Personal information of about 129,000 Singtel customers, comprising NRIC and some combination of name, date of birth, mobile number and address, was leaked following a recent breach of a third-party file sharing system. The telco recently completed initial investigations into the breach and established which files on the Accellion FTA system were accessed illegally.

Beyond the personal information, 23 enterprises were also impacted, including suppliers, partners and corporate customers. Additionally, bank account details of 28 former Singtel employees and credit card details of 45 staff of a corporate customer with Singtel mobile lines were also leaked. According to Singtel, a large part of the leaked data consists of the telco's non-sensitive internal information, such as data logs, test data, reports and emails. The telco has begun notifying all affected individuals and enterprises to help them and their staff manage the possible risks involved and take appropriate follow-up action.

Nonetheless, group CEO Yuen Kuan Moon said its core operations and functions "remain unaffected and sound" and this incident involves a standalone system provided by a third-party vendor. The telco added in a press statement that it is "moving with urgency to reach out to all affected individual and corporate customers" to keep them supported on how best to manage the variable risks involved.

At the same time, Singtel is also appointing a global data and information service provider to provide identity monitoring services at no cost to affected customers, to help them manage potential risks. It explained that the service monitors public websites and non-public places on the Internet, and notifies users of any unusual activity related to their personal information.

Singtel issued a statement on 11 February saying it was informed by third-party vendor Accellion that its file sharing system called FTA had been illegally attacked by unidentified hackers. Singtel explained previously that this is a standalone system that it uses to share information internally as well as with external stakeholders.

Yuen said while the data theft was committed by unknown parties, he is very sorry this has happened to Singtel's customers and apologised unreservedly to everyone impacted. "Data privacy is paramount, we have disappointed our stakeholders and not met the standards we have set for ourselves. Given the complexity and sensitivity of our investigations, we are being as transparent as possible and providing information that is accurate to the best of our knowledge," he added.

This is not the first time Accellion FTA has fallen prey to a data breach. Last December, Singtel was first alerted to exploits against the system and promptly applied a series of patches provided by Accellion to plug the vulnerability, the last patch being on 27 December. On 23 January this year, Accellion advised that a new vulnerability had emerged that rendered patches previously applied in December ineffective. Singtel immediately took the system offline.

Singtel said its attempt to patch the new vulnerability in the FTA system on 30 January triggered an anomaly alert. Accellion thereafter informed Singtel that the system could have been breached. Singtel’s investigations later confirmed this and identified 20 January as the date the breach occurred. The FTA system has been kept offline since 23 January. On 9 February, Singtel established that files were taken as a result of the breach and informed the public two days later on 11 February.

Singtel is among the companies that have fallen prey to cyber attacks in recent years. They include RedMart, COURTS, ShopBack, Marriott International, Zero1, and Love, Bonito. Last October, the Singapore government proposed to issue a fine of up to 10% of a company’s annual turnover in Singapore, or SG$1 million (whichever is higher), should a company be found guilty of a data breach. The local government has also had several data breach lapses, including the leak of over 800,000 blood donors' personal particulars due to mishandling of data by a vendor of the Health Sciences Authority.

