You are here

Policyholders' data in AXA's health portal breached

Insurer apologises, says it has secured its portal and is reviewing its IT systems; police report made, MAS also investigating

The wave of cyber attacks on businesses has claimed another victim: Insurer AXA Singapore has had its health portal hacked into, and the personal data of 5,400 past and present policyholders compromised.


THE wave of cyber attacks on businesses has claimed another victim: Insurer AXA Singapore has had its health portal hacked into, and the personal data of 5,400 past and present policyholders compromised.

Following this cyber attack some months ago, AXA sent out an e-mail alert on Thursday, signed by its data-protection officer Eric Lelyon. In it, he apologised for the breach, and said the data exposed comprised the customers' e-mail address, mobile number, policy number of the health plan transacted and date of birth.

He said AXA has "confirmed that no other personal data was exposed"; particulars such as name, identification number, address, credit card or bank information, health status and claims history, among other details, were not compromised.

Market voices on:

No further action is required of the affected individuals because " the information that was compromised is not likely to, on its own, expose you to identity theft", Mr Lelyon wrote.

Together with the alert, AXA sent out an advisory to warn affected individuals to be vigilant, because the hacker or hackers could try phishing additional information from them.

AXA has filed a report; the police told The Business Times that "investigations are ongoing".

Jean Drouffe, chief executive of AXA Singapore said in a statement on Thursday: "AXA takes customer privacy very seriously, and we apologise to all our customers impacted by this incident. We wish to assure our customers that our health portal is now secure. A thorough review of our IT systems is under way. No financial or health data was compromised.

"On its own, the compromised data will not result in identity theft, but we nonetheless see the importance of alerting our impacted customers to be vigilant against potential phishing and risk of identity theft."

He said that the insurer has notified most of its affected customers and will reach the remaining ones by Friday. He added that customers who wish to contact AXA for information may do so through its hotline, +65 6880 5588, or by e-mailing

The Monetary Authority of Singapore (MAS), told of the breach, said: "MAS has asked AXA to initiate a thorough review of its IT security and to remediate control gaps. We understand that AXA has taken steps to address the vulnerability in its health portal. MAS takes a serious view of this incident and is investigating the matter."

When contacted, Anthony Lim, principal consultant at cyber security company Fortinet, noted that of the four pieces of information compromised, two were communication methods and the other two, pertinent data. This leaked information would make any phishing attempt more convincing, he said.

"Ninety per cent of people don't know what their insurance policy numbers are and that's scary, because the hackers can send a phishing e-mail with the correct policy number and sound authentic.

"The problem right now is that even if the insurer has a real electronic-notification exercise, customers won't take it seriously."

His advice to those affected is to ignore all electronic communication from the insurer relating to the affected policy or the portal. This could pose a problem to the insurer, but Mr Lim quipped: "It's okay to ignore, because when has anything important been done through e-mail?"

The Singapore edition of PwC's Global State of Information Security Survey (GSISS) 2017 reported that more than 80 per cent of businesses here have detected at least one security incident in the last 12 months. In more than a third of these breaches (35 per cent), customer records were compromised.

The study, done between April 4 and June 3 last year, stated that about 40 per cent of the 79 executives polled said their organisations had fallen victim to phishing in the past 12 months, making it the most pervasive cyber security and privacy threat faced by organisations in Singapore, the Asia-Pacific and globally.

In a 2016 report, PwC said a third (33 per cent) of businesses in Singapore had estimated that between S$100,000 and S$499,999 in financial losses came from security incidents.

The Cyber Security Agency of Singapore (CSA) said: "CSA is aware of the data breach of AXA's systems. We understand that the matter is still under investigation. Nevertheless, this incident is a reminder that companies that collect and hold customer data are an attractive target for cyber criminals. Hence, they need to make the appropriate risk assessment, prioritise cyber security and adopt pro-active measures to better protect themselves against cyber attacks."

AXA's cyber security incident comes to light two weeks after Singapore's financial sector underwent simulated terrorist and cyber attacks to check on the soundness of the plans in place for a crisis. The exercise involved 139 financial institutions such as banks, insurers, finance companies, industry associations, the Singapore Exchange and MAS.

This is not the first data breach involving an insurer. Last October, printer Toh-Shi Printing Singapore, hired by Aviva, was fined S$25,000 by the Personal Data Protection Commission Singapore (PDPC) for data breaches involving the insurer's policyholders. Nearly 7,800 policyholders received erroneous statements that disclosed the personal data of 8,022 individuals, including the policyholders' dependants.