
HIV data leak incident could recur unless multiple layers of checks are in place, say experts

SINGAPORE — Following Monday’s (Jan 28) revelation that information on 14,200 people with the human immunodeficiency virus (HIV) and over 2,000 others had been leaked online, cyber-security experts are warning that similar incidents could occur unless multiple layers of deterrence are put in place.


One expert proposed the use of a data monitoring system which continuously oversees the information accessed by the user, especially for those with privileged access to information, such as department heads.

“This would include monitoring how many times a person has accessed a report, how many times the person has modified the record, and how many times they have tried to export or print those records. Such actions can be easily logged with software,” said Mr Ali Fazeli, director of security consultancy and advisory at cyber-security firm Infinity Risk Control.

The HIV patients’ information was leaked by American Mikhy K Farrera Brochez, who is believed to have obtained the records from his boyfriend Ler Teck Siang, the former head of the National Public Health Unit (NPHU) at the Ministry of Health (MOH).


Mr Vijay Arularasu, a cyber-security consultant, said that the incident could have been flagged earlier if there had been an audit trail which tracks information such as who had been accessing or exporting the data, and the number of times he had done so.

But someone else, such as a person of a higher authority, has to look over those records and flag anything that does not look right, he added.

The MOH said on Monday that additional safeguards against the mishandling of confidential information by authorised staff members have been put in place since 2016. These include a two-person approval process to download and decrypt registry information to ensure that the information cannot be accessed by a single individual.

However, Mr Ali cautioned that there remained a possibility that data breaches could still occur if both users agreed to access and extract the data for misuse.

Dr Ori Sasson, director of cyber-intelligence firm S2T, said that it was also important to ensure that staff could only access what they are supposed to.

“Sensitive information should be masked. So even if you can access the data, you won’t be able to see everything,” he said. “For instance, if a doctor is looking at the blood type of a patient, he shouldn’t be looking at his NRIC or something else.”

Cyber-security experts warned that incidents perpetrated by an “insider threat” — a person within the organisation who had access to information — are harder to control.

Said Dr Sasson: “Insider threats are dangerous in cyber security. These people need to access the data for work, and as there are people involved, this creates a challenge.”

The Smart Nation and Digital Government Office, which oversees Smart Nation projects and the digital transformation of the Government, said that it constantly reviews its internal guidelines, which incorporate lessons from recent incidents.

“(The) Government has been investing in building technical systems that will allow agencies to use data safely. We have introduced stronger safeguards to prevent unauthorised downloading of information, for example, by disabling USB ports from unauthorised endpoint devices since 2017,” the office said.

“We will continue to roll out new technical measures that will help to safeguard personal data more systematically and robustly.”
