A cyber attack which resulted in the theft of the personal data of 854 national servicemen and Ministry of Defence (Mindef) employees occurred weeks before it was detected on Feb 1, Second Defence Minister Ong Ye Kung revealed in Parliament on Monday (April 3).
The attack is still being investigated, and findings will be “kept confidential for security reasons”, said Mr Ong, who was responding to questions from Members of Parliament (MPs) on the breach of the I-net system, which was made public on Feb 28.
The system provides Internet access to national servicemen as well as employees from Mindef and the Singapore Armed Forces (SAF).
Noting that the hackers’ “modus operandi was consistent with a covert attack”, Mr Ong nevertheless said that if the perpetrators were found to be based in Singapore, “we will make sure we take them through the process of law”.
Mindef had previously said that classified military information was not compromised, as this was stored on a separate and more secure system which is not connected to the World Wide Web. However, the personal data of I-net account holders, comprising NRIC numbers, telephone numbers and dates of birth, were stolen.
The information was “basic” and could not be used to conduct further hacking attempts, Mr Ong said in response to a question from Non-Constituency MP Dennis Tan.
Mr Ong noted that on a daily basis, Mindef and the SAF experience “hundreds of thousands of cyber intrusion attempts ranging from simple probes to sophisticated cyber espionage efforts”.
Citing industry reports, he said it takes an average of about 150 days, or around five months, before a breach is discovered in any computer system.
For example, the hacking into the United States Government’s Office of Personnel Management began in November 2013, but was only discovered in March 2014. This breach resulted in the loss of up to 18 million personal data records, Mr Ong noted.
“More recently, hackers breached the email servers of the Democratic National Committee in mid-2015, and this was detected only in April 2016, almost a year later and by which time, all of their emails and chats had been stolen,” he added.
He reiterated that Mindef adopts a “multi-layered, risk-based approach to cyber defence which balances between connectivity and speed on one hand, and security on the other”, with systems that contain sensitive military information physically separated from the Internet, and protected by access controls and encryption.
Mindef and the SAF will enhance their defence against cyber attacks by developing better assessment tools, data analytics and content-scanning engines.
The storage of personal data on their Internet systems will also be reviewed to minimise risks of cyber theft, Mr Ong said. Nevertheless, he stressed that the “weakest link” in the defence against cyber attacks “is often the human factor”.
He added: “We can have the most sophisticated … cyber defence system, but if you don’t have the discipline … and you plug your external device into your office network, it will infect (the whole network).”