SINGAPORE, May 16 — The website of the Singapore Red Cross (SRC) was hacked, which led to a leak of the personal data of 4,297 people who had registered their interest to make a blood donation with the national blood donor recruiter.
In a media statement today, the SRC said that its web developer alerted it last Wednesday to an incident of unauthorised access to a part of its website that supports the recruitment of interested blood donors.
A police report was made on the same day and investigations are ongoing.
SRC is also investigating the matter to determine how the incident could have happened, and preliminary findings showed that a weak administrator password could have left the website vulnerable to the unauthorised access, it said.
As a precaution, SRC has disconnected the website from Internet access, and replaced it with a temporary webpage with links to relevant websites.
Its website will be reinstated only when all security checks have been completed, it said.
The affected individuals had given their name, contact number, email, declared blood type, preferred appointment date and time, and preferred location for blood donations when they indicated their interest to make a donation.
Members of the public typically indicate their interest in donating blood through the website, and SRC’s staff members will then manually make appointments on their behalf with the various blood banks and blood mobiles based on their preferred dates and times.
No other information was leaked, and SRC’s other databases were not compromised, the non-profit organisation stressed.
The Personal Data Protection Commission and the Health Sciences Authority (HSA), which appointed SRC as national blood donor recruiter, were notified last Wednesday.
HSA’s systems are similarly unaffected by this incident, SRC said.
It added: “SRC takes this incident seriously. External consultants have been engaged to conduct forensic investigations to determine the exact factors that allowed the unauthorised access to the website.
“The findings and measures to be taken will be reported to the SRC Council (Board) and together with the advice of our IT advisory panel and consultants, we will take necessary action to strengthen our IT security measures.”
SRC’s secretary-general Benjamin William said: “Our immediate priority is to ensure affected individuals and partners are notified, while working with the relevant parties to restore and strengthen our IT systems, safeguard our data, and mitigate any future risks.
“SRC has started to contact affected individuals. We apologise to the users of our website whose information may have been affected by this incident.” — TODAY