Data breach: Roughly 129K of Singtel customers’ personal information leaked

Around 1,29,000 Singtel customers’ personal information has been leaked following a recent breach on a third-party file-sharing system. This included customers’ names, date of birth, mobile numbers, and addresses. Singtel completed their initial investigations into the recent breach and established the files on the Accellion FTA system that were being accessed illegally. 

Besides the personal information, 23 enterprises also have been impacted, like the suppliers, partners and corporate customers. The bank account details of 28 former Singtel employees and the credit card details of 45 staff of a corporate customer with Singtel mobile lines also were leaked. 

Singtel said that a large part of the leaked data includes its internal information which is non-sensitive like data logs, test data, reports and emails. In a press statement, Singtel mentioned that based on the investigations and analysis by cybersecurity experts, it seems like the data taken includes customer information consisting of different combinations of personality identifiable information. 

“While this data theft was committed by unknown parties, I’m very sorry this has happened to our customers and apologise unreservedly to everyone impacted. Data privacy is paramount, we have disappointed our stakeholders and not met the standards we have set for ourselves,” said Singtel’s Group CEO Mr Yuen Kuan Moon. “Given the complexity and sensitivity of our investigations, we are being as transparent as possible and providing information that is accurate to the best of our knowledge. We are doing our level best to keep our customers supported in mitigating the potential risks.”  

Singtel is also appointing a global data and information service provider that will help in identity monitoring services at no cost to affected customers that will help in managing potential risks. 

Yuen added, “I’d like to thank our customers and partners for their patience and understanding as we continue our cyber and criminal investigations to understand the full extent of this breach. I want to emphasise that our core operations and functions remain unaffected and sound and this incident involves a standalone system provided by a third-party vendor. Information security remains our highest priority and you have my commitment that we are conducting a thorough review of our systems and processes to strengthen them.”  

Boris Cipot, Senior Security Engineer, Synopsys Software Integrity Group, commented on the breach, saying: “Defining a highly effective security strategy is not only about keeping attackers away from your resources; it’s also about preparing for potential worst case scenarios in the event that attackers do succeed. As recent events have shown us, Singtel and their file-sharing supplier, Accellion, were prepared.”

Upon the realisation of having been breached, Accellion notified customers, issued a press release disclosing the situation, and notified authorities. They’ve halted the use of the breached system so that they may take appropriate steps to investigate how the breach took place and the resulting impact to their business and their customers.”

According to Cipot, organisational security strategies must account for all internal and external resources in use. “The level of maturity that your vendors’ security strategies have implemented can directly affect your organisation’s security stance as well, as this event has illustrated,” he suggested.

In the last couple of years, Singtel is among the companies that have been affected by cyberattacks. Others include RedMart, COURTS, ShopBack, Marriott International, Zero 1, and Love, Bonito. The Government of Singapore had proposed to issue a fine of up to 10 percent of a company’s turnover or S$1 million, if an organization was found guilty of a data breach.