What to make of the SingHealth cyber attack that saw the personal data of 1.5 million users hacked?
A tale of negligence, bo chup-ness, and cover-your-ass where the rot starts at the top.
Mostly, if not for some gallant ground staff who tried their best to prevent the hack but got stonewalled because their colleagues behaved exactly as described above.
Let’s start from the top, with IHIS CEO Dr Chong Yoke Sin.
The cyber attack that took place in July this year has its roots in a database loophole back in 2014.
Then, an employee discovered the loophole, which he thought could be used by anybody, even laymen, to gain control of the database and result in a “serious medical data leak, or even a national security threat”.
He was sacked for leaking the information to a rival tech vendor, but no formal investigation was launched into the loophole even though Dr Chong knew how serious the situation was.
Then we have the rogue employee’s supervisor, Clarence Kua, Deputy Director of the Chief Information Officer’s Office.
When pressed by the COI as to why he knew about the potential national security threat but did a NATO, aka “no action, talk only”, he said that his focus was to track the personal email address the rogue employee sent to leak the information.
And, stating that he was someone who preferred to “take order”, he said he was more concerned about effecting discipline over the ethical breach because that’s what his CEO, Dr Chong, was interested in.
Everyone below thought it was case closed on the matter from then on, since an upgrade of the database’s system architecture would plug the hole.
Fast-forward to 2018.
A hacker used a publicly available hacking tool to penetrate a SingHealth workstation as a result of that loophole from years back, and because of careless systems management – inactive administrative accounts that connected to the medical records database were not deactivated.
And how’s this for a kicker – one admin account had its password set as “P@ssword”.
Nice one lah.
Now we have our IHIS heroine Katherine Tan, a database administrator, who saw strange patterns around 11 June that looked like someone was trying to breach the system by sending many access requests and hoping one would hit the mark.
She told her boss, Teresa Wu, about the potential breach, and her boss told her to go ask her colleagues.
But despite emailing them…
“No one responded to my query, and I never followed up to press for an answer to the matter.”
For close to a month, the matter was allowed to slide.
IHIS Cluster Information Security Officer Wee Jia Hou said he didn’t have a framework for reporting cyber threats, and merely glossed over emails related to the matter.
And anyway, according to Wee, this kind of security matter was handled by Senior Manager for Infra Services-Security Management, Ernest Tan.
Ernest Tan was on holiday in Japan and when he came back he thought the whole thing wasn’t a serious breach and if it was a “reportable security threat” then it was Wee’s job and not his to escalate the reporting of the threat.
Meanwhile, with all the buck-passing going on, our heroine Katherine Tan didn’t stop there – she independently developed a script to try and stop the unusual activity and managed to complete it on 5 Jul, almost a month after the suspicious activity was first detected.
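For readers wondering what “strange patterns” and “many access requests hoping one would hit the mark” look like on the ground, here is an added example. It is not Katherine Tan’s script (the hearings as reported here don’t say what hers did) and not IHIS or SingHealth code. It takes a constructed login audit log in a made-up “timestamp result account@source” format and flags three of the failures the story turns on: a burst of failed logins from one source host (password guessing), a successful login right after that burst (the guess that “hit the mark”), and admin accounts that have sat idle and were never deactivated. A small check at the end shows why “P@ssword” passes a complexity rule and is still trivially weak. Log lines, account records, thresholds and the log format are all assumptions for illustration.

```python
"""Login-burst, dormant-admin and weak-password checks over constructed data.

Added example for illustration; not code from IHIS, SingHealth or the COI.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit lines: "<ISO timestamp> <FAIL|OK> <account>@<source host>".
# The format is an assumption for this example, not any real product's log format.
SAMPLE_LOG = """\
2018-06-11T02:14:03 FAIL svc_admin@10.20.1.55
2018-06-11T02:14:04 FAIL svc_admin@10.20.1.55
2018-06-11T02:14:05 FAIL svc_admin@10.20.1.55
2018-06-11T02:14:07 FAIL svc_admin@10.20.1.55
2018-06-11T02:14:09 FAIL svc_admin@10.20.1.55
2018-06-11T02:14:12 FAIL svc_admin@10.20.1.55
2018-06-11T02:14:15 OK   svc_admin@10.20.1.55
2018-06-11T08:01:10 FAIL k.tan@10.20.3.9
2018-06-11T08:01:30 OK   k.tan@10.20.3.9
"""

# Constructed account inventory; "last_login" is an ISO date or None (never used).
ACCOUNTS = [
    {"name": "svc_admin", "is_admin": True, "last_login": "2017-09-30"},
    {"name": "k.tan", "is_admin": True, "last_login": "2018-06-10"},
    {"name": "legacy_dba", "is_admin": True, "last_login": None},
    {"name": "report_ro", "is_admin": False, "last_login": None},
]

LINE_RE = re.compile(r"^(\S+)\s+(FAIL|OK)\s+(\S+)@(\S+)$")


def parse_log(text):
    """Return a list of (timestamp, result, account, source) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, result, user, src = m.groups()
            events.append((datetime.fromisoformat(ts), result, user, src))
    return events


def find_bursts(events, window=timedelta(minutes=5), threshold=5):
    """Map source host -> max number of FAILs inside any sliding window of `window`,
    keeping only hosts that reach `threshold`. Two typos from a real user never do."""
    fails = defaultdict(list)
    for ts, result, _user, src in events:
        if result == "FAIL":
            fails[src].append(ts)
    flagged = {}
    for src, times in fails.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[src] = best
    return flagged


def burst_then_success(events, window=timedelta(minutes=5), threshold=5):
    """Map flagged source host -> sorted accounts that logged in OK within `window`
    after that host's last failure: the guess that hit the mark."""
    hits = defaultdict(set)
    for src in find_bursts(events, window, threshold):
        last_fail = max(ts for ts, r, _u, s in events if s == src and r == "FAIL")
        for ts, result, user, s in events:
            if s == src and result == "OK" and timedelta(0) <= ts - last_fail <= window:
                hits[src].add(user)
    return {src: sorted(users) for src, users in hits.items()}


def dormant_admins(accounts, now, max_idle_days=90):
    """Sorted names of admin accounts never used or idle longer than `max_idle_days`."""
    cutoff = now - timedelta(days=max_idle_days)
    out = []
    for acct in accounts:
        if not acct["is_admin"]:
            continue
        last = acct["last_login"]
        if last is None or datetime.fromisoformat(last) < cutoff:
            out.append(acct["name"])
    return sorted(out)


# Leetspeak substitutions undone before the deny-list lookup; a tiny list for illustration.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e", "!": "i"})
DENYLIST = {"password", "welcome", "admin", "letmein"}


def is_trivially_weak(pw):
    """True if pw is a deny-listed word dressed up with symbols or a digit suffix."""
    core = pw.lower().rstrip("0123456789").translate(LEET)
    return core in DENYLIST


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("bursts:", find_bursts(evs))
    print("burst then success:", burst_then_success(evs))
    print("dormant admins:", dormant_admins(ACCOUNTS, datetime(2018, 6, 11)))
    print("P@ssword weak?", is_trivially_weak("P@ssword"))
```

The threshold and window are deliberately simple; the point is that a handful of lines of scripting turns “a lot of failed logins” into a named source host, a named account and a list of admin accounts that should have been disabled, which is exactly the kind of output that is hard to leave sitting in an unanswered email for a month.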
But it was too little too late.
An emergency meeting was called days later and the Cyber Security Agency was alerted on 10 July.
Possible middle fingers behind closed doors aside, the matter was then disclosed to the public on 21 July.
And therein, after 5 days of COI hearings, we hear the tale of negligence and bo chup-ness displayed by IHIS, with the rot starting from the top.
Now, who’s going to man up and take responsibility for the fiasco – Health Minister Gan Kim Yong, or Minister for Communications and Information S Iswaran?
Or will there be no more buck left to pass because, you know, no-blame culture?