When a person donates blood, the donation center collects personal data from the donor. This data is recorded and retained, and the practice is the same the world over. Singapore is no exception. Early in 2019, blood donor data held in a database was breached. Although this was broadcast across the globe within the first few weeks afterward, most people read the headline and the high-level summary and may not have dug into the details.
Vulnerability
The attack used was not excessively complex. An unsecured database was openly available, and given the circumstances it was also unlikely to have been encrypted. The database was located on an internet-facing server. The information on this clearly misconfigured, openly accessible server was exposed on the internet for two months before the issue was reported. The data was exposed for nine weeks beginning January 4, 2019, as reported by the Health Sciences Authority (HSA). The HSA had provided the data to a third-party organization, SecurSolutions Group, to update the database. The exposure was detected by a cybersecurity subject matter expert (SME).
The SME contacted Singapore’s Personal Data Protection Commission (PDPC) on March 13th. The HSA, once alerted to the issue, worked with SecurSolutions Group to disable access to the account, and the HSA is working with the SME to delete the data. As it happens, the cybersecurity researcher was based outside of Singapore. One report stated that there appeared to have been no unauthorized access to the database during the subject period, while another stated the data was accessed by an unauthorized party and possibly exfiltrated.
Affected
There were 808,201 blood donors affected by this negligent act. This exceptionally large number represented the blood donors since 1986, or, to put it in perspective, the blood donors over the last 30+ years. The data possibly or probably accessed and exfiltrated included names, NRIC numbers, gender, number of blood donations, and dates of the last three blood donations, and may have included blood type, height, and weight. The odd coincidence in this instance was that this was not the first time SSG (SecurSolutions Group Pte Ltd.) had noted its servers being accessed from unknown IP addresses.
Lessons Learned
This issue brings up so many areas of concern.
a) The data was on an internet-facing server. In general, they should have thought twice about this. While this is done all the time across the globe, it carries inherent risks, especially when the server is not configured correctly. That was the case here: the data was not secured, and nothing was in place to prevent unauthorized access, because the database was openly accessible.
b) You need to know the scope. The third-party contractor posted the data on the server without the HSA’s knowledge or approval. On review of the contract, this was not allowed. As with any agreement, the parties need to read the contract to know the scope of the project and what may and may not be done.
c) SCM. Supply chain management is still not fully addressed as a part of cybersecurity. When data is entrusted to a third party, that party really should be vetted well before the contract’s execution. Without properly addressing cybersecurity in the supply chain, the business is allowing for a massive mountain of problems. SSG clearly breached its contractual agreement. This is especially notable since the service provider’s (SSG’s) server had been accessed from unknown IP addresses since late 2018. Nor was this the first attack: in 2017, the same server was attacked. With the same server being targeted, was the 2017 incursion used as reconnaissance for this one, rather than being a one-time attack? Overall, the business needs to ask or require a third party to assess its vendors’ security posture.
d) The database was not encrypted. If you are going to have data off-premises and accessible, you might want to have some form of encryption on it. If the database had contained data not attributable to individual persons, a generic aggregation, that would be one case. This one held confidential data directly attributable to specific persons.
In closing…
This certainly was not the first error in judgment, and it most certainly won’t be the last time this happens in the industry. These instances keep occurring across the globe. Somehow we need to publish not only the error but also the remediation methods, so others do not keep perpetuating the idiocy. Please pass this along. After a configuration, the admin should check the configuration to make sure it is within the industry’s norms and guidelines. If it is not, the subject hardware should be reconfigured and retested. This isn’t quantum mechanics. Let’s stop the cycle of stupidity.
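The post-configuration check the closing paragraph calls for, as an added example that is not part of the original post: a small baseline audit that flags the three failures described above (a bind address that makes the server internet-facing, no authentication, no encryption in transit or at rest). The database product and its configuration keys (bind_address, require_auth, tls, encrypt_at_rest, allowed_cidrs) are hypothetical placeholders, and both sample configurations are constructed.

```python
# Added illustration of the "configure, then verify" step: audit a database host's
# settings against a baseline. Product and keys are assumed placeholders.
import ipaddress
# Constructed sample: settings that leave a database openly reachable.
WEAK_CONFIG = """
bind_address = 0.0.0.0
require_auth = false
tls = false
encrypt_at_rest = false
allowed_cidrs = 0.0.0.0/0
"""

# Constructed sample: the same keys after remediation.
HARDENED_CONFIG = """
bind_address = 10.20.0.5   # private address, not reachable from the internet
require_auth = true
tls = true
encrypt_at_rest = true
allowed_cidrs = 10.20.0.0/24, 10.30.1.0/24
"""

def parse_config(text):
    """Parse 'key = value' lines into a dict, ignoring blanks and # comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip()
    return cfg

def is_on(value):
    return value.strip().lower() in ("true", "yes", "1", "on")
def audit(cfg):
    """Return (severity, message) findings; an empty list means the baseline is met."""
    findings = []
    bind = ipaddress.ip_address(cfg.get("bind_address", "0.0.0.0"))
    if bind.is_unspecified or bind.is_global:
        findings.append(("HIGH", "bind_address makes the service internet-facing"))
    if not is_on(cfg.get("require_auth", "false")):
        findings.append(("HIGH", "require_auth is off: anyone reaching the port can read the data"))
    nets = [n.strip() for n in cfg.get("allowed_cidrs", "").split(",") if n.strip()]
    if not nets or any(ipaddress.ip_network(n).prefixlen == 0 for n in nets):
        findings.append(("HIGH", "allowed_cidrs admits every source network"))
    if not is_on(cfg.get("tls", "false")):
        findings.append(("MEDIUM", "tls is off: records cross the network in clear text"))
    if not is_on(cfg.get("encrypt_at_rest", "false")):
        findings.append(("MEDIUM", "encrypt_at_rest is off: a copied data file reads as-is"))
    return findings
```

Run `audit(parse_config(...))` against the live server's exported settings after every change; a non-empty result means reconfigure and retest, exactly the loop the paragraph above describes.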
Resources
CNA. (2019, March 30). Blood donor data leak: HSA’s vendor says information that went online was accessed illegally and possibly extracted. Retrieved from https://www.channelnewsasia.com/news/singapore/personal-data-of-800-000-blood-donors-accessed-illegally-hsa-ssg-11395364
Choo, F. (2019, March 16). 800,000 blood donors’ data put online by HSA vendor. Retrieved from https://www.straitstimes.com/singapore/health/800000-blood-donors-data-pmt-online-by-hsa-vendor
Gatlan, S. (2019, March 15). Insecure database exposes 800,000 Singapore blood donors. Retrieved from https://www.bleepingcomputer.com/news/security/insecure-database-exposes-800-000singapore-blood-donors/
Johnston, M. (2019, March 18). Personal data of 800,000 blood donors exposed in Singapore. Retrieved from https://sg.channelasia.tech/artricle/6518921/personal-dta-800-000-blood-donors-exposed-singapore/
Paganini, P. (2019, March 16). Secur Solutions Group data leak exposes 800,000 Singapore blood donors. Retrieved from https://securityaffairs.co/wordpress/82452/data-breach/secur-solutions-group-data-leak.html
Siew, A. (2019, March 19). More than 800,000 blood donors had personal data exposed, in latest leak in Singapore. Retrieved from https://www.techgoondu.com/2019/03/19/more-than-800000-blood-donors-had-personal-data-exposed-in-latest-leak-in-singapore/