Insecure Database Exposes 800,000 Singapore Blood Donors

The personal information of 808,201 blood donors who registered to donate since 1986 in Singapore was exposed after the database which contained it was left unprotected on an Internet-facing server for more than two months.

According to The Straits Times, which first reported the data leak incident, Singapore's Health Sciences Authority (HSA) received the initial report on March 13 from the security expert who discovered the unsecured database.

The HSA said in a notification sent to the affected donors that Secur Solutions Group Pte Ltd (SSG), an HSA vendor, was the company which failed to appropriately protect the database against access over the internet:

SSG provides services to HSA and was working on a database containing registration-related information of 808,201 blood donors: Name, NRIC, gender, number of blood donations, dates of the last three blood donations, and in some cases, blood type, height and weight. The database contained no other sensitive, medical or contact information.

As further detailed by the HSA, while investigations are still ongoing, the logs of the passwordless database show that, during the time it was exposed to public Internet access, the only individual who accessed it was the security expert who reported the incident.

Additionally, the HSA stated that SSG left the database unprotected on an Internet-facing machine on January 4, 2019:

SSG had placed the information we provided them on an unsecured database in an internet-facing server on 4 Jan 2019 and failed to put in place adequate safeguards to prevent unauthorised access. This was done without HSA’s knowledge and approval, and was contrary to its contractual obligations with HSA.

Secur Solutions Group also released an official statement saying that the database was secured immediately after the HSA alert was received. The statement added: "We have engaged external cyber security professionals, KPMG in Singapore, and initiated a thorough review of our IT systems. We are working closely with HSA and other authorities in continuing investigations."

HSA CEO Mimi Choong apologized for SSG's security slip and said that the authority will also increase vendor checks from now on:

We sincerely apologise to our blood donors for this lapse by our vendor. HSA treats donor data confidentiality very seriously. We would like to assure donors that HSA's centralised blood bank system is not affected. HSA will also step up checks and monitoring of our vendors to ensure the safe and proper use of blood donor information.
