New measures to protect citizens' data will limit damage done by breaches: Experts

SINGAPORE - The 13 technical measures recommended by the Public Sector Data Security Review committee would have lessened the potential damage of recent data breaches and are indication that the Government is trying to boost confidence in its ability to safeguard data, said experts.

On Monday, a committee tasked with improving data management in the public sector unveiled the measures to better protect citizens' sensitive personal information, developed after a government-wide stock-take of practices and in-depth inspections of government agencies.

The Smart Nation and Digital Government Office (SNDGO) said one of the recommended measures from the Public Sector Data Security Review Committee is to have in place tokenisation or encryption, the act of replacing identifiers in data sets to something that only the relevant agency would know.

Such encryption would limit the scope of damage that can be done by hackers who access and steal data, experts told The Straits Times.

For instance, a breach reported by a Health Sciences Authority (HSA) vendor in March involving the personal information of more than 800,000 blood donors,could have been very damaging. Experts said that in the wrong hands, personal data could allow hackers to commit identity fraud, impersonate the people affected or even be used for blackmail.

An even more extensive breach occurred in June last year, when hackers got into the database of public healthcare cluster SingHealth, and stole the personal data of 1.5 million patients and the outpatient prescription information of 160,000 people, including Prime Minister Lee Hsien Loong.

Encryption adds levels of security to data, so that even if stolen, hackers would not be able to use the information, said Mr Tony Jarvis, Chief Technology Officer of Check Point Software Technologies.

 
 
 
 

Senior vice-president for products at cyber security firm RSA Grant Geyer added: "Even if someone could get in to the environment, encrypting the data could stop them. If sensitive data is encrypted, even if you steal it, it will not have a value if you are unable to understand it."

Experts also said that limiting the volume and time of data access and enhanced logging and active monitoring of data access would help curtail the volume of data that can be improperly accessed.

Mr Bryan Tan, a lawyer with Pinsent Masons MPillay who specialises in technology law and data protection, said this could have curbed the amount ofinformation gained by American Mikhy Farrera-Brochez, who leaked online in 2016 the confidential information of 14,200 people diagnosed with HIV.

Said Mr Tan: "Having such limits in place would mean that if a hacker does somehow manages to get in, there is a time limit. And if they are flagged when they start accessing a lot of data, the damage they do could be stopped or lessened too."

He said the announcement of the measures was a "trust building exercise", and represents a shift in how the government is communicating its workings to the public.

"Before this, the Government has seldom revealed what kind of internal measures it has. But given the circumstances, they are seeing that there is a need to be more open about how it protects citizens' data now."

In announcing the 13 technical steps and the concrete measures being taken, the Government is trying to instil confidence in its ability to handle data, said Singapore Management University law don Eugene Tan.

Said Prof Tan: "It would be imperative to boost public confidence in the way the public sector protects data, particularly because they possess and collect a lot of sensitive data.

"Coming after about three months after being formed, it shows that the committee is eager to get its work done, but it does beg the question why these measures weren't implemented earlier."