data from the HIV registry, and a government-wide policy to disable portable storage devices on official computers.
Granular, role-based access controls are a must in any system that stores or processes sensitive data. For example, in D3’s SOAR and Case Management solution, user roles determine the exact information someone can see, right down to individual form fields. This level of control helps protect against data leakage and compliance violations, without compromising users’ ability to collaborate with their colleagues who might have lower access levels.
Audit trails also help deter insider data theft by leaving indisputable evidence of who has accessed, handled, and exfiltrated sensitive data. Having uneditable audit trails in your systems will help you prove who is guilty of mishandling data. They are also valuable evidence to present to regulators or law enforcement during investigations, audits, and lawsuits to demonstrate that your data-handling processes are compliant.
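To make the three controls above concrete, here is an added example (not code from D3 or the Ministry of Health) of a small registry access layer: field-level role filtering, a bulk export that refuses to proceed without two approvers distinct from the requester, and a hash-chained audit log whose verify() fails if any earlier entry is edited. The role names, field names and record values are constructed for illustration.

```python
import hashlib
import json

# Constructed roles: which registry fields each role may see.
ROLE_FIELDS = {
    "clinician": {"patient_id", "name", "phone", "address", "hiv_result"},
    "analyst": {"patient_id", "hiv_result"},  # de-identified view only
}


class AuditLog:
    """Append-only log where each entry commits to the hash of the previous one."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, actor, action, detail):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        entry = {"actor": actor, "action": action, "detail": detail, "prev": prev}
        entry["hash"] = self._digest(entry)  # hash covers prev, so edits break the chain
        self.entries.append(entry)

    def verify(self):
        """Return True only if every entry is intact and correctly chained."""
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or self._digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True


def view_record(record, role, actor, log):
    """Return only the fields the role is entitled to, and log the access."""
    allowed = ROLE_FIELDS.get(role, set()) & set(record)
    log.record(actor, "view", {"patient_id": record["patient_id"], "fields": sorted(allowed)})
    return {k: v for k, v in record.items() if k in allowed}


def export_allowed(requester, approvers):
    """Two-person rule: two distinct approvers, neither of whom is the requester."""
    return len(set(approvers) - {requester}) >= 2


def export_registry(records, requester, approvers, log):
    """Bulk export of the registry, gated by the two-person rule and always logged."""
    if not export_allowed(requester, approvers):
        log.record(requester, "export_denied", {"approvers": sorted(set(approvers))})
        raise PermissionError("bulk export requires two independent approvers")
    log.record(requester, "export", {"approvers": sorted(set(approvers) - {requester}), "count": len(records)})
    return list(records)
```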
Thanks for joining us. We’ll see you back here next month for a new Data Breach of the Month.