We refer to the malware incidents involving HMI Institute of Health Sciences Pte Ltd (HMI Institute) and ST Logistics Pte Ltd (ST Logistics)^[1] which affected their systems containing personal data of Ministry of Defence (MINDEF) and Singapore Armed Forces (SAF) personnel.

HMI Institute is contracted by the SAF to conduct cardiopulmonary resuscitation and automated external defibrillator training for MINDEF/SAF personnel since 2016. ST Logistics is contracted to provide logistics services such as eMart retail and equipping services since 1999. Both vendors were provided with personal data of MINDEF/SAF personnel needed for the provision of their operations.

MINDEF and the SAF are working with the two vendors to investigate the impact of the malware incidents and the potential disclosure of personal data. For the HMI Institute incident, their affected system contained personal data of 120,000 individuals. This includes the full names and NRIC numbers of about 98,000 MINDEF/SAF personnel, as well as full names, NRIC numbers, contact numbers, email addresses, dates of birth and residential addresses of other HMI Institute customers. Preliminary investigations indicate that the likelihood of data leak to external parties is low.

For the ST Logistics incident, their affected systems contained full names and NRIC numbers, and a combination of contact numbers, email addresses or residential addresses of about 2,400 MINDEF/SAF personnel. Preliminary investigations indicate that the personal data could have been leaked.

Companies are required under the Personal Data Protection Act (PDPA) to protect the personal data of its clients, in addition to specific requirements they are expected to uphold in the contracts they sign. Both HMI Institute and ST Logistics have reported the incidents to the Personal Data Protection Commission (PDPC) and the Singapore Computer Emergency Response Team (SingCERT). PDPC is conducting investigations into both cases.

MINDEF and the SAF take a serious view on the secure handling of personal data by our vendors. The security of their IT systems is an important factor that will be taken into account in the award of contracts. MINDEF/SAF is also engaging other vendors who hold information of MINDEF/SAF personnel to strengthen the security of their IT systems. In response to the malware incidents, Defence Cyber Chief Brigadier-General Mark Tan said, "The malware incidents affected the IT systems of our vendors. Although MINDEF/SAF's systems and operations were not affected, the malware incidents in these vendor companies may have compromised the confidentiality of our personnel's personal data. We will review the cybersecurity standards of our vendors to ensure that they are able to protect our personnel's personal data and information."

Affected MINDEF/SAF personnel are being notified from 21 December 2019 onwards.