Personally identifiable information of at least 129,000 Singtel customers was exfiltrated following an attack on the telco’s systems via legacy FTA file sharing software from vendor Accellion.
The customer information that was exfiltrated contained National Registration Identity Card (NRIC) details and some combination of name, date of birth, mobile number and address.
Additionally, the bank account details of 28 former Singtel employees, the credit card details of 45 staff of a corporate customer with Singtel mobile lines and some information from 23 enterprises were also exfiltrated as a result of the attack and subsequent data breach.
Details of the range and volume of the data exfiltrated in the attack come as Singtel completes its initial investigations into the breach of the third-party file sharing system. The company said it had started reaching out to affected stakeholders.
“Based on investigations and analysis conducted so far with the help of cyber security experts, the company has established which files on the Accellion FTA system were accessed illegally during the breach and which stakeholders have been impacted,” Singtel said in a statement.
“The data taken includes consumer information containing varying combinations of personally identifiable information. Twenty-three enterprises have also been impacted. These include suppliers, partners and corporate customers.
“A large part of the leaked data includes Singtel’s internal information that is non-sensitive such as data logs, test data, reports and emails. Singtel has begun notifying all affected individuals and enterprises to help them and their staff manage the possible risks involved and take appropriate follow-up action,” the company added.
Singtel said it was moving with urgency to reach out to all affected individual and corporate customers to keep them supported on how best to manage the variable risks involved.
The company has also appointed a global data and information service provider to provide identity monitoring services to affected customers to help them manage potential risks – the company stressed these services would be offered at no extra cost to customers.
According to Singtel, the services on offer monitor public websites and non-public places on the internet and notify users of any unusual activity related to their personal information.
“While this data theft was committed by unknown parties, I’m very sorry this has happened to our customers and apologise unreservedly to everyone impacted,” Singtel’s Group CEO Yuen Kuan Moon said. “Data privacy is paramount; we have disappointed our stakeholders and not met the standards we have set for ourselves.
“Given the complexity and sensitivity of our investigations, we are being as transparent as possible and providing information that is accurate to the best of our knowledge. We are doing our level best to keep our customers supported in mitigating the potential risks.
“I’d like to thank our customers and partners for their patience and understanding as we continue our cyber and criminal investigations to understand the full extent of this breach. I want to emphasise that our core operations and functions remain unaffected and sound and this incident involves a standalone system provided by a third-party vendor,” he added.
Singtel first revealed the attack and the resulting breach on 11 February. The legacy Accellion FTA software, which Singtel used as a third-party file-sharing system, was the target of the "sophisticated" cyber attack exploiting a previously unknown vulnerability.
When first alerted to exploits against the system last December, Singtel applied a series of patches provided by Accellion to plug the vulnerability, the last patch being on 27 December.
On 23 January this year, Accellion advised that a new vulnerability had emerged that rendered patches previously applied in December ineffective. Singtel said it immediately took the system offline.
On 30 January, Singtel’s attempt to patch the new vulnerability in the FTA system triggered an anomaly alert, after which Accellion informed Singtel that the system could have been breached.
Singtel’s investigations later confirmed the breach and identified 20 January as the date the breach occurred. The FTA system has been kept offline since 23 January, the company said. Singtel said it established on 9 February that files were taken as a result of the breach, two days before it informed customers of the breach.
The Reserve Bank of New Zealand (RBNZ), the Australian Securities and Investments Commission (ASIC) and Singapore telco giant Singtel are among those to have recently fallen victim to attacks using the vendor’s legacy FTA software as a vector.