2 vendors for Mindef, SAF hit by malware; personal data of 2,400 staff could have been leaked

SINGAPORE – The personal data of 2,400 Ministry of Defence (Mindef) and Singapore Armed Forces (SAF) personnel may have been leaked.

The data leak involved ST Logistics, which is contracted to provide logistics services such as eMart retail and equipping services for the SAF, Mindef said in a statement on Saturday (Dec 21). The data included the full names and NRIC numbers, and a combination of contact numbers, e-mail addresses or residential addresses.

The breach was a result of a recent series of e-mail phishing activities involving malicious malware sent to its employees’ e-mail accounts, ST Logistics said in a statement on Saturday.

In a separate incident, a healthcare training provider’s server, which contains the data of 120,000 individuals including 98,000 SAF servicemen, was found to have been infected by ransomware on Dec 4.

The training provider, HMI institute of Health Sciences, has hired a cybersecurity firm to conduct investigations and concluded that the incident was a random and opportunistic attack on the server and there was no evidence that the data has been copied or exported. There is a low likelihood of a data leak, the company said in a statement on Saturday. 

The data in the affected server included personal information of some or all of the students’ and applicants’ data, such as full names, NRIC numbers, dates of birth, home addresses and e-mail addresses. The 98,000 SAF servicemen affected are those who attended the Cardio Pulmonary Resuscitation (CPR) and Automated External Defibrillation (AED) courses conducted by the institute.

Both vendors have apologised for the malware incidents.

‘’ST Logistics is committed to ensure that all personal data in our possession is treated with high standards of integrity. We apologise sincerely for this incident and we owe this to our customers and stakeholders to ensure their personal data is robustly protected,” said ST Logistics chief executive officer Loganathan Ramasamy.

“We take this incident very seriously and we deeply apologise to the students and applicants affected for the inconvenience caused. Preserving their privacy and keeping their personal data safe are our highest priority ,” said Mr Tee Soo Kong, executive director of HMI Institute of Health Sciences.

“While we have been informing those affected directly, we are making this announcement as a precautionary measure so that all our students and applicants would be aware and more vigilant. We have also put in place additional measures to fortify our systems against increasingly sophisticated cyber intrusions.”

Both incidents have been reported to the Personal Data Protection Commission and the Singapore Computer Emergency Response Team.

Mindef and SAF are working with both vendors to investigate the impact of the malware incidents and the potential disclosure of personal data.

“Mindef and the SAF take a serious view on the secure handling of personal data by our vendors. The security of their IT systems is an important factor that will be taken into account in the award of contracts,” the ministry said.

Defence Cyber Chief Brigadier-General Mark Tan said: “The malware incidents affected the IT systems of our vendors. Although Mindef/SAF’s systems and operations were not affected, the malware incidents in these vendor companies may have compromised the confidentiality of our personnel’s personal data. We will review the cybersecurity standards of our vendors to ensure that they are able to protect our personnel’s personal data and information.”

Affected Mindef and SAF personnel are being notified from Saturday, Mindef added.