Document Code: SG-C-27 Full Title: The 2018 SingHealth Cyber Attack — Singapore's Largest Data Breach and the Digital Defence Pivot Coverage Period: 2018–2019 Level Designation: Level 2 Status: [WIP — outline]
Primary Sources Consulted:
- Committee of Inquiry into the Cyber Attack on Singapore Health Services Private Limited's Patient Database System, Public Report (10 January 2019), chaired by Richard Magnus (the "COI Report"); publicly released at the Singapore judiciary website and IHIS corporate website
- Ministry of Health / Cyber Security Agency of Singapore / Integrated Health Information Systems, joint press statement, 20 July 2018 — "Public Advisory on Cyber Attack on SingHealth's Patient Database"
- Personal Data Protection Commission, Re: Singapore Health Services Pte Ltd and Integrated Health Information Systems Pte Ltd, Decision No. DP-1801-B3237 (15 January 2019)
- Cybersecurity Act 2018 (Act 9 of 2018), Singapore Statutes Online — passed 5 February 2018, commenced 31 August 2018
- Parliamentary Debates (Hansard), PM Lee Hsien Loong parliamentary statement on the SingHealth cyberattack, 6 August 2018
- Parliamentary Debates (Hansard), ministerial statement by Gan Kim Yong (Minister for Health) and S Iswaran (Minister for Communications and Information), 6 August 2018
- Public Sector Data Security Review Committee, Report (27 November 2019), chaired by DPM Teo Chee Hean
- Symantec Threat Intelligence, "Whitefly: Espionage Group has Singapore in Its Sights," Technical Intelligence Blog (6 March 2019) — threat actor attribution
- Cyber Security Agency of Singapore, Singapore Cyber Landscape 2018 (2019 annual report), containing post-SingHealth regulatory response analysis
- Ministry of Defence, Singapore, Total Defence: A Stronger Singapore (5th Pillar to 6th Pillar update, February 2019) — official documentation adding Digital Defence as the sixth Total Defence pillar on Total Defence Day 2019 (15 February 2019)
- S Iswaran, speech at the Committee of Inquiry press conference, 10 January 2019
- Lee Hsien Loong, National Day Rally 2018 (19 August 2018) — references to the SingHealth attack and national cybersecurity readiness
- Parliamentary Questions and ministerial statements on the SingHealth cyberattack and the PDPC penalties, August 2018 – February 2019
- IHIS (Integrated Health Information Systems), Annual Report 2018 and post-COI remediation disclosures
- Ministry of Health Singapore, "What You Need to Know about the Cyber Attack" FAQ, official publication, July 2018
- Benjamin Ang and Shashi Jayakumar, eds., Cybersecurity in ASEAN: An Urgent Call to Action (RSIS Monograph No. 36, 2018) — published in the same year as the attack
- [TBD-VERIFY: Full financial penalty breakdown — exact penalty quantum for SingHealth versus IHiS, if published COI report specifies distinct amounts from the PDPC decision dated 15 January 2019]
- [TBD-VERIFY: Specific names of the database administrator and IT staff identified by name in the COI report as having given evidence; the COI report uses anonymised references in the public version]
- [TBD-VERIFY: Specific APT group technical indicators (command-and-control infrastructure, malware families) from Symantec's "Whitefly" report that are publicly confirmed as applied to the SingHealth intrusion]
- Parliamentary Debates (Hansard), debate on the Public Sector (Governance) Act 2018, referencing data security obligations
Related Documents:
- SG-D-32: Cybersecurity Governance — From CSA Founding to the AI Era
- SG-D-31: The Personal Data Protection Act and Singapore's Privacy Governance Architecture
- SG-O-07: Digital Governance
- SG-D-17: Technology and Smart Nation
- SG-I-15: The National Security Coordination Secretariat
- SG-I-20: The Singapore Armed Forces and Total Defence Doctrine
- SG-C-09: The Lee Hsien Loong Era Part I (2004–2011)
- SG-C-10: The Lee Hsien Loong Era Part II (2012–2024)
- SG-M-03: The Vulnerability Philosophy
- SG-F-22: Cyber Security (Foreign Policy Dimension)
- SG-D-27: POFMA — Protection from Online Falsehoods and Manipulation Act
- SG-K-21: The SingHealth Data Breach 2018
- SG-C-24: The Mas Selamat Kastari Escape — Whitley Detention Centre, ISD Failure, and the 2008 Crisis
Version Date: 2026-05-14
1. Key Takeaways
- The SingHealth cyberattack of June–July 2018 was the largest data breach in Singapore's history, compromising the personal particulars of 1.5 million patients and the outpatient dispensed-medicines records of 160,000 individuals — including, most significantly, the personal data and medication information of Prime Minister Lee Hsien Loong, who was specifically and deliberately targeted by the attackers. The attack was not discovered through automated monitoring but by a database administrator at Integrated Health Information Systems (IHiS) who noticed unusual activity on 4 July 2018 and raised the alarm. The attackers had been present inside SingHealth's network since at least August 2017 — nearly a year before detection. The public was not informed until 20 July 2018, after MOH and CSA had confirmed the breach's scope and begun remediation.
- The Committee of Inquiry chaired by Richard Magnus, a former Chief District Judge and Senior Counsel, reported on 10 January 2019 and identified sixteen recommendations, led by seven priority measures. The COI found that the attack was the work of a sophisticated, persistent, state-linked actor who had conducted a deliberate and targeted campaign against the SingHealth database specifically because it held the Prime Minister's records. This framing — not opportunistic data theft but targeted intelligence collection against a head of government — elevated the SingHealth attack from a healthcare sector breach to a national security incident. The COI's public report is one of the most detailed post-breach accountability documents published by any Asian government and remains a reference text in regional cybersecurity governance.
- The COI identified five systemic failure categories within IHiS and SingHealth that had collectively enabled the breach: inadequate staff training and security culture; absence of timely and effective intrusion detection; failure to patch known vulnerabilities; weak privileged-access controls; and an incident reporting process that introduced critical delays between initial detection and escalation. The attack began from a compromised workstation at Singapore General Hospital, from which the attacker conducted lateral movement, privilege escalation, and reconnaissance over many months before reaching the SCM (Sunrise Clinical Manager) database that held patient records. The time between the first known indicator of compromise (August 2017) and the database administrator's anomaly detection (4 July 2018) was approximately ten months — a dwell time that the COI treated as a central failure of detection.
- The Personal Data Protection Commission issued combined penalties of S$1 million on 15 January 2019 — the largest data-protection financial penalty in Singapore's regulatory history at that point — against SingHealth (S$250,000) and IHiS (S$750,000), five days after the COI report. The PDPC's concurrent jurisdiction with the COI's findings illustrated the layered accountability architecture that Singapore applies to major incidents: a public-interest Committee of Inquiry for institutional accountability, a regulatory enforcement action for the data protection dimension, and parliamentary scrutiny for the political dimension. The penalty ceiling was later raised structurally: the Personal Data Protection (Amendment) Act 2020 set the maximum financial penalty at 10% of annual Singapore turnover or S$1 million, whichever is higher, with the SingHealth incident cited as demonstrating the inadequacy of the pre-2020 ceiling.
- The most consequential governance response to the SingHealth attack was the designation of Digital Defence as the sixth pillar of Total Defence, announced on 15 February 2019 — Total Defence Day. Singapore's Total Defence framework, established in 1984, had comprised five pillars: Military, Civil, Economic, Social, and Psychological Defence. The addition of Digital Defence formally elevated cybersecurity from a technical-operational concern to a whole-of-society, whole-of-nation obligation requiring every citizen, organisation, and government agency to participate in Singapore's collective digital resilience. The announcement, made by MINDEF, signalled that the SingHealth attack had been interpreted at the highest levels of government not merely as an IT failure but as a challenge to Singapore's strategic sovereignty.
- The SingHealth attack catalysed a series of downstream governance reforms that outlasted the immediate remediation period: the Public Sector Data Security Review Committee report of November 2019, the extension of the data-mishandling offences in the Public Sector (Governance) Act 2018 beyond public officers to contractors and other third parties handling government data (on the Review Committee's recommendation), substantial government cybersecurity budget increases, and the Internet Separation Policy for public healthcare computers adopted immediately after the breach. The Internet Separation Policy — requiring that computers in healthcare settings holding patient records be isolated from the public internet — was operationally disruptive but was accepted as a proportionate response to the demonstrated threat vector. It is one of the few instances in Singapore's governance history where a cyber incident directly caused a nationwide operational change affecting tens of thousands of healthcare workers.
- The Symantec attribution of the attack to the "Whitefly" advanced persistent threat actor, published on 6 March 2019, implied state sponsorship without naming the sponsoring state, and the Singapore government declined to make a public attribution by country. This non-attribution posture, consistent with Singapore's foreign policy practice of strategic ambiguity, contrasted with the approach taken by the United States and United Kingdom, which have both named state actors in comparable cyber incidents. The COI report described the attacker as "an advanced persistent threat actor" and noted that the attack was "the work of a skilled and sophisticated attacker", but its public report did not identify the actor's national origin. The Singapore government's reluctance to attribute publicly reflects the small-state doctrine: naming a major power as the attacker would impose costs in bilateral relations that Singapore's strategic position makes it unwilling to bear.
2. The Record in Brief
The SingHealth cyberattack of 2018 was the incident that transformed cybersecurity in Singapore from a policy domain into a national security priority embedded in the country's deepest civic frameworks. It also represented the most direct known intrusion against Singapore's head of government in the nation's modern history, and it exposed a gap between Singapore's reputation for institutional competence and the operational reality of its largest healthcare IT system.
Singapore Health Services Pte Ltd (SingHealth) is one of Singapore's three public healthcare clusters, responsible for Singapore General Hospital — the republic's largest acute hospital — as well as National Cancer Centre Singapore, National Heart Centre Singapore, National Dental Centre Singapore, KK Women's and Children's Hospital, and a network of polyclinics. Its IT infrastructure was managed by Integrated Health Information Systems Pte Ltd (IHiS), a wholly owned subsidiary of MOH Holdings (MOHH) that serves as the centralised technology arm for all public healthcare clusters in Singapore. This organisational architecture — one healthcare cluster as data controller, a separate IT entity as the data intermediary operating and maintaining the system — would become central to the PDPC's analysis of accountability.
At the time of the attack, SingHealth's clinical records were held in the Sunrise Clinical Manager (SCM) database, a commercially available electronic medical record system. The SCM database held records for patients who had attended SingHealth facilities, including name, NRIC number, address, date of birth, sex and race, together with records of outpatient dispensed medicines. The 1.5 million patients whose particulars were taken were those who had visited SingHealth's specialist outpatient clinics and polyclinics between 1 May 2015 and 4 July 2018, roughly a quarter of Singapore's total population.
The attackers' first known point of compromise was a workstation at Singapore General Hospital that was infected with malware by August 2017. Over the following months, using a combination of credential harvesting, lateral movement through the IHiS network, and privilege escalation to administrative accounts, the attackers progressively extended their access until they could connect directly to the SCM database server. The Committee of Inquiry found that multiple indicators of compromise were present and detectable during this dwell period but were not recognised or acted upon in a timely manner.
The attacker accessed the SCM database directly and conducted a series of queries between 27 June and 4 July 2018, exfiltrating approximately 1.5 million patient records over this eight-day window. The queries were not random: they were targeted specifically at patients who had visited SingHealth facilities and, most deliberately, at the outpatient dispensed medicines records of Prime Minister Lee Hsien Loong. A database administrator at IHiS detected anomalous activity in the SCM database on 4 July 2018 and escalated internally. IHiS management blocked the attacker's access to the database the same day and reported the incident through its internal channels to MOH Holdings.
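The anomaly the administrator noticed by hand on 4 July 2018 is the kind of signal that should have come from monitoring. The following is an added example, not IHiS code and not drawn from the COI report: it baselines the rows each database account normally returns per query and flags bulk reads, reads from a host the account does not normally use, and off-hours activity. The audit-log format, account names, host names and thresholds are all assumptions, and the log lines are constructed for the example.

```python
"""Added example (not IHiS code): bulk-extraction detection over constructed
database audit-log lines. Format, accounts, hosts and thresholds are assumed."""
from dataclasses import dataclass
from datetime import datetime
from statistics import median

# Constructed audit-log lines (assumed format):
# timestamp|account|source_host|rows_returned|statement
SAMPLE_LOG = """\
2018-06-26T09:12:04|clin_app_svc|scm-app-01|1|SELECT ... WHERE patient_id = ?
2018-06-26T09:15:31|clin_app_svc|scm-app-01|1|SELECT ... WHERE patient_id = ?
2018-06-26T10:02:11|clin_app_svc|scm-app-02|3|SELECT ... WHERE patient_id = ?
2018-06-26T11:40:00|dba_maint|dba-ws-07|250|SELECT COUNT(*) ... GROUP BY clinic
2018-06-27T02:13:45|clin_app_svc|ws-sgh-0421|48000|SELECT name, nric, address FROM patient
2018-06-27T02:20:09|clin_app_svc|ws-sgh-0421|52000|SELECT ... FROM dispensed_medicines
2018-06-27T09:01:00|clin_app_svc|scm-app-01|1|SELECT ... WHERE patient_id = ?
"""

# Hosts each account is expected to connect from (assumed).
ALLOWED_HOSTS = {
    "clin_app_svc": {"scm-app-01", "scm-app-02"},
    "dba_maint": {"dba-ws-07"},
}


@dataclass
class Event:
    ts: datetime
    account: str
    host: str
    rows: int
    statement: str


@dataclass
class Alert:
    event: Event
    reasons: list


def parse_log(text):
    """Parse the pipe-separated audit lines into Event objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, host, rows, statement = line.split("|", 4)
        events.append(Event(datetime.fromisoformat(ts), account, host, int(rows), statement))
    return events


def baseline_rows(events):
    """Median rows returned per query for each account. The median is
    robust to the very outliers the detector is meant to catch."""
    per_account = {}
    for e in events:
        per_account.setdefault(e.account, []).append(e.rows)
    return {account: median(rows) for account, rows in per_account.items()}


def detect(text, allowed_hosts, row_multiplier=20, abs_ceiling=10_000, business_hours=(7, 20)):
    """Return alerts for queries that look like bulk extraction.

    A query is flagged when it returns more rows than both an absolute
    ceiling and a multiple of the account's baseline, or when two weaker
    signals (unexpected source host, off-hours activity) coincide."""
    events = parse_log(text)
    baseline = baseline_rows(events)
    alerts = []
    for e in events:
        reasons = []
        if e.rows > max(abs_ceiling, row_multiplier * baseline[e.account]):
            reasons.append("bulk_rows")
        if e.host not in allowed_hosts.get(e.account, set()):
            reasons.append("unexpected_host")
        if not (business_hours[0] <= e.ts.hour < business_hours[1]):
            reasons.append("off_hours")
        if "bulk_rows" in reasons or len(reasons) >= 2:
            alerts.append(Alert(e, reasons))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG, ALLOWED_HOSTS):
        print(a.event.ts, a.event.account, a.event.host, a.event.rows, a.reasons)
```

Run as a script, the two 02:00 queries from the workstation are reported with all three reasons, while the administrator's own 250-row maintenance query is not. The per-account baseline matters: an application account that normally fetches one patient at a time and suddenly returns tens of thousands of rows is the signature of the 27 June to 4 July window, whatever the query text looks like.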
The delay between IHiS's internal escalation on 4 July 2018 and formal notification to the Cyber Security Agency on 10 July 2018 — a gap of six days — became one of the most criticised aspects of the incident response. CSA and MOH were formally notified on 10 July. The Singapore Police Force's Cybercrime Command was notified on the same day. The government spent the subsequent ten days investigating the breach's scope, confirming patient numbers, and determining what information had been exfiltrated, before issuing a public advisory on 20 July 2018. The Prime Minister was informed by the Ministry of Health that his records had been specifically targeted.
The public disclosure on 20 July 2018 — a joint statement from the Ministry of Health, the Cyber Security Agency, and IHiS — was unprecedented in Singapore's governance history. It was the first time a Singapore government agency had publicly disclosed a cyberattack on critical information infrastructure while the investigation was still under way, and the first time the personal data of a sitting Prime Minister had been confirmed as a target. The Cybersecurity Act 2018, passed in February, had not yet commenced (it came into force on 31 August 2018), so the response was handled under the pre-existing arrangements rather than under the Act's statutory incident-reporting regime.
3. Timeline: August 2017 – February 2019
August 2017: First known compromise of an IHiS workstation at Singapore General Hospital. Malware installed; attackers begin reconnaissance of the IHiS network.
August 2017 – June 2018: Dwell period. Attackers conduct progressive lateral movement through the IHiS network. Multiple indicators of compromise are present — unusual login activity, anomalous queries to network resources — but are not recognised as part of a coordinated intrusion. The COI found that some staff who noticed anomalous activity did not escalate it through the correct incident reporting channels.
27 June 2018: Attackers begin direct queries against the Sunrise Clinical Manager (SCM) database. The data exfiltration window opens.
4 July 2018: A database administrator at IHiS detects anomalous queries against the SCM database and escalates the concern internally. IHiS management blocks the attacker's database access. The exfiltration window closes. IHiS begins internal investigation.
10 July 2018: IHiS formally notifies the Cyber Security Agency and the Ministry of Health. The Singapore Police Force Cybercrime Command is simultaneously notified. Forensic investigation begins to determine the full scope of exfiltrated data.
12–19 July 2018: CSA, MOH, IHiS, and SPF conduct joint investigation. Scope of breach confirmed: 1.5 million patients' personal particulars; 160,000 patients' outpatient dispensed-medicines records; Prime Minister Lee Hsien Loong's records specifically targeted. Government prepares public communication strategy.
20 July 2018: Joint public advisory issued by MOH, CSA, and IHiS. PM Lee Hsien Loong issues a personal statement confirming his records were targeted and calling the attack "a deliberate, targeted, and well-planned cyber-attack." Internet Separation Policy for healthcare computers begins implementation — computers used to access patient records in public healthcare settings are disconnected from the public internet.
24 July 2018: Minister for Communications and Information S Iswaran announces a Committee of Inquiry under the Inquiries Act, chaired by Richard Magnus, former Chief District Judge and Senior Counsel. The other members are Lee Fook Sun, T.K. Udairam and Cham Hui Fong.
6 August 2018: Parliament sits for the first time since the disclosure. PM Lee Hsien Loong, Minister for Health Gan Kim Yong, and Minister for Communications and Information S Iswaran make ministerial statements on the attack. PM Lee states he does not know why his records were specifically targeted but notes that while "no prescription information, no diagnosis, no test results, no doctors' notes or any other records" were taken, the attackers had "made multiple attempts to obtain" this information specifically from his records.
19 August 2018: National Day Rally 2018. PM Lee Hsien Loong references the SingHealth attack, frames it in the context of Singapore's vulnerability in cyberspace, and calls on Singaporeans to treat cybersecurity as a personal and national responsibility.
September–November 2018: COI hearings conducted. Witnesses include senior IHiS management, SingHealth clinical and administrative staff, CSA officials, and cybersecurity experts.
10 January 2019: COI Public Report released. Richard Magnus chairs press conference. Report runs to several hundred pages with sixteen recommendations, seven classified as priority. S Iswaran addresses the media on the government's acceptance of the recommendations.
15 January 2019: Personal Data Protection Commission issues enforcement decisions against SingHealth (S$250,000) and IHiS (S$750,000). Combined total S$1 million — the largest data-protection penalty in Singapore's regulatory history at the time.
15 February 2019: Total Defence Day. Ministry of Defence announces that Digital Defence is added as the sixth pillar of Total Defence, citing the SingHealth attack and the growing importance of cybersecurity to Singapore's existential resilience.
4. The Attack Methodology — Advanced Persistent Threat and State-Sponsored Attribution
The SingHealth attack belongs to a category of intrusions that the cybersecurity industry designates "Advanced Persistent Threat" (APT) operations: targeted, well-resourced, patient campaigns conducted by actors with specific intelligence objectives rather than financial motivation. The COI report and subsequent industry analysis by Symantec identified the characteristics that placed this attack firmly in the APT category.
Targeting specificity: The attackers were not conducting broad opportunistic scanning of Singaporean networks. The SCM database at SingHealth was a specific target, and within that database the Prime Minister's records were a specific sub-target. This level of targeting requires pre-operational intelligence — knowledge of what the database contains, where it is located in the network topology, and which records it holds for specific individuals. The COI report noted that the attacker "aimed to steal specific data relating to the Prime Minister" and found no evidence that financial data or records unrelated to the specific targets were sought.
Patience and dwell time: The approximately ten-month gap between the initial compromise (August 2017) and the exfiltration window (June–July 2018) is characteristic of state-linked APT operations, which typically conduct extended reconnaissance before executing their collection objectives. This patience contrasts sharply with financially-motivated cybercrime, in which attackers typically move quickly to monetise access before detection. The long dwell time also demonstrates the inadequacy of perimeter-based security models: once an attacker is inside the network, the detection window depends entirely on the quality of internal monitoring, behavioural analytics, and staff vigilance.
Custom tooling and living-off-the-land techniques: Symantec's Whitefly analysis (discussed below) describes custom malware used alongside legitimate, publicly available tools repurposed for offensive use. The combination matters for defenders: activity that rides on utilities already present in the environment, or on tools that are not malware in themselves, produces few signature-based detections, so the detection burden shifts to behaviour (an account appearing on hosts it has no business on, query volumes far above an account's norm) rather than recognition of a known malicious file.
Lateral movement methodology: The attackers used compromised credentials — obtained through the initial workstation infection — to move progressively through the IHiS network. The COI found that the network's internal segmentation was insufficient to prevent an attacker who had breached a workstation from eventually reaching the database tier. Privileged account credentials with administrative access to the SCM database were accessible in ways that should not have been possible under the principle of least privilege.
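The lateral movement and dwell-time points above translate into two checks that ordinary logon records can support. The block below is an added example, not IHiS code and not a reconstruction of the COI's findings: a "fan-out" check flags one account authenticating remotely to many hosts within a short window, and a "tier" check flags any logon to a database-tier host whose source address is in the workstation network, which is exactly the path segmentation and least privilege are meant to close. The record format, host names, address ranges, logon-type numbering and thresholds are assumptions, and the records are constructed.

```python
"""Added example (not IHiS code): lateral-movement checks over constructed
logon records. Format, hosts, address ranges and thresholds are assumed."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed logon records (assumed format):
# timestamp target_host account source_ip logon_type status
# logon_type follows the Windows convention: 2 interactive, 3 network, 10 remote desktop.
SAMPLE_LOGONS = """\
2018-05-14T08:03:10 ws-sgh-0421 svc_backup 10.20.4.21 3 success
2018-05-14T08:05:44 ws-sgh-0110 svc_backup 10.20.4.21 3 success
2018-05-14T08:09:02 ws-sgh-0333 svc_backup 10.20.4.21 3 success
2018-05-14T08:11:30 citrix-01 svc_backup 10.20.4.21 10 success
2018-05-14T08:14:55 scm-db-01 svc_backup 10.20.4.21 3 success
2018-05-14T09:00:00 ws-sgh-0212 nurse_tan 10.20.4.87 2 success
2018-05-14T09:30:00 scm-app-01 clin_app_svc 10.30.1.5 3 success
"""

WORKSTATION_NET = ipaddress.ip_network("10.20.0.0/16")  # assumed workstation range
DB_HOSTS = {"scm-db-01"}                                 # assumed database tier
REMOTE_LOGON_TYPES = {3, 10}


@dataclass
class Logon:
    ts: datetime
    host: str
    account: str
    src_ip: str
    logon_type: int
    status: str


@dataclass
class Finding:
    kind: str
    account: str
    hosts: list
    ts: datetime


def parse_logons(text):
    """Parse whitespace-separated logon records into Logon objects."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, account, src_ip, logon_type, status = line.split()
        out.append(Logon(datetime.fromisoformat(ts), host, account, src_ip, int(logon_type), status))
    return out


def detect_lateral_movement(text, db_hosts=DB_HOSTS, workstation_net=WORKSTATION_NET,
                            window=timedelta(minutes=30), fanout=4):
    """Return findings in time order: one 'host_fanout' per account that reaches
    `fanout` distinct hosts remotely inside `window`, and one 'db_from_workstation'
    per logon to the database tier from a workstation address."""
    events = sorted(parse_logons(text), key=lambda e: e.ts)
    findings = []
    recent = defaultdict(list)   # account -> remote logons inside the window
    flagged = set()              # accounts already reported for fan-out
    for e in events:
        if e.status != "success":
            continue
        # Tier check: the database tier should never see a session from a workstation.
        if e.host in db_hosts and ipaddress.ip_address(e.src_ip) in workstation_net:
            findings.append(Finding("db_from_workstation", e.account, [e.host], e.ts))
        if e.logon_type not in REMOTE_LOGON_TYPES:
            continue
        # Fan-out check: slide the window forward, then count distinct targets.
        bucket = recent[e.account]
        bucket.append(e)
        while e.ts - bucket[0].ts > window:
            bucket.pop(0)
        hosts = sorted({r.host for r in bucket})
        if len(hosts) >= fanout and e.account not in flagged:
            flagged.add(e.account)
            findings.append(Finding("host_fanout", e.account, hosts, e.ts))
    return findings


if __name__ == "__main__":
    for f in detect_lateral_movement(SAMPLE_LOGONS):
        print(f.ts, f.kind, f.account, f.hosts)
```

On the constructed records the service account trips the fan-out check at its fourth host and the tier check when it reaches the database server from a workstation address; the nurse's interactive logon and the application server's own connection to the database tier produce nothing. In production the thresholds would be tuned per account class, and the tier check is the one to alert on unconditionally.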
The Whitefly Attribution: In March 2019, Symantec's threat intelligence team published an analysis designating the actor responsible for the SingHealth attack and other Singapore-targeting campaigns as "Whitefly." Symantec described Whitefly as a group that had been targeting Singapore since at least 2017, focusing on critical sectors including healthcare, media, telecommunications, and engineering. The report identified Whitefly's use of custom malware — including a tool that Symantec called "Vcrodat" — alongside legitimate security tools repurposed for offensive use. Symantec did not formally attribute Whitefly to a specific nation-state in the March 2019 report, but industry analysis and prior research on similar campaigns led most researchers to associate the actor with Chinese state-linked intelligence operations.
The Singapore government's response to the Whitefly attribution was notably restrained. The Cyber Security Agency acknowledged the Symantec report's publication but neither confirmed nor denied Symantec's technical findings in the context of the SingHealth investigation, citing the ongoing criminal investigation. No government spokesperson named a country. This posture is consistent with the small-state doctrine that has governed Singapore's foreign policy responses to perceived aggression by major powers: the calculation that publicly naming a state actor — particularly a large economy with which Singapore has extensive trade and investment relationships — would impose diplomatic and economic costs disproportionate to any remedial benefit from the attribution itself.
This posture contrasts sharply with the practice of the Five Eyes partners. US officials publicly pointed to China over the 2015 OPM data breach (involving 21.5 million federal personnel records); the United Kingdom has attributed a series of GRU and FSB operations by name. Singapore's strategic independence — its refusal to join Western-led attribution coalitions — is presented publicly as a matter of maintaining credibility as a neutral party, but also reflects the asymmetric dependency inherent in a small city-state's relationship with major powers.
5. The 1.5 Million Patients Compromised — PM Lee Hsien Loong's Records Targeted
The scale of the SingHealth breach — 1.5 million patients — was quantitatively significant but the qualitative significance lay in the deliberate targeting of the Prime Minister's records. Understanding both dimensions requires attention to what data was taken, from whom, and what the attackers appeared to be seeking.
The scope of compromised patient data: The 1.5 million patient records that were exfiltrated comprised basic personal particulars: name, NRIC number, date of birth, sex, race, and address. Critically, this did not include clinical records — diagnoses, test results, medical histories, prescriptions, or doctors' notes — beyond the outpatient dispensed-medicines records of the 160,000-patient subset. The MOH's initial public advisory on 20 July 2018 was careful to specify that "no medical records such as clinical notes, laboratory test results and radiology reports" were accessed. This distinction was significant both for the welfare of affected patients and for the government's communication strategy: the data taken, while sensitive and personal, did not include intimate medical details that might cause serious individual harm if publicly disclosed.
The 160,000 patients whose outpatient dispensed-medicines records were also taken formed a more sensitive cohort. Medication dispensing records can indicate diagnoses in many cases — certain drugs are uniquely associated with specific conditions. However, the government stated that it had no evidence the records were published or shared beyond the attacker's collection operation, and the affected patients were individually notified.
The Prime Minister's records as a specific target: Prime Minister Lee Hsien Loong's personal particulars and outpatient dispensed-medicines records were among the 160,000 sets of medicine dispensing records taken. More significantly, the COI report found that the attacker had made multiple repeated and deliberate attempts to obtain additional information specifically from Lee Hsien Loong's clinical records — attempts that were ultimately unsuccessful because the clinical notes portion of the SCM system required a different access pathway that the attacker had not been able to fully compromise.
PM Lee addressed the targeting directly in a Facebook post on 20 July 2018, stating: "I don't know what the attackers were hoping to find. Perhaps they were hunting for some scandalous information to embarrass me. Or perhaps they just wanted to cause a disturbance, and sow doubt about the Government's ability to protect citizens' personal data." This statement — combining genuine uncertainty about the attacker's motive with a frank acknowledgment of political sensitivity — was notable for its directness. In his parliamentary statement of 6 August 2018, PM Lee stated that he was "not particularly anxious about myself" but was deeply concerned about the records of 1.5 million ordinary Singaporeans being stolen.
The deliberate targeting of a head of government's medical records has precedent in state-sponsored intelligence operations globally. Medical intelligence — knowledge of a leader's health status, conditions, medications, or vulnerabilities — has operational value for foreign intelligence services in assessing a target government's stability, succession risk, and negotiating capacity. Whether this was the specific intent behind the SingHealth attack remains unconfirmed by any public governmental source, but the inference was widely drawn by analysts.
Notification of affected patients: All 1.5 million affected patients were notified by SMS through SingHealth's patient messaging system, directing them to check the SingHealth website. A dedicated phone helpline was activated. The COI report reviewed the notification process and found it to have been adequately executed given the scale and time constraints, though some patients reported confusion about whether their clinical records — as distinct from personal particulars — had been accessed.
The healthcare data sensitivity context: The attack occurred against a background of Singapore's increasing integration of digital health records. The National Electronic Health Record (NEHR) system, administered by IHiS, was designed to aggregate patient records across the healthcare ecosystem, enabling different providers to access a patient's history. The SingHealth breach raised immediate questions about the NEHR's security architecture and whether a successful attack on the NEHR's database would create an even larger single-point vulnerability. Post-breach, IHiS implemented additional access controls on the NEHR platform and the MOH commissioned an independent security review. The tension between health data integration — which requires broad accessibility for clinical utility — and security — which favours restricted access and segmentation — is a structural challenge that the SingHealth breach brought sharply into focus for Singapore's healthcare governance.
6. The 20 July 2018 Public Disclosure by MOH, CSA, and IHIS
The public disclosure of the SingHealth cyberattack on 20 July 2018 was a carefully managed exercise in crisis communication and institutional transparency that set precedents for how Singapore's government would handle major cyber incidents in the future. Analysed as a governance act, the disclosure reveals both the strengths and the characteristic constraints of Singapore's communication culture.
The disclosure decision: The government had known about the breach since 10 July 2018, when IHiS formally notified CSA and MOH. The decision to wait until 20 July before public disclosure — a ten-day interval — was not primarily driven by operational security, though the need to contain the forensic investigation before announcement was cited as one consideration. The more significant driver was the need to confirm the scope of the breach with certainty before informing the public. In the absence of a statutory breach-notification deadline applicable in July 2018 (the Cybersecurity Act had not yet commenced, and the PDPA then contained no mandatory breach-notification requirement, which was introduced only by the 2020 amendments), the government exercised its own judgment on the timing of public disclosure.
The structure of the 20 July announcement: The joint advisory was issued simultaneously by three agencies — MOH, CSA, and IHiS — each addressing a different dimension of the incident:
- MOH's contribution addressed the scope of patient data affected, the clinical data not accessed, and the steps being taken to notify affected patients.
- CSA's contribution addressed the technical nature of the attack, the actions taken to contain and remediate the intrusion, and the referral to SPF for criminal investigation.
- IHiS's contribution addressed the operational response, the IT remediation steps already underway, and the engagement of external cybersecurity consultants.
This tripartite structure — combining healthcare, cybersecurity, and IT operations perspectives — reflected the interagency coordination that had been in progress since 10 July and was designed to provide a comprehensive picture in a single communication event rather than a series of incremental disclosures.
PM Lee's personal statement: Prime Minister Lee's Facebook post of 20 July 2018 was published simultaneously with the official advisory. The post was personal in tone — acknowledging directly that his own records had been targeted, speculating candidly about the attacker's possible motivations, and expressing concern for affected patients. The decision to include a personal prime ministerial statement alongside the institutional advisory was unusual in Singapore's governance communications practice and reflected the exceptional nature of an attack that had specifically targeted the head of government. The statement positioned Lee not as a passive victim but as a participant in Singapore's cyber defence — reinforcing the message that cyber resilience is a shared national responsibility.
Parliament's response: Ministerial statements were made to Parliament on 6 August 2018, the first sitting after the disclosure. The statements by PM Lee, Minister Gan Kim Yong, and Minister S Iswaran together constituted the most detailed parliamentary accounting of a cybersecurity incident in Singapore's history up to that point. Opposition MPs asked questions about the adequacy of the government's cybersecurity posture, the delay in public notification, and the implications for other public health databases. The government's responses provided additional technical detail but maintained the position that while the failures were serious and had been addressed, they did not indicate a systemic collapse of Singapore's cybersecurity architecture.
The Internet Separation Policy as an immediate operational response: One of the most significant immediate consequences of the disclosure was the announcement that IHiS would implement an Internet Separation Policy for computers used to access patient records in public healthcare settings. Under this policy, computers with access to clinical systems would be physically or logically separated from internet-connected devices — healthcare workers requiring internet access would need to use a separate device. The policy was operationally disruptive: healthcare workers who had relied on internet access from workstations also used for clinical records — to look up medical literature, check drug databases, or access external communications — were required to change their workflows. The clinical workforce's adaptation to Internet Separation became a test case for how Singapore's healthcare system balanced digital convenience against security requirements, and its implementation was cited by the COI as an appropriate response to the identified attack vector.
7. The Committee of Inquiry — Richard Magnus Chair, January 2019 Report
The Committee of Inquiry into the Cyber Attack on SingHealth's Patient Database System was the most significant formal accountability mechanism triggered by the SingHealth attack. Its report of 10 January 2019 is a foundational document in Singapore's cybersecurity governance history — detailed, technically rigorous, and unusually candid by the standards of Singapore's official inquiry tradition.
Composition and mandate: The COI was constituted under the Inquiries Act (Cap 139A) and chaired by Richard Magnus, former Chief District Judge and Senior Counsel. Magnus had previously chaired or served on a number of high-profile government-appointed review bodies, bringing extensive experience in conducting formal fact-finding proceedings in Singapore's legal tradition. The committee also included Tan Kiat How, who had served as Chief Executive of the Infocomm Development Authority and brought technical credibility to the assessment of IHiS's operations.
The COI's terms of reference directed it to: establish the facts and circumstances of the attack and the data exfiltration; assess the adequacy and timeliness of the response; make recommendations to strengthen cybersecurity and incident management; and assess the remedial measures already implemented.
Process: The COI conducted hearings over approximately three months from late October to December 2018. Witnesses included senior officers from IHiS, SingHealth, the Cyber Security Agency, the Ministry of Health, and the Singapore Police Force's Cybercrime Command, as well as external cybersecurity consultants engaged in the forensic investigation. Some hearings were conducted in closed session given the sensitivity of technical details and ongoing criminal investigations. The COI received extensive written submissions, technical evidence on the attack methodology and the network architecture, and documentary evidence of the internal communications and escalation decisions during the July 2018 incident response period.
Structure of the report: The Public Report released on 10 January 2019 addressed the technical facts of the attack, the organisational and procedural context that enabled it, the incident response from detection to public disclosure, the remediation steps already taken, and the COI's sixteen recommendations. The recommendations were divided into seven "priority recommendations" and nine "additional recommendations." Priority recommendations addressed the most critical systemic failures; additional recommendations addressed process improvements and longer-term capability building.
Public accountability function: The COI report served a dual function. As a fact-finding instrument, it provided the most authoritative public account of how the attack occurred, what the attackers accessed, and what the consequences were. As an accountability instrument, it identified specific organisational units — IHiS above all — as having failed in their responsibilities, while also noting that SingHealth as the data controller bore independent obligations under the PDPA that it had not discharged adequately. The COI did not recommend criminal charges against named individuals in its public report but noted that the relevant authorities — SPF and the Attorney-General's Chambers — would consider whether any conduct warranted prosecution under existing laws including the Computer Misuse Act.
Government's response to the report: S Iswaran addressed the media at the COI's press conference on 10 January 2019, accepting all sixteen recommendations on behalf of the government and indicating that implementation was already underway for many of the priority measures. This acceptance — immediate, comprehensive, and unqualified — was consistent with the Singapore government's standard approach to Committee of Inquiry reports: treat the COI as a legitimate accountability mechanism and demonstrate institutional responsiveness by accepting recommendations publicly. The alternative — contesting COI findings — would have been politically damaging and inconsistent with the government's own framing of the incident as an unacceptable failure that required serious remediation.
8. The Findings — Five Key Failures and IHiS-Specific Vulnerabilities
The COI report's diagnostic section is the most analytically important part of the document: it moves from the factual narrative of the attack to an assessment of why the attack succeeded. The COI identified failures across five systemic categories, each of which revealed something about the organisational culture and operational practices of IHiS.
Failure 1 — Inadequate Security Culture and Staff Training: The COI found that IHiS staff at multiple levels — from junior administrators to senior management — did not have adequate cybersecurity awareness to recognise and respond to the indicators of compromise that were present throughout the dwell period. Staff who noticed anomalous system behaviour did not escalate it through formal incident reporting channels, partly because they lacked confidence that what they were seeing was a security incident (as distinct from a routine technical glitch), and partly because the incident reporting process was not intuitive or well-practised. The COI noted that "staff at IHiS did not have adequate training in cybersecurity" and that this deficiency was not confined to front-line technical staff but extended to management layers who did not create an environment in which cybersecurity vigilance was systematically reinforced.
This finding echoed a broader observation about the relationship between institutional culture and cybersecurity in Singapore's public sector: that the concentration of IT expertise in centralised bodies like IHiS could paradoxically create blind spots, because the assumption that a specialist entity was managing security could reduce vigilance among the clinical and administrative staff who were closest to the data and the systems.
Failure 2 — Absent or Inadequate Intrusion Detection Capability: The COI found that IHiS did not have an adequate capability to detect the type of intrusion that was being conducted. The network monitoring and security operations centre capability that existed was insufficient to identify the combination of compromised credentials, lateral movement, and targeted database queries that characterised the attack. The COI noted that the eventual detection of the attack on 4 July 2018 occurred because a database administrator noticed anomalous queries manually — not because an automated detection system raised an alert. This manual detection, while creditable, was not a substitute for systematic monitoring. The COI recommended that IHiS implement enhanced network traffic monitoring, endpoint detection and response capabilities, and database activity monitoring.
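The detection gap described above is the kind that database activity monitoring is meant to close: the anomalous queries were visible in the database's own records, but nothing was evaluating those records against rules. The following is an added illustration, not code from the COI report or from IHiS; the audit-log format, host and account names, table names and thresholds are all constructed. It parses a few constructed audit lines and applies three rules a defender would typically start with: queries reaching the database directly from a host that is not an application server, bulk reads of tables flagged as sensitive, and interactive accounts active outside maintenance hours.

```python
"""
Toy database activity monitoring (DAM) rule engine.

Added example, not from the COI report or IHiS. The log format, host
names, account names, table names and thresholds are all constructed.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional, Set, Tuple

# Constructed allowlist: only these hosts should talk to the clinical DB.
APP_SERVERS = {"SCM-APP-01", "SCM-APP-02"}
# Constructed: accounts expected to run large batch jobs overnight.
BATCH_ACCOUNTS = {"svc_nightly_etl"}
# Constructed: tables whose bulk export should always raise an alert.
SENSITIVE_TABLES = {"patient", "dispensed_meds"}
BULK_ROW_THRESHOLD = 10_000

# Constructed line format:
#   <iso8601> user=<acct> host=<client host> rows=<rows returned> stmt="<sql>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+) '
    r'rows=(?P<rows>\d+) stmt="(?P<stmt>.*)"$'
)
TABLE_RE = re.compile(r"\bfrom\s+([a-z_]+)", re.IGNORECASE)


@dataclass
class AuditEvent:
    ts: datetime
    user: str
    host: str
    rows: int
    stmt: str
    tables: Set[str] = field(default_factory=set)


def parse_line(line: str) -> Optional[AuditEvent]:
    """Parse one audit line; return None for lines in an unknown format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    tables = {t.lower() for t in TABLE_RE.findall(m["stmt"])}
    return AuditEvent(ts, m["user"], m["host"], int(m["rows"]), m["stmt"], tables)


def evaluate(ev: AuditEvent) -> List[str]:
    """Return the names of the rules an event trips (empty list = benign)."""
    hits = []
    if ev.host not in APP_SERVERS:
        hits.append("direct_query_from_non_app_host")
    if ev.rows >= BULK_ROW_THRESHOLD and ev.tables & SENSITIVE_TABLES:
        hits.append("bulk_read_of_sensitive_table")
    if (ev.ts.hour >= 22 or ev.ts.hour < 6) and ev.user not in BATCH_ACCOUNTS:
        hits.append("off_hours_interactive_account")
    return hits


def scan(lines) -> List[Tuple[str, str, List[str]]]:
    """Return (user, host, rule hits) for every line that trips a rule."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # unparsable lines are skipped, not silently passed
        hits = evaluate(ev)
        if hits:
            alerts.append((ev.user, ev.host, hits))
    return alerts


# Constructed sample audit records: one routine lookup, one legitimate
# overnight batch job, one bulk read of patient data from a workstation,
# and one malformed line.
SAMPLE_LOG = [
    '2018-06-27T09:12:44Z user=scm_app host=SCM-APP-01 rows=1 '
    'stmt="SELECT * FROM patient WHERE id = 4471"',
    '2018-06-27T23:40:02Z user=svc_nightly_etl host=SCM-APP-02 rows=250000 '
    'stmt="SELECT id, visit_date FROM visits"',
    '2018-06-28T02:15:31Z user=dba_admin host=WS-CLINIC-17 rows=120000 '
    'stmt="SELECT name, nric, dob FROM patient"',
    "not an audit line",
]

if __name__ == "__main__":
    for user, host, hits in scan(SAMPLE_LOG):
        print(f"ALERT {user}@{host}: {', '.join(hits)}")
```

Only the third record trips any rule, and it trips all three at once; the overnight batch job passes because its account is on the batch allowlist and it reads a non-sensitive table. Real deployments would key the allowlists off inventory rather than literals, but the shape of the check is the same.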
Failure 3 — Failure to Patch Known Vulnerabilities: The COI found that systems within the IHiS network were running with known, unpatched vulnerabilities at the time of the attack. The COI's report identified that certain systems had not been patched in a timely manner, creating exploitable entry points that a sophisticated attacker could use for lateral movement or privilege escalation. Patching delays in enterprise healthcare IT are a known systemic challenge globally, as healthcare systems frequently run specialised clinical applications that cannot be patched without extensive compatibility testing; nonetheless, the COI found that IHiS's patching programme was inadequate relative to the risk environment.
Failure 4 — Inadequate Privileged Access Management: The COI found that privileged administrative accounts — accounts with the ability to query and modify the SCM database — were not adequately controlled. The principle of least privilege — under which administrative credentials should be restricted to the smallest number of accounts necessary, with each account having only the access required for its specific function — was not properly implemented. This meant that once the attacker had compromised a workstation and harvested credentials, the path to administrative database access was shorter than it should have been in a well-configured environment. The COI recommended specific improvements to privileged access management, including the removal of unnecessary administrator accounts, multi-factor authentication for privileged access, and more rigorous audit logging of administrative actions.
Failure 5 — Defective Incident Reporting and Escalation Process: This was perhaps the most operationally consequential failure category identified by the COI. The report found that when the database administrator detected anomalous activity on 4 July 2018 and escalated internally, the escalation did not reach the Cyber Security Agency until 10 July 2018 — a six-day gap. The COI examined why this gap occurred and found that the escalation path within IHiS and between IHiS and CSA was unclear, under-practised, and not supported by an effective incident classification framework. The first-level escalation within IHiS management on 4 July was treated as an internal IT security matter requiring investigation before external notification, rather than as a confirmed incident requiring immediate regulatory escalation. The COI noted that the definition of a "reportable incident" under IHiS's operational procedures was ambiguous and that staff at the management level who received the initial report did not have the decision-making framework to determine that notification to CSA and MOH was immediately required.
IHiS-Specific Vulnerabilities: Beyond the five systemic failure categories, the COI identified specific architectural vulnerabilities in IHiS's network design. The network segmentation between the workstation environment and the database server tier was insufficient to prevent lateral movement by an attacker who had compromised workstation credentials. The SCM database server was accessible from a wider set of network segments than the principle of least-privilege network design would require. The COI recommended network redesign to impose more restrictive segmentation, so that even a compromised workstation would not provide a pathway to database server access without additional access controls.
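The segmentation finding above can be expressed as a checkable property: the set of network paths that actually reach the database tier must be a subset of the paths the least-privilege design allows. The following is an added example and not the COI's or IHiS's network design; the segments, the two ACLs and the policy are constructed. It evaluates a "flat" ruleset in which workstations can reach the database tier directly, alongside a restrictive ruleset in which only the application tier and an administrative jump segment can, and reports every permitted path the policy does not sanction.

```python
"""
Segmentation check: which network segments can reach the database tier?

Added example, not from the COI report or IHiS. Segments, ACL rules,
ports and the policy are all constructed.
"""
import ipaddress
from typing import List, Optional, Set, Tuple

# Constructed segments of a simplified clinical network.
SEGMENTS = {
    "workstations": ipaddress.ip_network("10.10.0.0/16"),
    "app_tier": ipaddress.ip_network("10.20.0.0/24"),
    "db_tier": ipaddress.ip_network("10.30.0.0/24"),
    "admin_jump": ipaddress.ip_network("10.40.0.0/28"),
}

# ACL entries: (action, src_cidr, dst_cidr, dst_port or None for any port).
# First match wins, default deny.
Rule = Tuple[str, str, str, Optional[int]]

# Constructed "before" ruleset: workstations reach the DB tier directly.
ACL_FLAT: List[Rule] = [
    ("allow", "10.20.0.0/24", "10.30.0.0/24", 1433),
    ("allow", "10.10.0.0/16", "10.30.0.0/24", None),
    ("deny", "0.0.0.0/0", "0.0.0.0/0", None),
]

# Constructed "after" ruleset: app tier on the DB port, admins only from
# the jump segment on the management port, everything else denied.
ACL_SEGMENTED: List[Rule] = [
    ("allow", "10.20.0.0/24", "10.30.0.0/24", 1433),
    ("allow", "10.40.0.0/28", "10.30.0.0/24", 22),
    ("deny", "0.0.0.0/0", "0.0.0.0/0", None),
]

# Least-privilege policy: the only (source segment, port) pairs that may
# reach db_tier. Anything else the ACL permits is a violation.
DB_POLICY = {("app_tier", 1433), ("admin_jump", 22)}
PORTS_OF_INTEREST = (1433, 22, 3389)


def first_match(acl: List[Rule], src_ip, dst_ip, port: int) -> str:
    """Apply first-match semantics; unmatched traffic is denied."""
    for action, src, dst, rule_port in acl:
        if (src_ip in ipaddress.ip_network(src)
                and dst_ip in ipaddress.ip_network(dst)
                and (rule_port is None or rule_port == port)):
            return action
    return "deny"


def segment_reachability(acl: List[Rule], dst_segment: str = "db_tier") -> Set[Tuple[str, int]]:
    """Return the (source segment, port) pairs the ACL allows toward dst_segment.

    One representative host per segment is tested, which is sufficient for
    rules written at segment granularity like the ones above.
    """
    dst_ip = next(SEGMENTS[dst_segment].hosts())
    allowed = set()
    for name, net in SEGMENTS.items():
        if name == dst_segment:
            continue
        src_ip = next(net.hosts())
        for port in PORTS_OF_INTEREST:
            if first_match(acl, src_ip, dst_ip, port) == "allow":
                allowed.add((name, port))
    return allowed


def policy_violations(acl: List[Rule]) -> Set[Tuple[str, int]]:
    """Paths the ACL permits that the least-privilege policy does not."""
    return segment_reachability(acl) - DB_POLICY


if __name__ == "__main__":
    for label, acl in (("flat", ACL_FLAT), ("segmented", ACL_SEGMENTED)):
        print(label, "violations:", sorted(policy_violations(acl)))
```

Against the flat ruleset the check reports every workstation path to the database tier as a violation; against the segmented ruleset it reports none, and the only surviving paths are the two the policy names. The same subset test can be run on exported firewall rules after every change, which is the assurance mechanism the COI's segmentation recommendation implies.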
The SingHealth-IHiS governance gap: The COI also examined the governance relationship between SingHealth (as data controller) and IHiS (as data intermediary). Under the PDPA framework, a data controller that engages a data intermediary to process personal data on its behalf remains responsible for ensuring that the intermediary provides adequate protection. The COI found that SingHealth did not have adequate oversight of IHiS's cybersecurity practices — there was no formal cybersecurity audit regime, no contractual cybersecurity performance requirements binding on IHiS, and no mechanism by which SingHealth's clinical and management leadership received regular assurance about the security of the systems in which their patients' data was held. This governance gap would be directly addressed by the PDPC enforcement decisions issued five days after the COI report.
9. PDPC Enforcement — SingHealth and IHiS Financial Penalties
The Personal Data Protection Commission's enforcement action against SingHealth and IHiS, decided on 15 January 2019, was the most significant data protection regulatory action in Singapore's history at the time of issuance and represented an important jurisdictional test: could the PDPC impose penalties on entities that, while private-sector companies in legal form, were wholly owned by the Ministry of Health Holdings and operated as de facto organs of public healthcare delivery?
Jurisdictional analysis: SingHealth Pte Ltd is a private limited company, albeit one wholly owned by MOH Holdings (MOHH), which in turn is wholly owned by the Ministry of Finance on behalf of the Government of Singapore. IHiS is similarly a private limited company, wholly owned by MOHH. Under section 4(1)(c) of the PDPA, public agencies — defined to include government ministries, organs of state, and statutory bodies — are excluded from the Act's data protection provisions. But SingHealth and IHiS, as private companies, fall outside the statutory definition of "public agency" even though they are state-owned. This meant that the PDPC's jurisdiction was legally available, and the PDPC exercised it.
This jurisdictional determination had significant policy implications. The government's position, articulated in the original PDPA drafting rationale, was that the public-sector exclusion was justified because public agencies operated under separate governance frameworks. The SingHealth enforcement demonstrated that this rationale did not extend to state-owned entities operating in corporate form: entities that had chosen to incorporate as private companies, even with public ownership, were subject to PDPA obligations. The case thus drew a line that implicitly acknowledged the risks created by the public-agency exclusion: the same protections that private citizens enjoyed against private companies extended to state-owned corporate entities, even if not to government agencies directly.
The penalty against SingHealth (S$250,000): The PDPC found that SingHealth, as the data controller for the 1.5 million patient records, had failed in its obligation under section 24 of the PDPA to make reasonable security arrangements to protect personal data against unauthorised access. The PDPC assessed SingHealth's failure as primarily one of governance and oversight: SingHealth had not ensured that IHiS, as its data intermediary, was implementing adequate security measures, and SingHealth's management had not taken adequate steps to understand or oversee the cybersecurity posture of the systems holding its patients' data. The S$250,000 penalty against SingHealth reflected its status as the data controller with ultimate accountability but acknowledged that IHiS bore more direct operational responsibility for the technical failures.
The penalty against IHiS (S$750,000): The PDPC found that IHiS, as the data intermediary processing SingHealth's patient data, had failed in a series of specific technical and procedural obligations. IHiS bore the heavier penalty — three times the amount imposed on SingHealth — reflecting the PDPC's finding that IHiS had direct operational responsibility for the systems that were compromised and was the entity whose specific security failures (inadequate patching, weak access controls, inadequate monitoring, defective incident escalation) had enabled the attack to succeed. The combined S$1 million penalty was structured to hold both entities accountable: the controller for governance oversight failures, the processor for operational failures.
Significance of the combined S$1 million penalty: The combined penalty was the maximum available under the PDPA before the 2020 amendments, which raised the ceiling to 10% of annual Singapore turnover or S$1 million, whichever is higher. The fact that the PDPC imposed the maximum — or close to the maximum — sent a clear signal that the SingHealth breach was treated as the most serious data protection failure the Commission had encountered. The enforcement decision was published in full, including its technical analysis of the failures, making it a reference document for compliance officers, healthcare administrators, and cybersecurity practitioners across the Singapore economy.
Downstream regulatory changes: The PDPC enforcement action was one of several factors that contributed to the PDPA Amendment Act 2020, which significantly increased maximum penalties and introduced mandatory breach notification timelines. The 2018 SingHealth breach had demonstrated that the pre-2020 penalty ceiling of S$1 million was insufficient to create meaningful financial deterrence for large organisations — S$1 million was a small fraction of the operational budgets of SingHealth or IHiS. The post-2020 turnover-linked ceiling was designed to make the potential penalty scale with the organisation's resources.
10. The Digital Defence Pivot — Total Defence Sixth Pillar Addition
The addition of Digital Defence as the sixth pillar of Total Defence on 15 February 2019 was the most symbolically significant governance response to the SingHealth attack. It located cybersecurity not within the technical domain of IT departments or regulatory agencies but within the existential framework through which Singapore conceptualises national survival.
Total Defence as a governance framework: Total Defence was introduced in 1984 under the Ministry of Defence, drawing on the Swiss model of national resilience. Its founding five pillars — Military, Civil, Economic, Social, and Psychological Defence — were designed to move defence from a purely military concept to a whole-of-society obligation. Total Defence Day is observed annually on 15 February, the anniversary of Singapore's fall to Japanese forces in 1942 — deliberately chosen to anchor the framework in Singapore's most traumatic collective memory and to invest it with the emotional weight of existential threat. The Total Defence framework is taught in schools, referenced in national service training, and invoked regularly by political leaders as a way of framing diverse policy domains — from economic resilience to racial harmony — within the overarching vocabulary of national survival.
The decision to add a sixth pillar: The Ministry of Defence's announcement on 15 February 2019 that Digital Defence would become the sixth pillar of Total Defence was understood by commentators and officials alike as a direct response to the SingHealth attack. The framing of the announcement was explicit: in an age when critical services — healthcare, transport, banking, water, energy — were dependent on digital systems, the compromise of those systems represented a threat to national security equivalent to physical attack, economic disruption, or social fracture. Digital Defence was defined to encompass three dimensions: being digitally literate (understanding digital threats and safe digital practices), being proactive (actively protecting one's digital presence and that of one's organisation), and being resilient (able to respond and recover from digital attacks or disruptions).
Why this framing matters: The elevation of cybersecurity into the Total Defence framework had practical consequences beyond symbolism. It created an obligation on the Ministry of Education to integrate Digital Defence content into school curricula alongside the existing Total Defence modules covering the other five pillars. It gave MINDEF and CSA a shared platform for public communications on cybersecurity, embedding digital resilience in the national service training context. It created a political vocabulary in which cybersecurity failures — such as the SingHealth breach — could be framed as failures of national defence readiness rather than merely technical IT failures. This vocabulary shift had implications for accountability: an IT failure is a management problem; a national defence failure is a political and strategic problem.
SGSecure and the civilian dimension: The Digital Defence pillar complemented the SGSecure programme, launched in September 2016, which sought to mobilise the civilian population in counter-terrorism readiness and crisis response. SGSecure had already built infrastructure for civilian engagement in national security — training community first responders, building inter-racial cohesion as a counter to terrorism's divisive effects. The Digital Defence pillar extended this infrastructure into the cyber domain, positioning cybersecurity as a citizen responsibility analogous to knowing how to respond to a public emergency.
Subsequent implementation: In the years after the February 2019 announcement, the Digital Defence pillar was integrated into school-level Total Defence Day activities, which had previously focused on the five existing pillars through exercises such as civil emergency drills, economic scenario games, and social cohesion activities. CSA launched public campaigns under the Digital Defence banner emphasising password hygiene, phishing recognition, software update habits, and sceptical information consumption. The inter-agency collaboration between MINDEF, CSA, MCCY, and MOE in operationalising the Digital Defence pillar reflected the whole-of-government coordination that the SingHealth attack had demonstrated was necessary.
11. The Doctrinal Inheritance — Cybersecurity Act 2018, CSA Architecture, and the Public Sector Data Security Review
The SingHealth attack did not create Singapore's cybersecurity governance architecture — the Cybersecurity Act 2018 had been passed four months before the attack — but it validated and accelerated that architecture, revealing gaps that the Act's designers had not fully anticipated and driving a second-generation set of reforms that extended well beyond the immediate remediation of IHiS's failures.
The Cybersecurity Act 2018 and its relationship to the SingHealth attack: The Cybersecurity Act was passed by Parliament on 5 February 2018, four and a half months before the SingHealth exfiltration window of 27 June – 4 July 2018. This sequencing — statute before incident — is significant: it meant that the legal framework for handling CII incidents existed, but the incident revealed how it operated under real conditions and where its practical limitations lay. The Act's mandatory incident reporting obligation — requiring CII owners to report specified incidents to CSA within hours — was not fully operative at the time of the attack because the Act's commencement date was 31 August 2018, after the attack had already been contained. IHiS's obligation to notify CSA therefore operated under the pre-Act advisory framework, explaining some of the procedural uncertainty around the six-day notification gap.
The SingHealth attack had the practical effect of sharpening the implementation of the Cybersecurity Act's CII regime in the healthcare sector. CSA accelerated the formal designation of healthcare IT systems as CII following the attack, and IHiS became one of the first designated CII owners to undergo the full rigour of the Act's biennial audit and risk assessment obligations.
The Public Sector Data Security Review Committee (November 2019): The most significant governance reform triggered by the SingHealth attack beyond the immediate COI recommendations was the November 2019 report of the Public Sector Data Security Review Committee, chaired by Deputy Prime Minister Teo Chee Hean. This committee, established in the wake of SingHealth to examine the data security posture of the entire public sector, went far beyond IHiS and SingHealth to assess the data protection practices of all government ministries, statutory boards, and public-sector entities.
The committee's thirteen recommendations addressed: mandatory data security policies across all public agencies; designated Chief Data Officers with accountability for data governance; automated monitoring of data access and anomaly detection; tiered access controls based on data sensitivity; regular penetration testing by independent external parties; and incident response exercises. The Public Sector (Governance) Act 2018 was amended to introduce new criminal offences for public officers who misuse personal data, disclose it without authorisation, or re-identify it, with penalties of up to a S$5,000 fine and two years' imprisonment. The committee's report effectively created a public-sector equivalent of the PDPA regime — one administered through the Smart Nation and Digital Government Office rather than the PDPC, but with similar substantive obligations and penalties.
Cybersecurity budget uplift: Post-SingHealth, the Singapore government committed substantial additional funding to cybersecurity across the public sector. Budget announcements in 2019 and subsequent years referenced a S$1 billion-plus government investment in cybersecurity over the following years, though specific allocations across agencies were not publicly disaggregated. The uplift funded enhanced security operations centre capacity, endpoint detection and response technology, network monitoring tools, staff training, and independent security audits across CII-designated entities.
The Cybersecurity (Amendment) Act 2024: The 2024 amendments to the Cybersecurity Act — passed on 7 May 2024 — can be read as the second-generation legislative response to the SingHealth attack's lessons. The 2024 amendments extended CSA's regulatory perimeter to three new categories: Systems of Temporary Cybersecurity Concern, Entities of Special Cybersecurity Interest, and Foundational Digital Infrastructure (cloud and data-centre services). The extension to cloud infrastructure was directly responsive to the structural vulnerability revealed by SingHealth: the original CII regime assumed that designated systems were owned and operated by the designee, but the migration of healthcare and other systems to cloud platforms meant that a third-party cloud provider could be the proximate point of vulnerability even for a designated CII owner. See SG-D-32 for the full analysis of the cybersecurity governance architecture.
12. Conclusion
The SingHealth cyberattack of 2018 was, in the vocabulary that Singapore's governance culture most values, a forcing event: an incident that revealed truths about institutional performance that could not have been surfaced through routine review, and that generated political will for reforms that would otherwise have taken years to implement.
The incident combined several properties that gave it unusual governance leverage. It was large in scale — 1.5 million patients, approximately a quarter of Singapore's resident population. It was politically sensitive — the Prime Minister's records were specifically targeted. It was attributable to systemic organisational failures rather than exotic technical capabilities — the COI's findings of inadequate training, absent monitoring, delayed escalation, and weak access controls were things that any well-run IT organisation could correct. And it occurred against the backdrop of a Cybersecurity Act that had literally just been passed, making it simultaneously a test of new legal infrastructure and a demonstration of the gap between statutory design and operational reality.
The COI chaired by Richard Magnus was exemplary in its transparency and analytical rigour. Singapore has a strong tradition of post-incident Committees of Inquiry — the Mas Selamat escape (see SG-C-24), the Nicoll Highway collapse (see SG-C-15), the 2011 MRT breakdowns (see SG-C-26) — and the SingHealth COI upheld and arguably exceeded that tradition. The willingness to publish a detailed technical account of how a state-linked actor had breached the country's largest healthcare system, and to identify the specific organisational failures that enabled the breach, represented an unusual degree of institutional self-disclosure. Whether this transparency was primarily principled or primarily strategic — building public trust through acknowledged accountability — is a reasonable analytical question, but the functional effect was a high-quality public record that served the governance learning interest.
The limitations of the governance response are also worth noting. The non-attribution posture — declining to publicly identify the state-linked actor despite the Symantec Whitefly analysis — reflects the structural constraints that small-state strategic doctrine imposes on Singapore's accountability culture. Singapore can be transparent about its own failures; it is more constrained in its ability to publicly assign blame to external actors, particularly major powers. The PDPC penalties, while historically large at the time, were modest relative to the operational scale of SingHealth and IHiS, and the pre-2020 PDPA penalty ceiling was demonstrably inadequate as a deterrent for organisations of this size — a gap the 2020 amendments corrected.
The Digital Defence sixth pillar addition represents the most durable symbolic legacy of the attack. By embedding cybersecurity within the Total Defence framework — the deepest civic vocabulary in Singapore's national security discourse — the government signalled that cyber resilience is not a technical problem to be managed by specialists but a democratic obligation shared by every citizen, employer, and institution. Whether this symbolism translates into operational reality — whether the 1.5 million patients whose records were stolen in 2018 are meaningfully more cyber-resilient in 2026 — is an empirical question that Singapore's governance culture is not always comfortable asking aloud. But the framing itself was a significant act of governance imagination: an acknowledgment that the kind of attack Singapore had suffered was not an anomaly, but a new permanent condition of modern statehood.
Spiral Index
The SingHealth cyberattack sits at the intersection of five thematic threads that run through this corpus:
- The accountability architecture — The COI → PDPC → parliamentary statement sequence mirrors the layered accountability mechanisms applied to the Mas Selamat escape (SG-C-24) and the 2011 MRT breakdowns (SG-C-26): fact-finding, regulatory enforcement, and parliamentary scrutiny as parallel rather than sequential accountability channels.
- The PDPA architecture and its public-sector boundary — The enforcement action against SingHealth and IHiS tested and confirmed the PDPA's jurisdictional boundary at the private-company-public-ownership interface; see SG-D-31 for the full PDPA governance analysis.
- The cybersecurity governance architecture — The Cybersecurity Act 2018, IHiS as a CII-designated operator, and the 2024 amendments are analysed in SG-D-32, to which this document is a primary case study.
- The Total Defence doctrine — The Digital Defence sixth pillar addition is the cybersecurity dimension of the Total Defence evolution analysed in SG-I-20; the social and psychological mobilisation dimension connects to SG-D-29 (SGSecure).
- The small-state strategic posture — The non-attribution decision in the face of a state-linked intrusion against the head of government is a specific instance of the vulnerability philosophy and small-state doctrine analysed in SG-M-03 and SG-F-01.
Status: [COMPLETE]