Cybersecurity and Hackers Out For Blood

When a person donates blood, the donation center collects data from the people. This is recorded and retained. This is done throughout the planet. Singapore likewise is involved with this process. Early in 2019, blood donor’s data, located in a database, was breached. While this was broadcast across the globe within the first few weeks after, most people read the headline and the high level summary, and may not have dug into the details.

Vulnerability

The attack used was not excessively complex. There was an unsecured database that was available. Also, given the circumstances, this also was not likely encrypted. The database was located on an internet facing server. The clearly incorrectly configured, openly accessible server information was leaked on the internet for two months prior to this being reported. The data was exposed for nine weeks beginning January 4, 2019 as reported by the Health Sciences Authority (HSA). The HAS provided the data to the 3rd party organization, SecurSolutions Group, to update the database. This prominent issue was detected by a cybersecurity subject matter expert (SME).

The SME contacted Singapore’s Personal Data Protection Commission (PDPC) on March 13th. The HAS, once alerted to the issue, worked with SecurSolutions Group to disable access to the account. The HAS is working with the SME to delete the data. As a coincidence, the cybersecurity researcher was based outside of Singapore. One report stated it appeared there was no unauthorized access during the subject period to the database, while another stated the data was access by an unauthorized party and possibly exfiltrated.

Affected

There were 808,201 blood donors were affected with this negligent act. This exceptionally large number represented the blood donors since 1986, or to put this in perspective, the blood donors over the last 30+ years. The data possibly/probably accessed and exfiltrated included the names, NRIC, gender, number of blood donations, dates of the last three blood donations, and may have included the blood type, height, and weight. The odd coincidence with this instance was this was not the first time SSG (SecurSolutions Group Pte Lt.) noted its servers had been accessed by other unknown IP addresses.

Lessons Learned

This issue brings up so many areas of concern.

a) The data on the internet facing server. In general, they should have thought twice about this. While this occurs all the time across the globe, there are inherent issues, especially when this is not configured correctly. As this was the case, the data was not secured. There was nothing present to prevent any unauthorized access, as this was openly accessible.

b) You need to know the scope. The third party contactor posted the data on the server. This was done without HSA’s knowledge or approval. In review of the contract, this was not allowed. As with any agreement, the parties need to read the contract to know the scope of the project, and what may and may not be done.

c) SCM. The supply chain management is still not fully addressed as a part of cybersecurity. When data is entrusted to a third party, they really should be vetted well before the contract’s execution. Without properly addressing cybersecurity in the supply chain, the business is allowing for a massive mountain of problems. SSG clearly breached their contractual agreement. This is especially notable since the service provider’s (SSG) had been accessed by unknown IP addresses since late 2018. This was also not the first occurrence of an attack. In 2017, the same server was attacked. With the same server being targeted, was the 2017 excursion used in the recon process, instead of a one-time attack? Overall, the business needs to ask or require a 3rd party to assess your vendor’s security posture.

d) Database was not encrypted. Seemingly, if you are going to have this off premises, and accessible you might want to have some form of encryption on the data. If this database contained data not attributable to the persons and was a generic aggregation, that’s one case. This had confidential data for persons directly attributable to them.

In closing…

This certainly was not the first error in judgement and mostly certainly won’t be the last time this happens in the industry. These instances keep occurring across the globe. Somehow we need to publish not only the error but also the remediation methods so others do not keep perpetuating the idiocracy. Please pass this along. After a configuration, the admin should check the configuration to make sure it is within the industry’s norms and guidance. If it is not, the subject hardware should be reconfigured and retested. This isn’t quantum mechanics. Let stop the cycle of stupidity.

Resources

CAN. (2019, March 30). Blood donor data leak: HAS’s vendor says information that went online was accessed illegally and possibly extracted. Retrieved from https://www.channelnewsasia.com/news/singapore/personal-data-of-800-000-blood-donors-accessed-illegally-hsa-ssg-11395364

Choo, F. (2019, March 16). 800,000 blood donors’ data put online by HAS vendor. Retrieved from https://www.straitstimes.com/singapore/health/800000-blood-donors-data-pmt-online-by-hsa-vendor

Gatlan, S. (2019, March 15). Insecure database exposes 800,000 singapore blood donors. Retrieved from https://www.bleepingcomputer.com/news/security/insecure-database-exposes-800-000singapore-blood-donors/

Johnston, M. (2019, March 18). Personal data of 800,000 blood donors exposed in singapore. Retrieved from https://sg.channelasia.tech/artricle/6518921/personal-dta-800-000-blood-donors-exposed-singapore/

Paganini, P. (2019, March 16). Secur solutions group data leak exposes 800,000 singapore blood donors. Retrieved form https://securityaffairs.co/wordpress/82452/data-breach/secur-solutions-group-data-leak.html

Siew, A. (2019, March 19). More than 800,000 blood donors had personal data exposed, in latest leak in singapore. Retrieved from https://www.techgoondu.com/2019/03/19/more-than-800000-blood-donors-had-personal-data-exposed-in-latest-leak-in-singapore/

About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.