SINGAPORE, March 16 — The personal data of more than 808,000 blood donors was put on the internet in January, and left there for nine weeks, by a vendor of the Health Sciences Authority (HSA), the authorities said yesterday.
The data was taken down two days ago and secured, after a cyber-security expert discovered the vulnerability and alerted the Personal Data Protection Commission.
HSA chief executive Mimi Choong said she was “deeply sorry” for the vendor's lapse and assured donors that the centralised blood bank system is not affected.
In total, 808,201 individuals’ personal data was compromised. They were visitors to HSA’s blood banks and include those who were unable to donate blood due to illnesses.
The data mishandled by its vendor, Secur Solutions Group, included information such as the names, identity card numbers, gender and dates of the last three blood donations. In some cases, it included the donors’ blood type, height and weight, the HSA said in a statement.
After being alerted, the HSA said it worked immediately with Secur to disable access to the database. It also made a police report.
Preliminary findings from a review of database logs show that only the cyber-security expert accessed the database. The HSA said investigations are ongoing.
The expert, who was not identified and is based overseas, has confirmed that he does not intend to disclose the database, said the HSA. The authority is in contact with the expert, who is not Singaporean, to delete the information.
How the incident happened
Secur was responsible for developing and maintaining the blood bank’s e-registration, re-booking, feedback and queue management systems.
In November or December last year, the HSA received feedback from donors that some information in the database was not up-to-date. The authority instructed Secur to update the database and provided it with the relevant data for “updating and testing”.
On January 4 this year, Secur placed the information on an unsecured database on an Internet-facing server. It failed to put in place adequate safeguards to prevent unauthorised access, and the data was placed there without the HSA’s knowledge and approval.
The information was accessible only to those who had downloaded database software; Web access required authorisation, the HSA added.
Red Cross urges people to continue donating blood
In a statement yesterday, Singapore Red Cross secretary-general and chief executive Benjamin William said it was unfortunate that donor information had been compromised.
He urged people to continue donating blood to hospital patients who need transfusions. Fourteen units of blood are used every hour in Singapore, said William. The Singapore Red Cross is Singapore’s national blood-donor recruiter.
Dr Choong said: “HSA will also step up checks and monitoring of our vendors to ensure the safe and proper use of blood donor information.”
Donors may go to the HSA’s website for more information. They may call 6220 0183 if they have further concerns. ― TODAY