Data Breach of Singapore’s Ministry of Defence

By MDL on March 6, 2017

Singapore’s Ministry of Defence (MINDEF) detected a data breach in their I-net system that allowed the “basic personal data” of 850 national servicemen and MINDEF employees to be stolen.

What happened: The MINDEF I-net system provides internet access to computer terminals within the Ministry of Defense and in Singapore Armed Forces (SAF) camps. The terminals are used by national servicemen and MINDEF staff use for personal communication and web surfing. The personal data taken includes NRIC numbers (national ID numbers), telephone numbers, and dates of birth. According to an article in the Straits Times, David Koh, MINDEF’s Deputy Secretary of Technology insisted that “classified and military data, and internal email applications reside in a different system that is not connected to the Internet.”

Mitigation Efforts: MINDEF’s press release states that “Upon detection, MINDEF disconnected the affected server from I-net. Immediate and detailed forensic investigations were conducted on the entire I-net to determine the extent of the breach.”

Response of Organization: MINDEF announced the data breach in an official press release on February 28th, but according to the statement, the breach occurred earlier in the month. MINDEF says that they delayed announcing the breach to allow forensics investigators to conduct their investigation before a public announcement. The press release states that “as a precaution even though no breach had been detected, all other computer systems within MINDEF/SAF are also being investigated.” It goes on to say that affected personnel will be notified within the week and will be advised to change their passwords and report any unusual activity. The MINDEF policy requiring that classified and non-classified information must be on restricted to separate networks helped lessen the impact of the data breach.

Attribution: The Straits Times article quotes Koh as saying “the attack did not come from camps or internal systems. Neither was it the work of casual hackers or criminal gangs.” This statement suggests that he suspects state-sponsored actors but declines to name any specific country.


Sources: Singapore MINDEF, Breach in MINDEF’s I-net System. ZDNet, Singapore defense ministry suffers data breach affecting 850 users. Straits Times, Hackers steal data of 850 NSmen and Mindef staff