Fullerton Health falls victim to data breach


Fullerton Health, an integrated enterprise healthcare provider headquartered in Singapore, announced on October 21 that its vendor’s server was hacked.

In a statement, Fullerton Health revealed that there had been unauthorised access to a server used by third-party service provider Agape CP Holdings, which helps make appointments for the healthcare provider.

As a result, personal data of customers were “potentially exposed”, including names, NRIC or identity numbers, contact details, and in a few cases bank account details or certain “limited” health-related information. The personal data were then put up for sale on hacking forums from October 11, but the posts were said to have been taken down on October 22.

Fullerton Health confirmed that none of its IT systems and databases have been affected by the incident, and that no credit card information, passwords, or data related to COVID-19 vaccinations done at its vaccination centres were exposed.

Agape, a social enterprise, said it suspended use of its server with immediate effect, and has taken steps to prevent further compromise. Fullerton, for its part, notified the Personal Data Protection Commission and lodged a police report.

The root cause and full extent of the breach are still under investigation. Fullerton said it has engaged a team of digital forensic and cybersecurity experts to help it investigate the matter.

Fullerton Health did not disclose how many individuals and companies were potentially affected by the data breach. According to various sources, the hackers managed to steal data of about 400,000 people, including insurance policy details of Singaporeans, employers, medical history, as well as personal details of the customers’ children.

Furthermore, a document shared by the hackers came with the letterheads of Fullerton and Singapore Airlines.

Asymmetric war

Commenting on the incident, Kamal Brar, Vice President and General Manager, Asia Pacific and Japan at Rubrik says: “It is important to remember that any organisation that falls victim to a cyberattack is just that, a victim. The truth is, there is no silver bullet to stop 100% of all cyberattacks. Some of the world’s largest businesses and government agencies have also been compromised, and they would all have had the latest anti-malware and perimeter security solutions.”

“The challenge is that the fight against cyber attackers is asymmetric. An organisation needs to stop all attacks to be successful, while a hacker only needs one malicious email to be clicked to completely compromise an organisation,” Brar explained.

“With this in mind, organisations need to look beyond their perimeter defences and consider how quickly they can remediate and get their business back up and running following an attack. The Singapore Computer Emergency Response Team explains that businesses need to maintain backup copies of their database and files on a regular basis. They further advise that businesses regularly monitor and review administrator-level accounts and privileges for access and activities,” he said.

Post-breach mindset

Eric Nagel, General Manager APAC at Cybereason, added: “The Fullerton Health data breach is a reminder about the critical need for businesses to have a post-breach mindset in combating cyber risks. What isn’t clear at this point is if Singapore Airlines was also victimised.”

Nagel recommended that everyone should assume threat actors will get in – because they eventually will – and stop them quickly. “Pushing them out of networks becomes essential to keep your customers and partners safe,” he said. “We look forward to hearing more from Fullerton in the days ahead as their insights could help other businesses from being victimised.”

“This data breach is a reminder that as consumers our personal information has been stolen many times over and sold on the DarkWeb. Only in time will consumers know if their personal information was used in an identity theft scam, or fraud was committed,” Nagel added.

Aiming at supply chains

Joanne Wong, Vice President, International Markets at LogRhythm chimed in as well: “We have been reminded, time and time again, that we cannot afford to let our guard down. In today’s increasingly connected world, organisations are inextricably linked to a network of partners that operate behind the scenes. With this comes unprecedented vulnerability; anyone could be a weak link. Moreover, malicious actors are already more likely to target smaller vendors, who tend to have limited resources and cybersecurity capabilities, as a means to gain access to larger, more influential targets like Fullerton Healthcare.”

“This attack has been particularly opportunistic, given the ongoing COVID-19 crisis and increased reliance on the healthcare industry, and serves as a stark warning for others operating in such critical sectors that they cannot take their cybersecurity for granted,” Wong noted.

“In Singapore, we are already moving towards adopting a zero-trust philosophy and an ‘assume-breach’ mindset, so that only trusted identities can access the right data and information. But we must move faster, and make even bolder moves to prioritise cybersecurity as a central plank in all our operations. Only when organisations develop a holistic cybersecurity strategy, and gain full visibility across their entire IT environment – including all their vendors – can they effectively detect and nip such threats in the bud,” she concluded.