Data of 129,000 Singtel customers, 23 enterprises leaked in cybersecurity breach

PERSONALLY identifiable information of 129,000 Singtel customers, including their NRIC numbers, as well as the data of 23 enterprises has been leaked in a cybersecurity breach of a third-party file-sharing system that the telco uses.

Singtel is now reaching out to all affected individual and corporate customers (including suppliers and partners) to support them in managing the risks involved. It will appoint a global data and information service firm to provide identity monitoring services for free to these affected customers, it announced in a Wednesday bourse filing after the market close. The service monitors public websites and non-public places on the internet, and notifies users of any unusual activity.

Singtel had previously disclosed on Feb 11 that unidentified hackers had illegally attacked a third-party standalone system it uses to share information internally and with external stakeholders.

In its filing on Wednesday, Singtel provided the findings of its investigation into the incident. The customer data leaked contains NRIC numbers and includes some combination of the following information: name, date of birth, mobile number or address.

In addition, the credit card details of 45 staff of a Singtel mobile lines corporate customer, as well as the bank account details of 28 former Singtel employees were also leaked.

Singtel's Group chief executive Yuen Kuan Moon apologised for the data theft by parties unknown: "I'm very sorry this has happened to our customers and apologise unreservedly to everyone impacted. Data privacy is paramount, we have disappointed our stakeholders and not met the standards we have set for ourselves."

GET BT IN YOUR INBOX DAILY

Start and end each day with the latest news stories and analyses delivered straight to your inbox.

Sign UpVIEW ALL

He added: "Given the complexity and sensitivity of our investigations, we are being as transparent as possible and providing information that is accurate to the best of our knowledge. We are doing our level best to keep our customers supported in mitigating the potential risks."

Accellion FTA, a third-party file-sharing system which Singtel used, was the target of a sophisticated cyber attack exploiting a previously unknown vulnerability. Singtel was first alerted to exploits against the system last December, following which it applied a series of patches provided by Accellion.

But on Jan 23, Accellion said that a new vulnerability had emerged, which rendered the patches applied in December ineffective. Singtel immediately took the system offline.

On Jan 30, Singtel's attempt to patch the new vulnerability in the system triggered an anomaly alert. Accellion informed the telco that the system could have been breached. Singtel's investigations later confirmed this and identified Jan 20 as the date of the breach.

On Feb 9, Singtel established that files were taken as a result of the breach and informed the public two days later.

Shares of Singtel closed at S$2.40 on Wednesday, down 0.83 per cent, before the announcement.