StarHub and real estate group OrangeTee fall victim to data breaches

StarHub and OrangeTee have recently fallen victim to data breaches. According to the telco, personal information of more than 57,000 customers subscribed to StarHub before 2007 was discovered to have been uploaded illegally on a third-party data dump website. This surfaced following an online surveillance check on 6 July by its cybersecurity team. 

According to StarHub, the personal data is estimated to be around 14 years old, and the data file comprises identity card numbers, mobile numbers, and email addresses. No credit card or bank account information is at risk, nor have StarHub's information systems or customer database been compromised. At this time, StarHub said there is no indication that any data in this document has been maliciously misused.

The telco also attempted to have the document removed from the data dump site, and has since implemented a series of actions to protect customers’ interests from 6 July. These include activating an incident management team, engaging digital forensic and cybersecurity experts to launch an investigation, and reviewing existing security measures to protect its core infrastructure and systems. At the same time, StarHub is progressively notifying affected customers via email.

To safeguard the identity and personal information of affected customers, StarHub is offering six months of complimentary credit monitoring service through Credit Bureau Singapore, expected to complete by 20 August. While StarHub said there is no evidence to date that the said data has been used inappropriately, it is encouraging affected customers to sign up for this service after receiving its email notification.

CEO of StarHub Nikhil Eapen apologised for the incident, assuring that StarHub will be transparent and keep customers updated. He also said that the telco is “actively reviewing current protection measures and controls in order to implement and accelerate long-term security improvements”.

“Ensuring security is a key area we constantly work on for our customers. We have made substantial cybersecurity investments over the years, shoring up our cyber defences, and we will continue to stay vigilant in safeguarding our infrastructure and IT systems against cyber threats. We also work closely with the regulators on an integrated cyber posture that protects not only StarHub but our retail and enterprise customers as well. We assure our customers that StarHub will continue to take all protective measures to ensure their information is safe with us,” added Eapen. 

Meanwhile, real estate company OrangeTee’s holding company OT Group also fell victim to a data security breach on 6 August after it said it received an email from a third party claiming to have accessed its IT network. The Group said in a statement that it has reported the incident to relevant authorities and has also launched an investigation to assess if internal data could be compromised. The group said that it is currently working closely with cybersecurity experts to ascertain the nature and extent of the breach.

“Following the investigation, we will conduct a thorough review of our systems and processes to determine additional security measures that we can undertake to fortify them,” added OT Group.

OrangeTee was established in 2000 and merged with real estate consulting firm Edmund Tie & Company to form OrangeTee & Tie in 2017. It previously renamed itself from OrangeTee Holdings to OT Group in 2019 to reflect the unified identity with Edmund Tie & Co, as well as to reinforce its strategy to capture new opportunities in the real estate sector and advance its market position. Aside from OrangeTee & Tie, OT Group also comprises its advisory arm OrangeTee Advisory.

StarHub and OrangeTee’s data breaches follow a slew of similar incidents this year, from companies such as NTUC, SIA, Clubhouse and Singtel, among others. In December last year, the Singapore government proposed a fine of up to 10% of a company’s annual turnover in Singapore, or SG$1 million (whichever is higher), should a company be found guilty of a data breach. According to then communications and information minister S. Iswaran, the proposed amendments sought to strike a balance between consumers’ confidence that their personal data will be secure and used responsibly and organisations’ certainty to harness personal data for legitimate purposes, with the requisite safeguards and accountability, reported The Straits Times.
