
SingHealth breach: what does it mean to lose your data

21, July 2018 by Wilfred Ling

By now everybody would have read in the news that the information of 1.5 million SingHealth patients was stolen. Singapore has a population of 5.79 million, so 26% of the population had their personal particulars stolen. The majority of the data stolen in the SingHealth breach were names, NRIC numbers, dates of birth, addresses, gender and race. A smaller group of 160,000 had their prescription records stolen. Victims included Prime Minister Lee, ESM Goh Chok Tong and other undisclosed ministers.

My data was stolen. Most of my family members' data were stolen too. To be frank, I am really disappointed with the government. As a person who works in the finance industry, the importance of protecting customers’ information has always been emphasised. In fact, I think the finance industry can be too obsessed with PDPA.

The irony is that ‘public agencies’ are not even governed by the PDPA (see https://www.pdpc.gov.sg/Legislation-and-Guidelines/Personal-Data-Protection-Act-Overview ) and I assumed ‘public agency’ means government.  That means the government cannot be sued under the PDPA. Great.

So, what are the implications if your data is leaked? And how can you take precautions?

#1 Blackmailing

If you have an illness which you do not wish to let others know about, you could be blackmailed. For example:

  1. You are a commercial airline pilot who is suffering from a disease which will render you unfit to fly a plane.
  2. You suffer from schizophrenia but do not want your employer to know for fear of losing your job.
  3. You suffer from AIDS/HIV and would incur reputation risk if this becomes public knowledge.

To be frank, most people will not need to worry about blackmailing as most people’s illnesses are just common illnesses like diabetes, hypertension, high cholesterol and common flu.

#2 Fabrication of NRIC card

A person can now fabricate an NRIC card since the full name, NRIC number, date of birth, race and address are already known. An NRIC card has an issue date but this issue date is almost never used. The photo on the NRIC can be that of the imposter or a random young person's photo downloaded from the internet.

#3 Get Free Handphone and Mobile Number

With the fabricated NRIC, the imposter can get a phone and mobile number for free by signing up for a contract. Telephone companies will find it hard to detect such fraud cases because (a) the benefit of the doubt is always given if the photo on the NRIC card looks different from the person, especially if the photo was taken long ago, and (b) for existing clients, the fake NRIC card contains details that are identical to those in existing records.

#4 Borrow books from the national library for free using fake NRIC

Self-explanatory.

#5 Change address with financial institutions

With the fake NRIC, it is very easy to change the address of a person. This means future banking correspondence will no longer be sent to the individual. When the address is altered, usually the financial institution will send a notification of change of address to the old address as well. However, if a person seldom opens his or her letter box, the notification will not be read until it is too late.

#6 Request for new password

By requesting a new internet banking password, there is no longer a need for a hacker to guess the password because it will be sent to the altered physical address.

#7 Change SMS OTP  / Token

Some financial institutions require the change of SMS OTP by filling up a form. If the address on record has already been altered, the change of SMS OTP (to the mobile number that was fraudulently purchased) will be made without the individual actually knowing it since any correspondence will be sent to the changed address.

Same procedure for issuing a new token.

#8 Full access to financial details

With the userid, password and token, a hacker can now have full access to the banking details and see everything.

#9 Transfer of money out

With the userid, password and token, a hacker can now transfer money out. Any SMS messages sent would be to the mobile number that was already changed to that of the hacker.

#10 Sign up for credit/debit card

With the full personal details that were already stolen, and using the fake NRIC and a fake income tax statement, it is possible to apply for a credit or debit card. Any correspondence and the credit/debit card itself will be sent to the address that was already altered.

#11 Overseas purchases using credit / debit card

With the credit card, the hacker can buy many things overseas. If using a debit card, it is effectively making withdrawals from the bank accounts. Of course, if the bank detects any unusual activities, they would call the card user. But if the mobile number on record at the bank has already been altered, the imposter is the one who picks up the phone and will be able to answer any questions since he knows everything about the card holder. Usually banks authenticate the customer by asking for their personal particulars.

#12 Plishing mails

A criminal could send letters pretending to be from reputable companies or government institutions. Such letters will look genuine, especially if they contain personal information that is accurate.

#13 Intrusion into property to commit further crimes

A criminal could send phishing mails to an individual so as to grant access to the property. I do not need to describe how this can be done.

#14 Borrow money from ah-longs (loansharks)

Anyone can now borrow money from ah-longs by providing the fake NRIC. I doubt ah-longs would know the difference between the fake NRIC and the real one since, after all, the details are all correct except the photo.

#15 Surrender insurance policies

It may be possible to surrender policies and get the cheque on the same day. If the cheque is deposited to a bank account that has already been taken over by the criminal, that means the proceeds of the insurance policies will be stolen.

What can you do about it

Since your data has already been stolen, it cannot be undone. But here are some precautions you can take:

  1. Get yourself out of the situation of being blackmailed. For example, by finding a job that will accept your medical conditions. Of course, this is easier said than done.
  2. Report the loss of your NRIC to the National Library. They will disable borrowing books using the NRIC number and issue you with a card with a unique library number for future borrowings.
  3. Use some difficult-to-guess long passwords such as hmwAjyf3D$6sQY6ug?4_sQ#.
  4. Regularly read your physical mails to check whether your address or mobile number was changed.
  5. Regularly check your banking statements for any fraudulent transactions.
  6. Do not believe every email or physical mail you receive. Assume it is fake until proven otherwise. This is the hardest to do.
  7. Do not let anyone into the house unless you have a bodyguard – even if it is the AVA inspecting for mosquito breeding, because the letter you receive from AVA for the inspection could be fake (i.e. plishing). Even the AVA inspectors’ identification cards could be fake.
  8. Move house to avoid the situation of loansharks burning your door.
  9. Call the insurance companies every day until the policies' maturities to check whether your policies have been terminated.

In 1995, I watched a movie called “The Net” whose lead actress was Sandra Bullock. She worked from home and accessed her company’s office information using the Internet. But she seldom interacted with others in real life. None of her colleagues had ever met her. She ordered her meals through delivery and her neighbours seldom saw her. One day, she found that she could not log in to anything due to cyberhacking and her house was even sold. An impostor took over her life by impersonating her. She could not prove her identity because hardly anyone knew her in person.

When I watched that movie many years ago, it sounded quite futuristic but ridiculous. In 1995, the usage of the Internet was uncommon and limited to universities. The thought of any individual being able to work from home by using the Internet was far-fetched. Moreover, cyber hacking was totally unheard of. These days, working from home, ordering meals online and the threat of cyber hacking activities have become part and parcel of our lives.

Conclusions

Will the personal particulars of 26% of Singapore’s population be found on the Internet? Perhaps there is no longer a need to do KYC because everybody’s information will become available on the Internet anyway.

I wrote this article to demonstrate how serious this data breach is. I am also dismayed by the fact that the government has $0 liability for the breach since they are not governed by the Personal Data Protection Act. So they cannot be sued under the PDPA. What happens if an individual's bank account is emptied out? It will not be fair for the bank to assume liability. It has to be the government who will have to compensate for the loss. What happens if a loanshark burns down the door resulting in death? Can someone in the government body support his dependents? The worst part of it is that this episode of data leak will be long forgotten after many years and this generation of government could have changed but the threat of identity theft remains with all of us for the rest of our lives.

Comments

  1. ambidextrous says

    22, July 2018 at 1:05 pm

    I am foreseeing second tier of scammers impersonating public agencies’ personnel arriving at victims’ residences with authentic personnel information with charge sheets and demand notices etc and offer quick resolutions with a trip to the atms.

    this ruse will aim at the elderly especially since the dates of birth are stolen

  2. synonymous with pdpa says

    24, July 2018 at 8:43 am

    SingHealth is subject to PDPA as it is not classified as a public agency.

    • Wilfred Ling says

      24, July 2018 at 10:28 am

      Confirm? Link?

  3. xyz says

    24, July 2018 at 6:36 pm

    Hahaha the people get what they voted for, can’t complain lah.

    Singhealth is a pte ltd corporate body whose majority (only?) shareholder is MOH Holdings, which in turn is another pte ltd corporate body whose majority / only shareholder is MOH / Minister for Health.

    Govt but yet not govt lorr.
