MCI's response to PQ on Singapore Red Cross Data Breach Incident
Parliament Sitting on 8 July 2019
QUESTION FOR WRITTEN ANSWER
19. Miss Cheng Li Hui: To ask the Minister for Communications and Information (a) whether he can provide an update on the investigation into the hacking of the Singapore Red Cross website; (b) whether it is mandatory for VWOs and NGOs to comply with the IT security guidelines established by the Government; and (c) whether there are plans to equip VWOs and NGOs with the capability to establish resilient IT security frameworks to safeguard confidential data.
ANSWER:
On 8 May 2019, the Police and the Personal Data Protection Commission (PDPC) were informed of a ransomware incident on the Singapore Red Cross’s (SRC) blood donor database. The database contained the details of about 4,300 donors who booked appointments to donate blood via SRC’s webpage, including their name, contact number and email address.
According to SRC, its investigations have found that the perpetrator exploited a weak administrator password that left the webpage vulnerable to unauthorised access. Nevertheless, investigations by the Police and the PDPC are ongoing.
VWOs such as SRC are non-governmental organisations (NGOs) that provide services that benefit the community, and hold data about donors, volunteers and beneficiaries. It is therefore important that NGOs put in place the necessary data protection and cybersecurity safeguards to maintain the confidentiality of such data.
While NGOs do not need to comply with Government IT security guidelines, there are national- and sector-level frameworks and resources to assist them in enhancing the protection of their systems and data.
At the national level, all private sector organisations, including NGOs, are subject to requirements under the Personal Data Protection Act. The PDPC also provides such organisations with guidelines and guides on how to comply with their data protection obligations. Examples include the guides issued by the PDPC and the Cyber Security Agency of Singapore (CSA) to assist organisations in securing personal data on electronic medium and managing data breaches.
To help organisations including NGOs improve their cybersecurity posture, CSA enhances cybersecurity awareness and promotes good cybersecurity practices through channels such as the GoSafeOnline portal (www.csa.gov.sg/gosafeonline) and the Singapore Computer Emergency Response Team’s (SingCERT’s) portal (www.csa.gov.sg/singcert).
At the VWO sector level, agencies such as the Ministry of Social and Family Development (MSF) and the Office of the Commissioner of the Charities (COC) play an important role in building up capabilities among VWOs, to protect confidential data and mitigate cybersecurity risks. For example, some VWOs that administer programmes that are funded by MSF use an integrated case management system that protects clients’ data in accordance with Government IT security policies; while COC is working with potential partners to provide subsidised IT security audit services for charities, including VWOs.
The Government is committed to helping NGOs such as VWOs establish resilient IT security frameworks to safeguard confidential data. NGOs and their senior leadership must also play their part to ensure that the risks in relation to data protection and cybersecurity are adequately addressed. This is necessary so that they can continue to uphold the high level of trust and confidence that their stakeholders have placed in them.