IHiS Senior Manager Mr Ernest Tan is in charge of the cyber security of infrastructure at his company. He told the Committee of Inquiry (COI): "I thought to myself: 'If I report the matter, what do I get?' If I report the matter, I will simply get more people chasing me for more updates. If they are chasing me for more updates, I need to be able to get more information to provide them."
In a message to an internal chat group, Mr Tan also said, "Once we escalate to management, there will be no day, no night." He also claimed to have been very stressed because his mother was hospitalized on the same day. By then, he was aware that attempts had already been made to access 100,000 patient records.
When asked why he did not alert management, one of the reasons Mr Tan gave was that he was too busy "isolating, containing and defending".
Are these the kind of people we want safeguarding our personal data? How can such negligence be allowed?