Retired Senior (now termed Chief) District Judge Richard Magnus to chair the COI

The cybersecurity attack on SingHealth’s IT system, resulting in the exfiltration of 1.5 million patients’ non-medical personal data and 160,000 patients’ dispensed medicines data, is the most serious breach of personal data that Singapore has experienced.

2 The Cyber Security Agency (CSA)’s investigations have established that the attack was deliberate, targeted and carefully planned. It was not the work of casual hackers or criminal gangs. Prime Minister Lee Hsien Loong’s personal particulars and outpatient medication data were specifically and repeatedly targeted.

Committee of Inquiry

3 This incident has serious public health and safety implications. Therefore, the Minister-in-Charge of Cybersecurity, Mr S Iswaran, will convene a Committee of Inquiry (COI) under Section 9 of the Inquiries Act (Cap 139A). Mr Richard Magnus, a retired Senior (now termed Chief) District Judge and member of the Public Service Commission, has agreed to chair the COI.

4 The COI will establish the events and contributory factors leading to the cybersecurity attack, and the incident response. It will also recommend measures to better manage and secure SingHealth’s and other public sector IT systems against similar cybersecurity attacks in future.

5 The COI’s composition and Terms of Reference will be announced at a later date.

Government to Take Immediate Actions to Strengthen IT Systems

6 Meanwhile, the Government will take immediate action to strengthen our IT systems against similar cybersecurity attacks. The Minister-in-Charge of Cybersecurity has directed CSA to work closely with all 11 key sectors1 to enhance the cybersecurity of their Critical Information Infrastructure systems.

7 The Smart Nation and Digital Government Group (SNDGG) has completed a scan of all government systems and found no evidence of compromise. SNDGG will pause the introduction of new ICT systems while it reviews the cybersecurity measures of government systems, and implements any additional security safeguards which are necessary.

Ensuring Cybersecurity in the Digital Age

8 While we will do our utmost to secure our IT systems from attack, unfortunately we cannot completely eliminate the risk of another cybersecurity attack. Every country is under threat, and the attackers are constantly developing new techniques and probing for fresh weaknesses in IT systems. However, we must not allow this incident, or any others like it, to derail our plans for a Smart Nation. We must adapt ourselves to operate effectively and securely in the digital age, to deliver better public services, enhance our economic competitiveness, and create good jobs and opportunities for Singaporeans.

9 The Government takes with utmost seriousness its responsibility of ensuring the security of public sector IT systems and databases. We will learn from the experience of this deliberate and sophisticated cybersecurity attack, and implement measures to better secure our public sector IT systems and databases, and uphold public trust in our systems.

[1]Energy, Water, Banking and Finance, Healthcare, Transport (which includes Land, Maritime, and Aviation), Infocomm, Media, Security and Emergency Services, and Government.

MCI’s response to PQ on RuPauls' Drag Race show Parliament QAs Infocomm Media 15 Jan 19
Statement by Mr S iswaran, Minister-in-Charge of Cybersecurity, on the Government’s response to the report of the Committee of Inquiry into the cyber attack on SingHealth, during Parliamentary Sitting on 15 January 2019 Parliament QAs, Speeches Cyber Security, Personal Data 15 Jan 19
MCI’s response to PQ on measures to protect personal data of Facebook users Parliament QAs Personal Data 14 Jan 19
MCI’s response to PQ on telco operators’ call centres Parliament QAs Infocomm Media 14 Jan 19
Speech by Mr S Iswaran, Minister for Communications and Information, at the opening of Library@HarbourFront on 12 Jan 2019 Speeches Libraries 12 Jan 19
Public Report of the Committee of Inquiry (COI) into the cyber attack on Singapore Health Services Private Limited Patient Database Press Releases Cyber Security 10 Jan 19