Skip to main content

American blamed for Singapore data leak

January 30, 2019 | Expert Insights

Records of as many as 14,200 people with HIV and their 2,400 contacts have been “illegally disclosed online”, Singapore’s health ministry said in a statement, marking the second cyberattack the city-state has suffered in a year.


A cyberattack is any type of offensive manoeuvre that targets computer information systems, infrastructures, computer networks, or personal computer devices. Depending on context, cyberattacks can be part of cyberwarfare or cyberterrorism. A cyberattack can be employed by nation-states, individuals, groups, society or organizations. A cyberattack may originate from an anonymous source.

A cyberattack may steal, alter, or destroy a specified target by hacking into a susceptible system. Cyberattacks can range from installing spyware on a personal computer to attempting to destroy the infrastructure of entire nations. Legal experts are seeking to limit the use of the term to incidents causing physical damage, distinguishing it from the more routine data breaches and broader hacking activities. Cyberattacks have become increasingly sophisticated and dangerous.

Professional hackers, either working on their own or employed by the government or military service, can find computer systems with vulnerabilities lacking the appropriate security software. Once found, they can infect systems with malicious code and then remotely control the system or computer by sending commands to view content or to disrupt other computers. There needs to be a pre-existing system flaw within the computer such as no antivirus protection or faulty system configuration for the viral code to work.


The HIV-registry data of Singapore was leaked by a U.S. citizen, Mikhy K. Farrera Brochez, who was deported from Singapore after serving jail time for fraud and drug-related offences, the ministry said. The leaked information included names, test results and contact details of 5,400 Singaporean citizens and 8,800 foreigners.

The latest data spill comes less than a year after a cyberattack on SingHealth that had exposed the medical data of about 1.5 million people, including outpatient details of the Singapore Prime Minister Lee Hsien Loong. This breach is especially problematic since it compromises the identity of those living with HIV in a region which there’s still a lot of social stigma around the condition.

“While access to the confidential information has been disabled, it is still in the possession of the unauthorized person, and could still be publicly disclosed in the future,” the ministry said in a statement. The ministry is scanning the Internet for signs of further disclosure of the breached information.

Singapore’s laws prohibit the disclosure of a patient’s HIV status and related data, without the person’s consent except under certain circumstances. The attacks underscore the difficulties companies and governments face in protecting private details of consumers against malicious hacks. In 2017, the global WannaCry ransomware attack crippled parts of the U.K.’s National Health Service for days. In a 2015 hack, U.S. health insurance giant Anthem Inc. had about 79 million customers’ personal information exposed.

The alleged culprit, Farrera-Brochez, was the boyfriend of a doctor heading Singapore’s National Public Health unit who was also convicted in 2018 of abetting Brochez’s actions and providing false information to government agencies, according to the ministry statement.

Singapore had nearly 8,000 Singapore residents living with HIV in 2017, according to figures released last year. Singapore posts about 450 new HIV cases annually, a number that has been consistent since 2008. Most of the new cases involved men, according to the report.


Our assessment is that even Singapore’s protected networks are being targeted, despite their investments in setting up strong cyber defences and firewalls. We believe that the leakage of sensitive information shows that it’s important to ring-fence the human element for active cybersecurity.