‘Third-party data storage platform’ behind MyRepublic breach, 80,000 customers impacted

KPMG deployed to work with internal IT and network teams to resolve incident

MyRepublic has cited unauthorised access on a “third-party data storage platform” as the primary cause of a data breach impacting 79,388 mobile subscribers based in Singapore.

The access took place on a platform used to store the personal data of mobile customers and to mitigate risk, the internet service provider has activated its cyber incident response team -- which includes a team of external advisors from KPMG -- to "work closely" with internal IT and network teams to resolve the incident.

According to a company statement, unauthorised access to the data storage facility has since been secured and the incident has been "contained".

The breach -- which took place on 29 August and was revealed to the media on 10 September -- has resulted in hackers potentially accessing identity verification documents related to customer applications for mobile services, impacting Singapore citizens, permanent residents and employment and dependent pass holders.

Exposed information includes scanned copies of both sides of National Registration Identity Cards (NRIC) housing name, date of birth and home address details, in addition to proof of residential address documents -- such as scanned copies of a utility bill -- for affected foreigners.

According to the Singapore-based provider, there is no indication that the breach affected other personal data such as account or payment information, with no systems compromised and no operational impact on company services.

“We are disappointed with what has happened, and I would like to personally apologise for any inconvenience caused,” said Malcolm Rodrigues, CEO of MyRepublic. “My team and I have worked closely with the relevant authorities and expert advisors to secure and contain the incident, and we will continue to support our affected customers every step of the way to help them navigate this issue.”

According to Rodrigues, MyRepublic has notified the Infocomm Media Development Authority and the Personal Data Protection Commission of the issue, and will continue to cooperate with those authorities going forward.

“While there is no evidence that any personal data has been misused, as a precautionary measure, we are contacting customers who may be affected to keep them informed and provide them with any support necessary,” he noted. “We are also reviewing all our systems and processes, both internal and external, to ensure an incident like this does not occur again.”

As noted by Alex Lei, senior vice president of Asia Pacific and Japan at Proofpoint, should personal information that was accessed be leaked, there could be a "marked increase" in smishing attacks, as well as identity fraud.

"We have seen text mobile scams grow during the pandemic, with cyber criminals using fraudulent branding combined with urgency and a request that a user click a malicious link," said Lei, when commenting on the incident. "Consumers trust mobile messaging and they are much more likely to read and access links contained in text than those in email."

The data breach comes weeks after MyRepublic rolled out a new suite of cyber security solutions designed in partnership with India-based global IT solutions provider Inspira Enterprise.

As reported by Channel Asia, the new suite of solutions includes cyber security consulting, incident response, data protection, vulnerability testing, managed firewall and managed endpoint.

The offering is targeted primarily at small- and medium-sized enterprises (SMEs) in Singapore, with the telco claiming that the new suite comes at a time when almost half of all reported crimes in the city-state are cyber crime related cases.

Indeed, the Cyber Security Agency of Singapore (CSA) last month flagged an increase in cyber threats, such as ransomware and online scams, during 2020.

The CSA’s latest report revealed that 89 ransomware cases were reported to the agency in 2020, representing a sharp rise of 154 per cent from the 35 cases reported in 2019. These cases affected mostly SMEs and hailed from sectors such as manufacturing, retail and healthcare.