Personal data of more than 4,000 people compromised after Singapore Red Cross hack
SRC said it was alerted last Wednesday by its web developer to an incident of unauthorised access to the part of its website which supports the recruitment of interested blood donors.
Members of the public can indicate their interest in donating blood through the website, and SRC then makes the appointments on their behalf.
“The following information of 4,297 individuals who had registered their interest on the website was compromised: Name, contact number, email, declared blood type, preferred appointment date/time and preferred location for blood donations,” said SRC, adding that no other information was affected.
It said its other databases were not compromised, and the Health Sciences Authority’s (HSA) systems were also unaffected by the incident.
The organisation made a police report the same day. It also reported the incident to the Personal Data Protection Commission and HSA. Police investigations are ongoing, it added.
A weak administrator password could have left the website vulnerable, said SRC, adding that investigations to determine how the incident happened are ongoing.
“There were measures in place to guard against unauthorised access of the website,” it said. “While our investigations to determine the nature of the unauthorised access are ongoing, our preliminary findings show that a weak administrator password could have left the website vulnerable to the unauthorised access.”
It said that it had disconnected the website from Internet access, and replaced it with a temporary webpage with links to relevant websites as a precaution.
The website will only be reinstated when all security checks have been completed, added SRC.
External consultants have been engaged to carry out forensic investigations and determine the “exact factors” that allowed the unauthorised access, it said.
These findings and recommended measures will be reported to the SRC Council (Board) and SRC will take necessary action to strengthen its security measures, together with the advice of the organisation’s IT advisory panel.
“Our immediate priority is to ensure affected individuals and partners are notified, while working with the relevant parties to restore and strengthen our IT systems, safeguard our data, and mitigate any future risks,” said SRC’s Secretary General and Chief Executive Officer Benjamin William.
“SRC has started to contact affected individuals. We apologise to the users of our website whose information may have been affected by this incident.”