Singtel says standalone third-party file-sharing system hacked

Vivienne Tay
Published Thu, Feb 11, 2021 · 05:02 PM

SINGAPORE Telecommunications (Singtel) on Thursday said unidentified hackers illegally attacked a third-party standalone system it uses to share information internally and with external stakeholders.

Customer information may have been compromised, the telco said in a bourse filing. It also noted that this is an isolated incident and its core operations remain unaffected.

Third-party vendor Accellion informed Singtel that the file-sharing system called FTA was hacked as part of a "wider concerted attack" against the system's users.

The enterprise content firewall provider said in a Feb 1 press statement that FTA, a 20-year-old product nearing the end of its life, was the target of a "sophisticated cyberattack".

It notified all FTA customers of the attack on Dec 23, 2020. The initial incident, which occurred in mid-December, was the beginning of a concerted cyberattack on the system which continued into January 2021.

In response to queries from The Business Times on the reason for the delay in the disclosure, a spokesperson from Singtel said Accellion had only informed Singtel of a potential breach after a patch applied on Jan 30 triggered an anomaly alert (see timeline). "Given the complexity of the investigations", it was confirmed only on Feb 9 that files were taken.

Timeline of events

  • Dec 23, 2020: Accellion informs FTA users about zero-day vulnerability.
  • Dec 24, 2020: Singtel installs Accellion patch to plug vulnerability.
  • Dec 27, 2020: Singtel installs last available patch provided by Accellion; no further patch provided after this date.
  • Jan 23, 2021: Accellion cites new vulnerability that Dec 27 patch is not effective against. Singtel immediately takes system offline.
  • Jan 30, 2021: Singtel attempts to install new patch to plug new vulnerability but receives an anomaly alert. System kept offline and investigations activated which confirmed Jan 20 breach.
  • Feb 9, 2021: Singtel establishes that files were taken as a result of the breach.

At this time, Accellion has patched all known FTA vulnerabilities exploited by the attackers. It has added new monitoring and alerting capabilities to flag anomalies associated with the attack vectors.

Singtel said it has suspended all use of the system and activated investigations, working closely with cybersecurity experts and the relevant authorities, including the Cyber Security Agency of Singapore - which is providing additional guidance.

The telco is conducting an impact assessment with the utmost urgency to ascertain the nature and extent of data that has been potentially accessed, it said. Its priority is to work directly with customers and stakeholders whose information may have been compromised to keep them supported and help them manage any risks.

"We will reach out to them at the earliest opportunity once we identify which files relevant to them were illegally accessed," Singtel added.

In its statement, Accellion said all vulnerabilities are limited exclusively to FTA. The company is known for its kiteworks platform - an enterprise content firewall which prevents data breaches and compliance violations from sensitive third-party communications. A majority of its clients reside on the platform, which is built on an entirely different code base. 

Frank Balonis, Accellion’s chief information security officer, said: “We have encouraged all FTA customers to migrate to kiteworks for the last three years and have accelerated our FTA end-of-life plans in light of these attacks.”

Accellion’s customers include government agencies, financial services providers, healthcare players and technology groups, according to its website. These include Deloitte, KPMG, Wirecard, the US Securities and Exchange Commission, the UK’s NHS, Nasa and Intel, to name a few.

Singtel is not the first Singapore company to be plagued by data breaches and cyberattacks. Just in October 2020, the personal information of 1.1 million RedMart accounts was stolen in a Lazada data breach.

The month before, cashback company ShopBack and budget hospitality firm RedDoorz said they were investigating data breaches of their IT systems that might have compromised their customers' personal data. Millions of user data records from ShopBack and RedDoorz were allegedly advertised for sale on underground hacker forums, BT later reported.

Other companies have also come under fire for leaving their systems vulnerable. Singapore's privacy watchdog meted out a S$10,000 fine to ride-hailing firm Grab after a 2019 update to its mobile app put the data of more than 21,000 drivers and passengers at risk of unauthorised access.

A severe misconfiguration also caused gaming hardware firm Razer to potentially expose the personal data of about 100,000 global customers. 

Singtel shares closed at S$2.38 on Thursday, down 0.8 per cent or S$0.02. 
