A breach in the Ministry of Defence’s (Mindef) Internet access system for servicemen and employees earlier this month led to personal data, comprising NRIC numbers, telephone numbers, and dates of births, of around 850 servicemen and employees being stolen.
No classified military information was stored on the hacked system.
The attack "appeared to be targeted and carefully planned”, said Mindef deputy secretary (technology) David Koh on Tuesday (Feb 28). The ministry added that the real purpose may have been to gain access to official secrets. But it was prevented from doing so by the physical separation of the hacked system from Mindef’s other internal systems.
Mindef said the attack, which was done remotely, was probably the work of “organised entities” and “not the work of casual hackers or criminal gangs”. On where the attackers may have originated from, the ministry added that it is still investigating and “would not speculate” on who the perpetrators are.
This is the first such a breach detected on the I-net system.
The I-net system provides internet access to national servicemen and Mindef employees for their personal communications, and allows them to surf the internet via dedicated I-net computer terminals in Mindef and Singapore Armed Forces (SAF) camps and premises.
There are thousands of such computer terminals in camps and premises across the island.
Mindef said the affected server was disconnected once the breach was detected, and “immediate and detailed forensic investigations” were conducted on the entire I-net system to determine the extent of the damage.
Even though no breach has been detected, all other computer and systems within the ministry and the SAF are also being investigated.
Classified military information is not stored on I-net computers, but is stored in a different computer system with more stringent security features. It is also not connected to the Internet, said Mindef.
Affected personnel would be contacted within the week, and will be advised to change their passwords for other systems if these use any of the stolen information.
The 850 personnel affected are a mixture of full-time national servicemen, regulars, as well as operationally ready national servicemen. The majority of affected users are regular servicemen. They do not come from a specific camp.
The Cyber Security Agency (CSA) and the Government Technology Agency of Singapore (GovTech) have also already been informed of the breach, and are investigating other government systems. No breaches have been detected so far.
On Tuesday, Mr Koh said: "Mindef is sorry for the inconvenience and potential harm that this cyber breach has caused."