A breach into an Internet system such as that of the Defence Ministry (Mindef) would require some level of sophistication, cyber security experts told TODAY, adding that it may even have been a hit conducted by state-sponsored entities from other countries.
They also pointed out that no matter how robust any IT system is, it would be susceptible to attempted hacking.
Yesterday, Mindef revealed that a breach in its Internet access system in early February led to personal data being stolen. These included identity-card numbers, telephone numbers, and dates of birth of around 850 servicemen and employees.
Experts such as Dr Steven Wong, president of the Association of Information Security Professionals, and Mr Nick Savvides, security advocate for Symantec Asia-Pacific and Japan, said that they are not ruling out the possibility that the incident involved state-sponsored entities.
Dr Wong said that historically, state-sponsored entities have committed data breaches, such as the apparent data hack on the United States government by the Russians.
Mr Savvides agreed: “Considering the high profile of the victim involved in this cyber breach and level of sophistication involved, attacks of this level generally involve state-sponsored actors or highly skilled politically motivated hacker groups.”
Dr Wong also said that since it was a well-targeted and carefully thought-out breach, it appears that there was a reconnaissance phase, where the hacker had monitored Mindef’s IT systems for a long time to find and take advantage of a point of exploitation.
“No systems are 100-per-cent secure, so it’s just a matter of time before something like that would happen.”
Mr Anthony Lim, director of computing security association Cloud Security Alliance, cautioned that one implication of the attack would be that it might set “a precedent for other attempts to try to breach the systems”.
Mr Sanjay Aurora, managing director (Asia-Pacific) of cyber security firm Darktrace, said this also means that there would be more pressure for Singaporean organisations to adopt artificial intelligence to respond to these inevitable threats.
One “pressing issue” now, Dr Wong said, would be to get the affected personnel to practise “good digital hygiene”, including resetting their passwords and reporting any suspicious activity related to the use of their personal information.
Failing which, there could be “a multiplier effect”, where each of the 850 personnel are “seeds for a potential (further) breach” that may affect even more people.
Mr Phil Trainor, the Asia-Pacific head of security business from cyber security firm Ixia, said: “The most salient fact remains that Mindef implemented proper network segmentation (separated systems for classified information) and kept the most critical information safe.”