Many organizations collected data during the epidemic in an effort to stop the spread of COVID. Visitors to Thomson Medical could use a portal, but the information was not kept only in a secure database; it was also held in a database that the general public could access.
Thomson Medical has been instructed to conduct a web search to ensure that no personally identifiable information has been published online.
The compromised information includes the personal data of 44,679 of the Organisation’s visitors, including the date and time of visit, temperature, type of visitor (purpose of stay), name of the visitor, name of newborn, contact number, NRIC/FIN/passport number, doctor/clinic name or room visiting, and answers to a health declaration questionnaire (which included a declaration by the visitor.
Thomson Medical has also been instructed to review the process it uses to deploy applications and to include measures like data retention policies and security testing procedures.
These instructions respond to a data breach incident in which a Health Declaration Portal was not secured, allowing visitors' private information to be accessed by anyone.
Source: https://www.databreaches.net/recent-decision-by-the-pdpc/
TPRM report: https://scoringcyber.rankiteo.com/company/thomson-medical
{
  "id": "tho653231222",
  "linkid": "thomson-medical",
  "type": "Breach",
  "date": "12/2022",
  "severity": "100",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{'affected_entities': [{'customers_affected': 44679,
                        'industry': 'Healthcare',
                        'name': 'Thomson Medical',
                        'type': 'Healthcare'}],
 'attack_vector': 'Unsecured Database',
 'data_breach': {'number_of_records_exposed': 44679,
                 'personally_identifiable_information': True,
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Date and time of visit',
                                              'Temperature',
                                              'Type of visitor (purpose of '
                                              'stay)',
                                              'Name of the visitor',
                                              'Name of newborn',
                                              'Contact number',
                                              'NRIC/FIN/passport number',
                                              'Doctor/clinic name or room '
                                              'visiting',
                                              'Answers to a health declaration '
                                              'questionnaire']},
 'description': 'Many organizations took action to gather data during the '
                'COVID-19 epidemic to stop the spread. Visitors to Thomson '
                "Medical could use a portal, but the information wasn't just "
                'kept in a secure database; it was also held in a database '
                'that the general public could access. Thomson Medical has '
                'been given instructions to conduct a web search to ensure '
                'that no personally identifiable information has been '
                'published online. The compromised information includes the '
                'personal data of 44,679 of the Organisation’s visitors, '
                'including the date and time of visit, temperature, type of '
                'visitor (purpose of stay), name of the visitor, name of '
                'newborn, contact number, NRIC/FIN/passport number, '
                'doctor/clinic name or room visiting, and answers to a health '
                'declaration questionnaire (which included a declaration by '
                'the visitor.',
 'impact': {'data_compromised': 'Personal data of 44,679 visitors',
            'systems_affected': 'Health Declaration Portal'},
 'response': {'remediation_measures': 'Review application deployment process, '
                                      'include data retention policies and '
                                      'security testing procedures'},
 'title': 'Thomson Medical Data Breach',
 'type': 'Data Breach',
 'vulnerability_exploited': 'Unsecured Health Declaration Portal'}