The Monetary Authority of Singapore has released a circular in relation to the cyber attack disclosed on July 20, 2018. Singapore has been hit by what local media are calling the country's "worst" cyber attack. Hackers targeting Singapore's largest health care institution, SingHealth, stole the personal profiles of some 1.5 million patients along with the details of prescriptions for 160,000 others. The personally identifiable information ("PII") stolen included name, NRIC number, address, gender, race and date of birth.
Included in the latter group was Singapore’s prime minister, Lee Hsien Loong, who the Ministry of Health said was targeted “specifically and repeatedly.” The hack on SingHealth is the latest example of the vulnerability of digitized health data. Data breaches of this sort have become increasingly common.
The stolen information may be used by fraudsters to conduct social engineering attacks or identity theft. For example, fraudsters may attempt to perform unauthorized financial transactions by calling a Financial Institution's ("FI") call centre and impersonating its customer using the stolen information.
With immediate effect, FIs are not to rely solely on the types of PII that are stolen in the cyber attack for customer verification. FIs must use additional information which only the customer knows of, such as account number, last transaction date and amount, One-Time Password or PIN, for customer verification before undertaking transactions for the customer.
FIs should conduct a risk assessment on the impact of the SingHealth incident on their existing control measures for financial services offered to customers, including both transaction and inquiry functions, and take immediate steps to mitigate any risks that might arise from the misuse of the compromised information.
MAS recommends that FIs adopt the following measures to protect themselves against a similar attack (Circular No. MAS/TRS/2018/07, 20 July 2018):
- Review domain administrator accounts: conduct a review of the domain administrator accounts, ensuring that access for former staff members is removed.
- Deactivate terminated employees' accounts, but do not delete their details.
- Audit administrator rights and validate who should have access.
- The Administrator username should not be used; rather, administrator rights should be granted to the individual users who require them.
- Disable PowerShell for standard workstations: check whether PowerShell is installed or active.
- Monitor for unauthorized remote access or database access.
- Monitor for unauthorized remote access, but don't specifically look at database access.
- Ensure that remote desktop access is managed through group policy using groups.
- Administrator accounts should not be used for DB access; the DB should have restricted account access.
- Tighten control over long-running or decommissioned endpoints: audit the endpoints and identify any unclassified users.
- Employ strong endpoint protection: ensure that a recommended antivirus is installed and active on the endpoints.
- Keep systems up to date: it is highly recommended that automatic updates are turned off for all Windows machines. Conduct regular manual updates and patch when deemed stable. Removable storage should be disabled or managed by group policy.
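The following audit script is added here as an illustration and is not part of the MAS circular or the SingCERT advisory. It checks several of the measures above on a domain-joined Windows workstation, assuming the RSAT ActiveDirectory module and Microsoft Defender are present; the 90-day staleness threshold and the group name are constructed defaults.

```powershell
#Requires -Modules ActiveDirectory
# Added example: reports findings against the MAS measures (admin account review,
# PowerShell exposure, endpoint protection, removable storage policy).
param(
    [int]$StaleDays = 90,                  # constructed threshold, adjust to policy
    [string]$AdminGroup = 'Domain Admins'  # assumed group under review
)

$findings = [System.Collections.Generic.List[string]]::new()
$cutoff   = (Get-Date).AddDays(-$StaleDays)

# 1. Review domain administrator accounts: flag members that are disabled
#    (terminated but still in the group) or have not logged on recently.
Get-ADGroupMember -Identity $AdminGroup -Recursive |
    Where-Object objectClass -eq 'user' |
    Get-ADUser -Properties Enabled, LastLogonDate |
    ForEach-Object {
        if (-not $_.Enabled) {
            $findings.Add("$AdminGroup member '$($_.SamAccountName)' is disabled; remove it from the group")
        } elseif (-not $_.LastLogonDate -or $_.LastLogonDate -lt $cutoff) {
            $findings.Add("$AdminGroup member '$($_.SamAccountName)' has no logon in $StaleDays days; validate the need for admin rights")
        }
    }

# 2. PowerShell on this workstation: the circular asks whether it is active.
#    Constrained language mode and a restrictive execution policy are the usual controls.
$mode   = $ExecutionContext.SessionState.LanguageMode
$policy = Get-ExecutionPolicy -Scope LocalMachine
if ($mode -eq 'FullLanguage' -and $policy -in 'Unrestricted', 'Bypass') {
    $findings.Add("PowerShell runs in FullLanguage mode with machine execution policy '$policy'")
}

# 3. Endpoint protection: antivirus must be installed, active and current.
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if (-not $mp -or -not $mp.AntivirusEnabled -or -not $mp.RealTimeProtectionEnabled) {
    $findings.Add('Antivirus is not active on this endpoint')
} elseif ($mp.AntivirusSignatureLastUpdated -lt (Get-Date).AddDays(-7)) {
    $findings.Add("Antivirus signatures last updated $($mp.AntivirusSignatureLastUpdated)")
}

# 4. Removable storage: the 'All Removable Storage classes: Deny all access'
#    policy writes Deny_All=1 under this key when applied through Group Policy.
$rsdKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$rsd = Get-ItemProperty -Path $rsdKey -ErrorAction SilentlyContinue
if (-not $rsd -or $rsd.Deny_All -ne 1) {
    $findings.Add('Removable storage is not denied by Group Policy on this endpoint')
}

if ($findings.Count -eq 0) { 'No findings' } else { $findings }
```

Run it from an account with read access to Active Directory; each finding maps back to one bullet in the list so the output can be tracked as a remediation item.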
FIs can refer to the following Technical Advisory issued by the Singapore Computer Emergency Response Team (SingCERT) for further information:
Technical Advisory on Measures For Protecting Customers’ Personal Data
The pertinent points from this URL include:
- Ensure that any sensitive data is encrypted, and limit the access of employees and other stakeholders according to their roles. Stored passwords should be encrypted.
- Companies should review their data retention policies on the duration and the types of PII data that should be stored. To further limit data exposure, companies are advised to purge customers' PII once it is no longer required, for example for accounts that have been terminated.
- Recommended Security Measures
Lastly, this MAS circular refers to the 28-page PDPC document, GUIDE TO DEVELOPING A DATA PROTECTION MANAGEMENT PROGRAMME. Clearly, this is an attempt to ensure that all FIs are reviewing and updating their policies and practices in line with PDPC guidelines. It's a bit of a catch-all, dealing predominantly with the management of client and personal information (PII) and other Singaporean spam/Do Not Call guidelines. The document includes sample clauses and templates to guide FIs.
- The Personal Data Protection Act 2012 of Singapore
- DMAS Commercial Electronic Messaging Compliance
- Singapore’s Spam Control Act
Circular No. MAS/TRS/2018/08, 24 July 2018, is self-explanatory. It reminds FIs that they need to be vigilant when verifying potential customers/clients, and that they should use information other than NRIC, date of birth, name, address, etc. to ensure that fraudsters are not impersonating their potential customers/clients. Depending on the information a company holds on its customers today, it may need to modify its client verification mechanisms (e.g. use PINs, 2FA, or email verification URL links) to prove authenticity.
Every day, new attacks are created and released, and as fast as they can be neutralized, new ones spring up. Everyone must be vigilant in helping customers identify weaknesses in their systems, especially if there is no IT department. Implementing as many layers of protection and preventative policies as possible will help to diminish the threats and to limit the liability of both you and your customer. The widespread use of new technology in the workplace has led to an increase in a new class of cyber threats. Understanding these threats and implementing a strong cybersecurity posture can help prevent losses. Think Security. Think Ahead.