SINGAPORE — The authorities are investigating two malware incidents that could have led to the leak of personal data of thousands of personnel from the Ministry of Defence (Mindef) and the Singapore Armed Forces (SAF). 

The incidents involved third-party vendors, the HMI Institute of Health Sciences and ST Logistics.

The systems at ST Logistics affected by the malware contained full names and NRIC numbers and a combination of contact numbers, email addresses or residential addresses of about 2,400 Mindef and SAF personnel. 

Preliminary investigations indicate that the personal data could have been leaked, Mindef said in a statement on Saturday (Dec 21).

ST Logistics, which is contracted to provide logistics services such as eMart retail and equipping services for Mindef and SAF personnel, said in a statement that the potential breach was a result of a recent series of email phishing activities involving malicious malware sent to its employees’ email accounts.

“This data, contained in working files residing in affected workstations, may have been exfiltrated,” it said.

ST Logistics added that it has carried out “extensive forensic investigations” into these activities through its own cyber security team and with the support of external cyber security experts.

HMI Institute, meanwhile, discovered a file server to be encrypted by ransomware on Dec 4. 

The institute is contracted by the SAF to conduct cardiopulmonary resuscitation and automated external defibrillator training for Mindef and SAF personnel 

The affected server primarily contained backup information on 120,000 individuals, such as their full names, NRIC numbers, dates of birth, home addresses and email addresses, depending on the course they had enrolled or applied for. 

Among the affected individuals, about 98,000 are SAF servicemen who attended the Cardio Pulmonary Resuscitation and Automated External Defibrillation course, whose full names and NRIC numbers were backed up in the affected server.

Upon discovery of the incident, HMI Institute said it immediately engaged a cybersecurity firm to conduct investigations. 

“The findings so far show that the incident was a random and opportunistic attack on the file server. Also, based on the investigation findings of the cybersecurity firm, while the information in the affected server was encrypted, there is no evidence that it has been copied or exported, hence there is a low likelihood of a data leak.”

The affected file server has since been decommissioned from use and the institute’s main student registry remains intact and unaffected, it added.

Both companies have informed the Personal Data Protection Commission and the Singapore Computer Emergency Response Team of the incidents, they said. They are also informing all affected individuals.

Mindef said in its statement that the ministry and the SAF take a serious view on the secure handling of personal data by their vendors. 

“The security of their IT systems is an important factor that will be taken into account in the award of contracts. Mindef/SAF is also engaging other vendors who hold information of Mindef/SAF personnel to strengthen the security of their IT systems,” it added. 

Defence Cyber Chief Brigadier-General Mark Tan said that although Mindef and SAF’s systems and operations were not affected, the malware incidents in these vendor companies may have compromised the confidentiality of their personnel’s personal data. 

“We will review the cybersecurity standards of our vendors to ensure that they are able to protect our personnel’s personal data and information.”

ST Logistics chief executive officer Loganathan Ramasamy said that the company is committed to ensuring that all personal data in the company’s possession is treated with “high standards of integrity”.

“We apologise sincerely for this incident and we owe this to our customers and stakeholders to ensure their personal data is robustly protected,” he said.

HMI Institute executive director Tee Soo Kong said the institute has put in place additional measures to fortify its systems against increasingly sophisticated cyber intrusions

“We take this incident very seriously and we deeply apologise to the students and applicants affected for the inconvenience caused. Preserving their privacy and keeping their personal data safe are our highest priority,” he added.