Greetings from Singapore!
Before we reflect on news from around the privacy world this week, I would like to briefly highlight that the IAPP is currently on the lookout for new KnowledgeNet Chapter chairs. Being the chair of a KnowledgeNet Chapter is a meaningful way for you to contribute your expertise toward the development of local privacy professionals and the creation of valuable networks within the community. New KnowledgeNet Chapter chairs will serve a two-year term starting January 2019. Deadline for submissions closes Oct. 12.
And now, on to other news…
In Singapore, public hearings conducted by a Committee of Inquiry constituted to investigate the massive SingHealth breach reported at the beginning of August have revealed a number of failings, including IT lapses, gaps in organizational processes, and poor staff judgment.
Evidence suggests that SingHealth’s systems had been infiltrated as early as August 2017 through advanced persistent threat attacks by a sophisticated (likely state-sponsored) actor using advanced tools, including customized malware. Not surprisingly, the attacker was able to establish a presence, move laterally within the network, and exfiltrate data due to a number of lapses in security, including unpatched versions of Microsoft Outlook, coding vulnerabilities, and a Citrix administrator account with “P@ssword” as the password (seriously?).
However, the hearings also revealed a number of process issues, including the lack of a proper framework for timely escalation of cybersecurity risks, uncertainty about roles and responsibilities, and lack of proper coverage during staff absence. A number of staff members also appear to have contributed to the time it took to discover and react to the breach because they wrongly assumed that others would investigate, exercised questionable judgment, or provided the wrong information about the severity of the incident.
All these should provide valuable learnings to any organization that holds a significant amount of personal data, which probably means everyone reading this should be spending quite a bit of time going through the findings of the COI in detail.
And if that does not take up all your spare time, there is always the hot-off-the-press 1,448-page verdict of the Indian Supreme Court upholding the constitutional validity of the Aadhaar system, which interestingly starts off with the following quote:
“It is better to be unique than the best. Because, being the best makes you the number one, but being unique makes you the only one.”
There is no doubt that Aadhaar gives dignity to the marginalized, which is a noble and laudable objective, but, in my view, it does not necessarily follow that dignity to the marginalized outweighs potential privacy concerns. This position seems to be premised on a false tension in the sense that you can have one but not the other.
Perhaps the better way to read this is to recognize that a unique identifier tied to a large amount of sensitive personal information and biometric data does not have to be the best system available, but it should definitely have the best possible security around it.
I am sure that IAPP India Country Leader Rahul Sharma will be covering this in greater detail in subsequent weeks, and I look forward to further discussions around the topic. Until then, happy reading!