Report of the COI into the Cyber Attack on SingHealth 10 Jan 2019
COI Report – Part III Page 88 of 425 the email to Epic. Having ascertained that he was the sender, Dr Chong immediately terminated Zhao’s employment by pm on 18 September 2014. 260. There is some inconsistency in the evidence on whether Zhao communicated additional details about his findings to Lai Choo and Clarence, when they met him to ascertain if he sent the email. But what is undisputed is that no action was taken by IHiS to formally investigate, assessor rectify the alleged vulnerability. 261. Dr Chong’s evidence is that she “considered this matter concerning Zhao] to be primarily a disciplinary issue, and not an IT security issue”. On the alleged vulnerability, Dr Chong’s evidence is that she, Clarence, and Lai Choo thought that the alleged vulnerability would be “irrelevant” following recent upgrades to the SCM system architecture, or that the alleged vulnerability was in fact a “well- documented” problem with Microsoft’s SQL server and not the SCM itself, and which “could be addressed by additional layers of security”. Since no steps were taken to investigate further, these views were unverified assumptions. 262. Later in the evening on 18 September 2014, Dr Chong wrote back to David Chambers, informing him that Zhao had been dismissed. Dr Chong also stated that “My technical people have investigated the subject mentioned and concluded that the exposure is a normal programming of codes to extract data from the database, which is done as a normal course of work.” Dr Chong has explained that the technical people she referred to were in fact Lai Choo, Clarence and their staff. Dr Chong has also confirmed that the explanation given in her email was an expression of opinion, and there was in fact no formal inquiry conducted. No further steps were taken by IHiS in relation to this incident after this email was sent. 263. While the SCM vulnerability was not the sole contributing factor in the Cyber Attack, it likely played a pivotal role in allowing the attacker to obtain the SCM database credentials and cross the last mile to gain access into the SCM database. IHiS has accepted that if further queries and investigations had in fact been carried out, the coding vulnerability could have been discovered. In this
