With as many as 1.5 million people affected in Singapore’s worst cyber attack yet, the headlines on the data theft at healthcare provider SingHealth are always going to be about the numbers.
Or the fact that Prime Minister Lee Hsien Loong, along with several unnamed ministers, were the target of this likely state-sponsored attack.
Yet, what is of deeper concern are the unknowns and the fallout that may come only in the months or even years ahead. In other words, the worst is not over.
It should come as no surprise that Singapore, one of the most connected countries, is now the victim of a large-scale attack aimed at destabilising critical infrastructure and services.
Last year, Malaysia faced its largest attack when 46 million mobile users’ personal data was stolen from the country’s telecom operators.
Even the hackers themselves – the United States’ National Security Agency – were hacked. The tools they used were exposed, leading to widespread ransomware attacks around the world last year.
If there is an upside to yesterday’s revelations in Singapore, it is that the most sensitive information, such as doctors’ notes or test results, were not stolen or tampered with.
Unfortunately, what was taken – and will likely be exposed on online criminal networks – is the outpatient prescription data of 160,000 patients, including the prime minister himself.
This means anyone who had that data could make a good guess at what illnesses the victims were suffering from. Theoretically, this could be used for blackmail or to embarrass.
Yesterday, Lee was swift to say that there was nothing alarming about his data. He wondered if the hackers, an organised and sophisticated group, may be out to get at some “dark state secret”.
But that may not be the only or main goal of the attack. In terms of disrupting the country’s efforts at digitisation, the hackers have succeeded – at least temporarily.
Yesterday, the health ministry said Singapore was pausing the mandatory sharing of medical records among healthcare providers here under the National Electronic Health Record (NEHR) project.
The attack will also throw a spanner in the works for Singapore’s smart nation ambitions. By casting doubt in citizens’ minds, it will make it harder for the government to push ahead with new services that will make life easier and more convenient.
Who would plot and launch such an attack against Singapore? The prime minister did not name any country or group responsible for the attack, which is sensible given that investigations are now ongoing with a commission set up for it.
Singapore, often seen as a neutral party in international disputes, does not have adversaries that would easily fit on a suspects list. This attack, however, constitutes a threat that is unlike any the Republic has faced before.
Though it has warded off such threats daily in the past few years, it now faces the uneasy decision to name the party responsible for this attack in the coming months, even if it is a nation state.
Perhaps more worrying is the fallout for the 1.5 million users who had their personal particulars stolen. They now face a more serious threat.
Their names, IC numbers, birth dates and addresses can now be used to extract more data or even to siphon money out of bank accounts. Hackers, after all, know who their next victims are. They can customise their attacks.
In the coming months, expect more “phishing” e-mails, for example, warning you to change your passwords by clicking on a malicious link.
If you unwittingly do so, you could open up your computer or phone, enabling hackers to lock it up with ransomware or get access to your bank accounts.
Hackers can also sell your data to spammers to send you irritating offers to bet on football or borrow money from loansharks.
In other words, the widespread impact from the worst data breach in Singapore may only be felt in the months ahead. And it won’t be the last such incident.
This is the risk that each citizen now bears, simply by going to the doctor, paying a fine or applying for a flat.
Other than looking to the authorities and companies to better safeguard their data and staying vigilant themselves, there is little else they can do to reduce their exposure.
There is simply no going back to paper records or having a doctor scribble notes on them.