By now everybody will have read in the news that the information of 1.5 million SingHealth patients was stolen. Singapore has a population of 5.79 million, so 26% of the population had their personal particulars stolen. The majority of the data stolen in the SingHealth breach consisted of names, NRIC numbers, dates of birth, addresses, gender and race. A smaller number, 160,000, had their prescription records stolen. Victims included Prime Minister Lee, ESM Goh Chok Tong and other undisclosed ministers.
My data was stolen. Most of my family members' data was stolen too. To be frank, I am really disappointed with the government. As a person who works in the finance industry, the importance of protecting customers’ information has always been emphasised. In fact, I think the finance industry can be too obsessed with PDPA.
The irony is that ‘public agencies’ are not even governed by the PDPA (see https://www.pdpc.gov.sg/Legislation-and-Guidelines/Personal-Data-Protection-Act-Overview ) and I assumed ‘public agency’ means government. That means the government cannot be sued under the PDPA. Great.
So, what are the implications if your data is leaked? And how can you take precautions?
#1 Blackmailing
If you have an illness which you do not wish others to know about, you could be blackmailed. For example:
- You are a commercial airline pilot who is suffering from a disease which will render you unfit to fly a plane.
- You suffer from schizophrenia but do not want your employer to know for fear of losing your job.
- You suffer from AIDS/HIV and would incur reputational risk if this becomes public knowledge.
To be frank, most people will not need to worry about blackmailing as most people’s illnesses are just common illnesses like diabetes, hypertension, high cholesterol and common flu.
#2 Fabrication of NRIC card
A person can now fabricate an NRIC card since the full name, NRIC number, date of birth, race and addresses are already known. An NRIC card has an issue date but this issue date is almost never used. The photo on the NRIC can be that of the imposter or a random young person's photo downloaded from the internet.
#3 Get Free Handphone and Mobile Number
With the fabricated NRIC, the imposter can get a phone and mobile number for free by signing up for a contract. Telephone companies will find it hard to detect such fraud cases because (a) the benefit of the doubt is always given if the photo on the NRIC card looks different from the person, especially if the photo was taken long ago, and (b) for existing clients, the fake NRIC card contains details that are identical to those of existing records.
#4 Borrow books from the national library for free using fake NRIC
Self-explanatory.
#5 Change address with financial institutions
With the fake NRIC, it is very easy to change the address of a person. This means future banking correspondence will no longer be sent to the individual. When the address is altered, usually the financial institution will send a notification of change of address to the old address as well. However, if a person seldom opens his or her letter box, the notification will not be read until it is too late.
#6 Request for new password
By requesting a new internet banking password, there is no longer a need for a hacker to guess the password because it will be sent to the altered physical address.
#7 Change SMS OTP / Token
Some financial institutions require a form to be filled in to change the SMS OTP. If the address on record has already been altered, the change of SMS OTP (to the mobile number that was fraudulently purchased) will be made without the individual actually knowing it, since any correspondence will be sent to the changed address.
Same procedure for issuing a new token.
#8 Full access to financial details
With the userid, password and token, a hacker can now have full access to the banking details and see everything.
#9 Transfer of money out
With the userid, password and token, a hacker can now transfer money out. Any SMS messages sent would be to the mobile number that was already changed to that of the hacker.
#10 Sign up for credit/debit card
With the full personal details that were already stolen, and using the fake NRIC and a fake income tax statement, it is possible to apply for a credit or debit card. Any correspondence and the credit/debit card itself will be sent to the address that was already altered.
#11 Overseas purchases using credit / debit card
With the credit card, the hacker can buy many things overseas. If a debit card is used, it is effectively making withdrawals from the bank accounts. Of course, if the bank detects any unusual activity, it would call the card user. But if the mobile number on record at the bank has already been altered, the imposter is the one who picks up the phone and will be able to answer any questions since he knows everything about the card holder. Usually banks authenticate the customer by asking for their personal particulars.
#12 Phishing mails
A criminal could send letters pretending to be from reputable companies or government institutions. Such letters will look genuine, especially if they contain personal information that is accurate.
#13 Intrusion into property to commit further crimes
A criminal could send phishing mails to an individual so as to gain access to the property. I do not need to describe how this can be done.
#14 Borrow money from ah-longs (loansharks)
Anyone can now borrow money from ah-longs by providing the fake NRIC. I doubt ah-longs would know the difference between the fake NRIC and the real one, since the details are all correct except the photo.
#15 Surrender insurance policies
It may be possible to surrender policies and get the cheque on the same day. If the cheque is deposited to a bank account that has already been taken over by the criminal, that means the proceeds of the insurance policies will be stolen.
What can you do about it
Since your data has already been stolen, it cannot be undone. But here are some precautions you can take:
- Get yourself out of the situation of being blackmailed. For example, by finding a job that will accept your medical conditions. Of course, this is easier said than done.
- Report the loss of your NRIC to the National Library. They will disable borrowing books using the NRIC number and issue you with a card with a unique library number for future borrowings.
- Use some difficult-to-guess long passwords such as hmwAjyf3D$6sQY6ug?4_sQ#.
- Regularly read your physical mail to check whether your address or mobile number was changed.
- Regularly check your banking statements for any fraudulent transactions.
- Do not believe every email or physical letter you receive. Assume it is fake until proven otherwise. This is the hardest to do.
- Do not let anyone into the house unless you have a bodyguard – even if it is the AVA inspecting for mosquito breeding, because the letter you receive from AVA for the inspection could be fake (i.e. phishing). Even the AVA inspectors’ identification cards could be fake.
- Move house to avoid the situation of loansharks burning your door.
- Call the insurance companies every day until the policies mature to check whether your policies have been terminated.
In 1995, I watched a movie called “The Net” whose lead actress was Sandra Bullock. She worked from home and accessed her company’s office information using the Internet. But she seldom interacted with others in real life. None of her colleagues had ever met her. She ordered her meals through delivery and her neighbours seldom saw her. One day, she found that she could not log in to anything due to cyberhacking, and her house was even sold. An impostor took over her life by impersonating her. She could not prove her identity because hardly anyone knew her in person.
When I watched that movie that many years ago, it sounded quite futuristic but ridiculous. In 1995, the usage of the Internet was uncommon and limited to universities. The thought of any individual being able to work from home by using the Internet was far-fetched. Moreover, cyber hacking was totally unheard of. These days, working from home, ordering meals online and the threat of cyber hacking activities have become part and parcel of our lives.
Conclusions
Will 26% of Singapore’s population's personal particulars be found on the Internet? Perhaps there is no longer a need to do KYC because everybody’s information will become available on the Internet anyway.
I wrote this article to demonstrate how serious this data breach is. I am also dismayed by the fact that the government has $0 liability for the breach since they are not governed by the Personal Data Protection Act. So they cannot be sued under the PDPA. What happens if an individual's bank account is emptied out? It will not be fair for the bank to assume liability. It has to be the government who will have to compensate for the loss. What happens if a loanshark burns down the door resulting in death? Can someone in the government body support his dependents? The worst part of it is that this episode of data leak will be long forgotten after many years and this generation of government could have changed but the threat of identity theft remains with all of us for the rest of our lives.
ambidextrous says
I am foreseeing a second tier of scammers impersonating public agencies’ personnel arriving at victims’ residences with authentic personnel information, with charge sheets and demand notices etc., and offering quick resolutions with a trip to the ATMs.
this ruse will aim at the elderly especially since the dates of birth are stolen
synonymous with pdpa says
SingHealth is subject to the PDPA as it is not classified as a public agency.
Wilfred Ling says
Confirm? Link?
xyz says
Hahaha the people get what they voted for, can’t complain lah.
Singhealth is a pte ltd corporate body whose majority (only?) shareholder is MOH Holdings, which in turn is another pte ltd corporate body whose majority / only shareholder is MOH / Minister for Health.
Govt but yet not govt lorr.