11 Facts About the Blood Donors ‘Online Leak’ That S’poreans Should Know About


In this headline-reading era when readers tend to read the headlines and draw conclusions immediately, it’s understandable that yesterday’s news pertaining to the exposure of over 800k blood donors’ personal information online has somehow suggested that Singapore’s route to becoming a smart nation has once again been derailed.

However, if you’ve read everything, you’d have noticed that this “leak” is fairly different, and while it’s still unforgivable, it might not be as severe as previous leaks or errors.

Here’s what you need to know (and I applaud you for reading the article instead of just skimming through the headline).

What is Blood Donation?

Lest you’re so new to this, here’s a concise guide to blood donation: you’ll firstly fill up a physical form to determine if you’re eligible for donation. If you are, you’ll register at the counter, whereby the receptionist would be able to determine when your last donation was (or if you’re a first-time donor). Usually, the interval for blood donations is three months.

Thereafter, you’ll be interviewed by a doctor, have your blood pressure, height and weight taken, and then a check on whether you’ve enough iron in your blood for donation. When these are all cleared, you’ll proceed for the blood donation, which for your info is seriously not painful.

You can see that despite the use of a physical form, there’s a process in which a system would be able to determine when your last donation was. That is done via a database, and this database is the core of this incident.

What Happened?

The database is stored somewhere, and apparently, earlier, the self-help kiosks did not reflect the personal information of some donors. The Health Sciences Authority (HSA) then gave its IT vendor, Secur Solutions Group, a new database to update the records.

However, between 4 January 2019 and 13 March 2019, this database, which was unsecured, was placed on an Internet-facing platform.

By 10:00 a.m. on 13 March 2019, the database was removed and the system was fully secured.

In other words, the unsecured database was “online” for nine weeks.

Now, take note that I put quotations for online, because it’s not as simple as just going to a website to view the record.


What is “Internet facing”?

This is rather confusing and ambiguous, and it’s unknown how the database was exposed online, but here’s a concise lesson on what “internet facing” is lest some of you think it’s merely a website.

You see, everything on the Internet is actually being saved in a server—you’re reading this because we upload this article into our server. This server is an actual physical server: in other words, a “computer without monitor” is loading the data to your phone / desktop as you read this.

This article is therefore accessible if you click on the URL (or for our app, when you go into our app), and it’ll load the data on your browser / app.

That is why the Internet is called the “Interconnected Network”: you’re essentially using your browser / app to interact and connect to another physical server. A server that anyone can connect to this way is considered “Internet facing”.

However, some databases (or any other files) are used just internally: for that, they are still saved in a server, but people cannot anyhowly just access the database: the server might just allow access to several other machines or machines with a certain software.

If you’ve been in the NS in the past (I think they’re still using that), you’d know something known as “Intranet”: it’s a private network between authorised machines.

Even if you’ve an Internet connection and try to connect to an Intranet, you can’t because it’s not open to the public.

Therefore, for a database to be “internet facing”, anyone with an internet connection can go in—though for this case, it’s still not as easy as loading a website.

Why is it not a website?

Because not everything on the Internet is about websites.

The database is online but it’s not “readable” by your typical browser. Just think of it as an Excel spreadsheet (it’s not lah, but something close): you cannot open a spreadsheet on your browser, right?


Same thing: for the database to be loaded, it needs a database software, and for web access to this database, it needs authorisation.

So unless you’re an IT or SQL (usually used for database reading) expert, chances are you won’t even know what that is.

How was it discovered?

You might think of a hacker as a guy with black hood typing green codes on a black background, asking for Bitcoins and whatnot, but fact of the matter is, there is another group of hackers called the white-hat hackers.

White-hat hackers are ethical (i.e. good) hackers who look for vulnerabilities like these and patch them up. They’re the real cyber-security experts, and are usually so talented that organizations engage them with a high salary the moment they spot a hard-to-find vulnerability.

In this case, an overseas cyber-security expert, who is described as a white-hat cyber-security professional “of certain standing”, found the database online. As an ethical hacker, he immediately alerted the Personal Data Protection Commission, which then led to HSA contacting its vendor immediately.

The expert has also confirmed that he’s not releasing the records online (cuz he’s ethical!) and is deleting the records.


Why was it even online?

Good question.

The IT vendor has not disclosed whether it was an error or they simply put it online for easy access by their team members: however, HSA neither approved nor was notified about the database being put online.

According to HSA, that was against the vendor’s contractual obligations.

What is the damage?

Luckily, preliminary findings based on the database logs show that only the cyber-security expert has accessed the information.

Logs are usually “hidden” records kept by software that show almost every single action done by the software. For example, when you’re using your phone, your device OS is most probably logging each scroll or tap, so that should your device suddenly crash, you can check the logs to see what caused the crash.


Of course, usually only developers would look at logs and not laymen like us.

In other words, the database hasn’t been seen by any other third party.

What information is in the database?

It is a database that contains registration-related information of 808,201 blood donors: Name, NRIC, gender, number of blood donations, dates of the last three blood donations, and in some cases, blood type, height and weight. The database contained no other sensitive, medical or contact information.

What next?

Investigations are ongoing, and the Chief Executive Officer of HSA has apologised to the public, saying this: “We sincerely apologise to our blood donors for this lapse by our vendor. We would like to assure donors that HSA’s centralised blood bank system is not affected. HSA will also step up checks and monitoring of our vendors to ensure the safe and proper use of blood donor information.”

They have also issued an online letter to apologise, but the details are mainly what you’ve read here.

According to Channel NewsAsia, HSA is considering its legal options, and that includes terminating the vendor’s services.

The vendor has since spoken, saying that it is conducting a thorough review of its IT systems. It added, “The affected server was immediately secured upon notification of the unauthorised access…We have engaged external cybersecurity professionals, KPMG in Singapore, and initiated a thorough review of our IT systems. We are working closely with HSA and other authorities in continuing investigations.”

A police report has been made and investigations are ongoing.


Which leads to the next question…

What is Secur Solutions Group?

In the previous IT slip-up, the vendor was NCS, and everyone knows them: they’re one of the largest IT firms in Singapore and have Singtel as their parent company. In fact, I knew about NCS even when I was in secondary school.

And in this latest incident? Secur…what?

I’ve not heard of Secur Solutions Group before, and of course the first person I ask is Google. I mean, as an IT company, you’ll expect their website to be hard-coded manually without the use of a Content Management System, and they would be using the chimmest codes with httpssssssssssss, which is secured and powderful.

So, I Googled and…

Wait, what? Wix? That’s like a platform used by students to start their website for a school project, since it’s drag-and-drop.

After more digging, here’s the only information I could find and it’s from Jobstreet:

Secur Solutions Group (SSG) is an industry pioneer and leader in the distribution of plastic card personalisation equipment and customized software systems.

SSG products and services portfolio includes customized software for card issuance and productivity solutions, mobile payment, core banking integration, branch automation, signage and queue management for digital customer engagement.

We are rapidly growing our team to better serve our customer base.

Or maybe they don’t have an online presence, and this “Secur Solutions Group” I found is another company.

What should blood donors do next?

Nothing. If you’ve read everything, you’ll realise that while it’s a slip-up, no damage was done.

In fact, you should continue to donate blood, and judging from a TODAYonline article, it seems like the 1.84% of the Singapore population who’s donating blood doesn’t seem to care, because saving lives is more important.

Like what a blood donor said, “In this case, it’s not a matter of life and death. But in the case of donating blood, it might be.”

So continue to donate blood, and hopefully, this incident would bring more awareness about blood donation instead, because every cloud has a silver lining, eh?