Personal information of over 800,000 blood donors was accessible online for 2 months: HSA

Felicia Choo reports:

The personal information of more than 800,000 people who have donated or tried to donate blood in Singapore since 1986 was improperly put online by a Health Sciences Authority (HSA) vendor for more than two months, but access to the database was cut off soon after the discovery.

Disclosing this in a statement on Friday (March 15), the HSA said its preliminary findings indicate that there was only one instance of external access – by a cyber security expert who discovered the vulnerability on Tuesday (March 12) and alerted the Personal Data Protection Commission to it a day later.

Read more on Straits Times.

The vendor was identified in HSA’s press release as Secur Solutions Group Pte Ltd (SSG). According to the press release:

HSA had provided the data to SSG for updating and testing. SSG placed the information in an internet-facing server on 4 Jan 2019 and failed to institute adequate safeguards to prevent unauthorised access. It had done so without HSA’s knowledge and approval, and against its contractual obligations with HSA.

Related: Notice to those affected.

Kudos to the researcher who engaged in responsible disclosure. At the time of this posting, I’m not sure who that was.

About the author: Dissent
