Written Reply by Minister for Defence Dr Ng Eng Hen to Parliamentary Question on Malware Incidents at HMI Institute of Health Sciences Pte Ltd and ST Logistics Pte Ltd

Mr Png Eng Huat: To ask the Minister for Defence with regard to the personal data leak affecting 2,400 MINDEF and SAF personnel (a) when did ST Logistics first discover the phishing attack; and (b) when did MINDEF come to know about the leak.

Ms Rahayu Mahzam: To ask the Minister for Defence (a) what is the assessment on the impact of the data leak which occurred at ST Logistics and the ransomware attack on HMI Institute of Health Sciences to confidential operations of MINDEF and SAF; and (b) what is the follow-up action that is in place following the two incidents.

Minister for Defence, Dr Ng Eng Hen:

On 10 October 2019, MINDEF discovered that emails received from ST Logistics contained malware, and alerted their management, whereupon ST Logistics as a first precautionary move blocked outgoing data and emails possibly affected by the malware. The company's IT team and external support teams then carried out forensic investigations to provide MINDEF with the affected data for an impact assessment. It was established on 13 December 2019 that personal data of 2,400 MINDEF/SAF personnel could have been leaked. The affected personnel were notified from 21 December 2019.

In the second incident, HMI Institute discovered a malware infection in one backup server on 4 December 2019, and alerted MINDEF on 9 December 2019. With the help of a cybersecurity firm, HMI investigated the infection and ascertained the individuals from MINDEF/SAF and other organisations whose personal data were on the affected backup server. Although the likelihood of data leak to external parties was assessed to be low, the 98,000 MINDEF/SAF personnel were informed from 21 December 2019.

Both incidents were confined to the systems of the vendors, and did not affect MINDEF's own systems or result in the loss of classified military information.

MINDEF takes a serious view of these cases. We expect our vendors to protect all personal data that has been entrusted to them. Prior to these incidents, MINDEF had begun including personal data protection clauses in all new contracts involving personal data. We had also been working with vendors, including HMI Institute and ST Logistics, to progressively apply such clauses to existing contracts.

We will further strengthen oversight of our vendors. Taking reference from the recommendations of the Public Sector Data Security Review Committee (PSDSRC), we will implement a framework to ensure that vendors protect our data well. MINDEF will also implement a tiered cybersecurity framework to ensure that vendors handling more sensitive data are subject to more stringent cybersecurity standards, which may include regular audits. As the risks will continue to evolve, we will continually monitor developments and enhance our cyber and data security measures.
