647 StanChart clients' data stolen

[SINGAPORE] The monthly statements of 647 of Standard Chartered Bank's private bank clients have been discovered on a computer belonging to alleged hacker James Raj Arokiasamy.

The police revealed last night that they had found the stolen data on the 35-year-old's laptop after arresting him last month and charging him with hacking a number of official websites.

The bank statements, which were for February this year, were stolen in March from one of the servers at Fuji Xerox Singapore, which prints these statements for StanChart's private bank clients.

To be a private banking client, StanChart customers must have at least US$2 million in assets managed by the bank. The monthly statements include information such as their account numbers, account balances and transaction details.

In a statement yesterday, the Monetary Authority of Singapore (MAS) said it was considering whether to take regulatory action against StanChart, even as it noted that the theft - believed to be the first such case here - was an isolated incident.

How the bank statements ended up in James Raj's laptop is unknown as police investigations are still ongoing. As of last night, he has not been charged for anything related to this incident.

StanChart, which made a police report on Monday, said that no unauthorised transactions had been found as a result of the theft. The bank also informed MAS that the incident had not compromised the bank's own IT systems or infrastructure.

StanChart has since contacted the affected clients "as a precautionary measure", adding that none of its wholesale banking clients, SME and retail customers have been affected.

Speaking at a hastily convened media briefing last night, StanChart chief executive officer Ray Ferguson issued an apology to all the bank's customers.

"The confidentiality and privacy of our clients are of paramount importance to us, and we take this incident very seriously. Customer data protection is our responsibility and we sincerely apologise to all our customers and specifically to our private bank clients who have been affected," he said.

Fuji Xerox CEO Bert Wong said the theft was the first in his company's history. "We share (StanChart's) concerns on the theft of information on the system, and deeply regret the incident. There was unauthorised access by a third party to the server, dedicated to Standard Chartered Private Bank, in a standalone printing facility," he said.

Despite Fuji being ignorant of the theft for eight months, Mr Wong said yesterday there has been no impact on the data of customers on any other systems of the company.

In response to separate queries by The Business Times, Fuji Xerox Global Services associate director Paul Han revealed that the data theft took place in March

. The company, however, only found out about the incident when StanChart informed it on Nov 28.

"We took action as soon as we were alerted to this. A professional forensic team has been engaged to conduct a thorough review of the unauthorised access and we have since heightened our vigilance and strengthened our security infrastructure," said Mr Han. Bound by client confidentiality, he could not say if other banks were among its clients. He would only say that "no other clients are at risk".

It is understood that Fuji Xerox Singapore is also contracted to print statements for one other non-bank financial institution (FI).

In its statement, MAS noted that, globally, FIs have been facing an "increasing number and variety" of cyber threats. "MAS takes a serious view of such threats and has stringent requirements in place for FIs to protect the security of their IT systems and confidentiality of client data," said the central bank.

These include regular vulnerability assessments, penetration tests and external audits of the effectiveness of their controls. These requirements, said MAS, apply regardless of whether such client data is processed in-house or at third-party providers.

The banking regulator added that this recent theft "underscores the need for heightened vigilance in financial institutions, including close management of risks pertaining to service providers".

MAS has since reminded all FIs to heighten their vigilance to safeguard their IT systems and customer information, including controls at third-party service providers. MAS also said it was paying "special supervisory attention" to FIs' compliance with its requirements for IT outsourcing.