Singapore-based mobile and internet services provider MyRepublic reported on Friday, September 10, that the personal data of about 79,400 of its mobile subscribers were accessed by hackers.
The data breach was discovered on August 29, with an unknown external party obtaining unauthorised access to a third-party data storage platform used by MyRepublic to store identity verification documents relating to the application for mobile services.
According to MyRepublic, the data breach affects only mobile subscribers based in Singapore.The affected data storage platform contained the following identity verification documents related to customer applications for mobile services:
- For affected Singapore citizens, permanent residents, and employment and dependent pass holders – scanned copies of both sides of National Registration Identity Cards (NRIC). This includes name, address, date of birth, gender, race, place of birth, full NRIC number, photograph, thumbprint, date of card issue and (for employment passes and dependent passes) employer and nationality.
- For affected foreigners – proof of residential address documents (e.g. scanned copies of a utility bill, tenancy agreement or insurance policy), including name and address.
- For affected customers porting an existing mobile service – name and mobile number.
MyRepublic said there is no indication that other personal data, such as account or payment information, was affected. It has notified the Infocomm Media Development Authority and the Personal Data Protection Commission of the issue, and will continue to cooperate with those authorities.
MyRepublic has also activated its cyber incident response team, which includes external expert advisors such as KPMG in Singapore, to work closely with MyRepublic’s internal IT and Network teams to resolve the incident.
The Singapore-based telco said it will provide all affected customers with an offer to take up a complimentary credit monitoring service through Credit Bureau Singapore (CBS). Under this service, CBS will monitor MyRepublic customers’ credit reports and alert them of any suspicious activity.
Breach implications
Commenting on the incident, Alex Lei, Senior Vice President, APJ at Proofpoint says, “Should personal information that was accessed be leaked, there could be a marked increase in smishing attacks, as well as identity fraud. We have seen text mobile scams grow during the pandemic, with cybercriminals using fraudulent branding combined with urgency and a request that a user click a malicious link. Consumers trust mobile messaging and they are much more likely to read and access links contained in text than those in email. This level of trust paired with the reach of mobile devices makes the mobile channel ripe for fraud and identity theft.”
Joanne Wong, Vice President, International Markets at LogRhythm believes that such cyberattacks are now far from being the exception. “As Singapore ramps up momentum as a digital economy, the challenge has always been in securing our digital operations for the long-run. That being said, the telco industry is one that we can expect to have a bigger target on its back, given their access to a wide consumer database and critical role in maintaining communications infrastructure,” she observed.
Sumit Bansal, Managing Director of ASEAN and Korea at Sophos, maintains that it is becoming increasingly important to ensure that an organisations’ technology landscape is protected. “The infocomm and technology sector has always been critical to our lives, but over the past year its significance has increased dramatically as Singapore fights against the pandemic, and we all become heavily reliant on our mobile devices,” he said. “Sadly, this hasn’t stopped cybercriminals targeting the sector. We regularly see telecommunications as one of the top sectors prone to cyberattacks as personal details such as home addresses and identification records are highly prized by cybercriminals, so the warning signs are definitely there.”
Wong added: “As a digital-first nation, we need to get better at fending against these threats. We know from experience that there can be far-reaching implications of a single weak link, and cannot sit still and watch the same incidents happen time and time again. Organisations, especially in these essential sectors – need to be proactive and have oversight across their entire digital supply chain, including any third party vendors. Only when there is constant monitoring and surveillance, can they effectively identify and remediate threats with speed.”
Protection against attacks
“This goes hand in hand with the “assume breach” mindset, where we adopt a zero-trust philosophy,” Wong added. “Verification at every step ensures that only trusted identities have access to data and information, and incidents like these can be nipped in the bud from the onset.”
Lei recommends that users first ensure they are on the Do Not Call Registry and re-confirm their entry even if they believe that they previously signed up, as the registry also applies to text messages. “Consumers need to be very skeptical of mobile messages coming from unknown sources and should never click on links in text messages, no matter how realistic they look,” he advised.
“If you want to contact the purported vendor sending you a link, do so directly through their website and always manually enter the web address or URL,” said Lei. “For offer codes, type them directly into the site as well. It is also vital that you do not respond to strange texts or texts from unknown sources. Doing so will often confirm you’re a real person to future scammers.”
Bansal thinks that while the root causes of the attack on MyRepublic are still unclear, it serves as another reminder for the industry to improve its cyber resilience by investing in cybersecurity infrastructure to thwart attacks as well as cyber-awareness training for all employees.
“Although none of the service providers’ systems were affected, this latest attack has caused unnecessary distress to customers whose personal data was accessed and shows that cybercriminals know no boundaries and will do anything to wreak havoc. Mobile and internet service providers must leave no stone unturned to protect their technology infrastructure,” Bansal concluded.