
Unprotected database exposes private data of over 800,000 Singaporean blood donors

  • HSA revealed that SSG stored the information on an internet-facing server on January 4, 2019, and failed to secure it with appropriate authentication.
  • The exposed information includes blood donors’ names, genders, blood groups, heights, weights, NRIC numbers, number of blood donations, and the dates of the last three blood donations.

What is the issue - An unprotected database that contained private data of 808,201 Singaporean blood donors who registered to donate blood since 1986 was found publicly accessible over the internet.

What was exposed - The exposed information includes blood donors’ names, genders, blood groups, heights, weights, NRIC numbers, number of blood donations, and the dates of the last three blood donations. However, the leaky database did not contain any sensitive information such as medical information or contact details.

The big picture

Singapore's Health Sciences Authority (HSA) learned about the leaky database on March 13, 2019, from a security expert. The database is managed by a vendor named Secur Solutions Group Pte Ltd (SSG) that provides services to HSA and handles the registration-related information of 808,201 blood donors.

  • Upon learning of the incident, HSA worked with SSG to secure the database and disable public access to it.
  • HSA has notified the police department and is working with the security expert to delete the information.
  • HSA has also hired external cybersecurity professionals to review their IT systems.

Worth noting - HSA revealed that SSG stored the information on an internet-facing server on January 4, 2019, and failed to secure it with appropriate authentication. HSA noted that this was done without HSA’s approval.

“SSG had placed the information we provided them on an unsecured database in an internet-facing server on 4 Jan 2019 and failed to put in place adequate safeguards to prevent unauthorized access. This was done without HSA’s knowledge and approval, and was contrary to its contractual obligations with HSA,” HSA said in a statement.

“We sincerely apologize to our blood donors for this lapse by our vendor. HSA treats donor data confidentiality very seriously. We would like to assure donors that HSA's centralized blood bank system is not affected. HSA will also step up checks and monitoring of our vendors to ensure the safe and proper use of blood donor information,” HSA concluded.

Cyware Publisher
