You are here
70,000 members' data stolen, but Sias unaware for 5 years
HACKERS stole the personal data of 70,000 members of the Securities Investors Association of Singapore (Sias) in 2013 - yet for five years, the investor advocate had no clue about the breach.
Sias was informed of the attack only on Wednesday morning when the Cyber Security Agency of Singapore (CSA) paid it an unexpected visit.
CSA - formed in 2015 and involved in the probe into the massive hacking of SingHealth - informed the association that the names, NRIC and telephone numbers of about 70,000 of its members have been stolen and leaked, sometime back in 2013.
"This is really shocking. Five years later, we come to know,'' a clearly distressed David Gerald, Sias' founder and chief executive officer, told The Business Times.
In a late night media statement, CSA said it "received a tip-off email stating that SIAS members' personal information database might have been compromised". It added that the incident was not related to the SingHealth breach.
It said that as SIAS is not a public sector agency nor Critical Information Infrastructure, the Singapore Computer Emergency Response Team (SingCERT) reached out to SIAS to inform them and asked them to verify the situation.
CSA added: "We noted that SIAS website has some vulnerabilities hackers could have exploited. We alerted SIAS about technical issues in their website design so that they can take the necessary safeguards."
BT understands that hackers could have created a code and injected it into Sias' login page, which enabled the thieves to steal the information. It remains unclear if the cyber thieves are local or foreign entities.
The news comes several days after SingHealth - Singapore's largest group of healthcare institutions - disclosed that hackers stole the personal particulars of 1.5 million SingHealth patients. Of these, 160,000 people, including Prime Minister Lee Hsien Loong and a few ministers, had their outpatient prescriptions stolen as well.
Mr Gerald said the affected SIAS records were not tampered with, ie, no records were amended or deleted.
"We are truly very sorry this had happened even though we took precautionary measures. We are now offline," Mr Gerald said.
While investigations into the breach are being conducted, Sias has disabled its website. It will be launching a new website in a couple of days, after IT experts ensure there's no lingering malware and the site has been scrubbed clean.
"What we can do is to step up the robustness of our IT processes. They can outsmart us, but we must still continue to fight them,'' Mr Gerald said.
So far, there has been no report of any harassment of Sias' members, or detection that the stolen data has been used for commercial purposes.
Eugene Lee, director of business development at Connectivity Global, a local cybersecurity startup, said smaller companies make for easy targets as they often lack the resources, expertise and technical capability to defend themselves against illegal online intrusions. They also lack access to costly enterprise systems, resulting in less sophisticated technologies.
"With email being such an established tool for communication among businesses and reaching all levels of employment, hackers can easily access confidential information or install ransomware in companies' servers through unsuspecting employees on front-end devices," Mr Lee said.