Wake-up call for every Singapore SME that treats data as an afterthought: a hacking collective publicly claimed a breach of Novo Nordisk, stealing more than a terabyte of data and attempting a US$25 million extortion. The scale—source code, proprietary drug information, clinical trial files, employee records—should not be shrugged off as a big-company problem. It’s a mirror held up to every small firm that thinks it’s invisible.
Why this matters to local businesses
Wake-up calls echo differently here. Singapore’s tight ecosystem means supply chains interlock quickly; one compromised vendor can cascade risk across partners, clinics, labs and logistics. The group claimed months of access, strategic file harvesting, and even deliberation about “open sourcing” stolen material rather than selling it. That’s not theatre. That’s a deliberate tactic to coerce or punish organisations that refuse to pay.
Consider the emotional fallout: patients betrayed, employees anxious, executives scrambling to explain. A single exploit can dissolve trust built over years. That damage is often far more costly than any remediation bill.
What happened — in plain terms
According to public reporting, the adversary — a relatively new threat actor — spent over two months inside networks, exfiltrating files including trial data and internal AI models. When a ransom demand was not met, talks appeared to stall. The attackers then threatened resale or release. Importantly, some categories of data were reportedly withheld by the group for what it called a “harm-reduction strategy” — but that selective restraint offers no comfort. Operational technology and production details were noted but not published; that simply creates a persistent risk vector that can be weaponised later.
“This isn’t only about extortion. It’s about the long tail: reputational harm, regulatory scrutiny, and downstream liability.”
Real-world lesson — a short anecdote
A small healthcare practice in town believed backups and a single antivirus licence were enough. A contractor’s compromised credentials opened a door. Patient files leaked. The owner woke to angry calls, directors demanding answers, and a regulator asking for a data breach report within days. Recovery took months. Business that relied on referrals never fully recovered. That story repeats across industries. It’s not hypothetical.
Immediate actions for SMEs
Calmness helps, but speed matters more. If an organisation suspects a breach, these steps must be taken without hesitation:
- Isolate affected systems to prevent further spread. Do not power them down without preserving volatile evidence.
- Preserve logs and breadcrumbs. Capture network flow, authentication logs, and timestamps. Forensically sound evidence is critical.
- Notify relevant authorities promptly — local law enforcement and national agencies. In Singapore, regulators and data protection authorities expect timely reporting.
- Engage a qualified incident response team immediately. Internal attempts to handle advanced intrusions often worsen the situation.
- Communicate transparently with affected stakeholders. Silence creates speculation; clarity restores some control.
Practical cyber hygiene that actually prevents incidents
Prevention is not mystical. It’s methodical, mundane, and occasionally unpopular. But it works. Prioritise these items and implement them now:
- Multi-factor authentication across all privileged and remote access accounts. No exceptions.
- Network segmentation. Keep production networks, OT and R&D systems isolated from general office traffic.
- Least privilege access controls. Users only get what they need — and nothing more.
- Regular patching cadence. Patch management must be measurable and auditable.
- Frequent, tested backups stored offline or air-gapped. Test restores regularly, not just once a year.
- Vendor and third-party risk assessments. Supply chains are the new perimeter.
Triage, legal and reputational playbook
When an incident occurs, legal exposure and public perception are as urgent as technical containment. Notify the data protection commission if personal data is likely exposed. Prepare an incident statement: brief, factual, and empathetic. Assign a single spokesperson; mixed messages will erode trust.
Insurance can help, but policies must be reviewed before an incident. Many claims fail because the wording doesn’t match the reality of the breach. Know the limits; don’t assume blanket coverage.
Mindset shift — from reactive to resilient
This moment must catalyse a mindset change. Accept that breaches will happen. The question isn’t if, but when. What separates survivors from headlines is preparation and sober, decisive action. That includes tabletop exercises, documented incident response plans, and empowered leadership who will fund security properly — not as a checkbox, but as a business imperative.
Fear can paralyse. Anger can motivate. Use emotion productively: convert it into governance, into budget, into training. Staff must know how to spot phishing, executives must prioritise cybersecurity in board agendas, and IT must be measured on risk reduction outcomes, not just uptime.
Final call to action
Do not assume size equals immunity. The same tactics that hit a global pharmaceutical firm can be scaled down to cripple a regional supplier or clinic. Treat this event as a blueprint of attacker behaviour. Map the gaps. Close them. Engage professional responders. Notify authorities. Communicate clearly. And above all, learn fast.
Every organisation that handles data holds a duty of care. The stakes are not abstract; they are human. Patients, customers and employees deserve better. Prompt action now prevents long, painful reckonings later.