What is the issue - An unprotected database that contained private data of 808,201 Singaporean blood donors who registered to donate blood since 1986 was found publicly accessible over the internet.
What was exposed - The exposed information includes blood donors’ names, genders, blood groups, heights, weights, NRIC numbers, number of blood donations, and the dates of the last three blood donations. However, the leaky database did not contain any sensitive information such as medical information or contact details.
The big picture
Singapore's Health Sciences Authority (HSA) learned about the leaky database on March 13, 2019, from a security expert. The database is managed by a vendor named Secur Solutions Group Pte Ltd (SSG), which provides services to HSA and handles the registration-related information of 808,201 blood donors.
Worth noting - HSA revealed that SSG had stored the information on an internet-facing server on January 4, 2019, and failed to secure it with appropriate authentication. HSA noted that this was done without HSA’s approval.
“SSG had placed the information we provided them on an unsecured database in an internet-facing server on 4 Jan 2019 and failed to put in place adequate safeguards to prevent unauthorized access. This was done without HSA’s knowledge and approval, and was contrary to its contractual obligations with HSA,” HSA said in a statement.
“We sincerely apologize to our blood donors for this lapse by our vendor. HSA treats donor data confidentiality very seriously. We would like to assure donors that HSA's centralized blood bank system is not affected. HSA will also step up checks and monitoring of our vendors to ensure the safe and proper use of blood donor information,” HSA concluded.