Felicia Choo reports:
The personal information of more than 800,000 people who have donated or tried to donate blood in Singapore since 1986 was improperly put online by a Health Sciences Authority (HSA) vendor for more than two months, but access to the database was cut off soon after the discovery.
Disclosing this in a statement on Friday (March 15), the HSA said its preliminary findings indicate that there was only one instance of external access – by a cyber security expert who discovered the vulnerability on Tuesday (March 12) and alerted the Personal Data Protection Commission to it a day later.
Read more on Straits Times.
The vendor was identified in HSA’s press release as Secur Solutions Group Pte Ltd (SSG). According to the press release:
HSA had provided the data to SSG for updating and testing. SSG placed the information in an internet-facing server on 4 Jan 2019 and failed to institute adequate safeguards to prevent unauthorised access. It had done so without HSA’s knowledge and approval, and against its contractual obligations with HSA.
Related: Notice to those affected.
Kudos to the researcher who engaged in responsible disclosure. At the time of this posting, I’m not sure who that was.