Credit card details, bank accounts & customer info leaked in Singtel vendor breach

Personally Identifiable Information of approximately 129,000 customers was accessed.

Joshua Lee | February 17, 2021, 10:08 PM

Singtel's investigation into the breach of a third-party vendor's file-sharing system (called FTA) has been completed.

The breach, which occurred in December 2020 and January 2021, was first announced earlier this month.

Here are the details of the exfiltrated data, established by Singtel so far:

  1. Personally Identifiable Information of approximately 129,000 customers containing NRIC and some combination of the following information: name, date of birth, mobile number, address
  2. Bank account details of 28 former Singtel employees
  3. Credit card details of 45 staff of a corporate customer with Singtel mobile lines
  4. Some information from 23 enterprises

Singtel has not established the identities of the parties who committed the data theft.

Singtel’s Group CEO Yuen Kuan Moon said in a statement, published on Feb. 17:

"I’m very sorry this has happened to our customers and apologise unreservedly to everyone impacted. Data privacy is paramount, we have disappointed our stakeholders and not met the standards we have set for ourselves."

Yuen added that Singtel is being "as transparent as possible and providing information that is accurate to the best of our knowledge", and supporting customers in mitigating the potential risks.

The firm said that it is reaching out to affected individuals. It has appointed a global data and information service provider to help affected customers monitor public websites and non-public places on the internet, and to notify them of any unusual activity related to their personal information.

This service has been provided at no cost to affected customers, and concerned customers can visit this link for more information.

Breach occurred on January 20

Singtel says that the third-party file-sharing system was the target of a "sophisticated cyber attack exploiting a previously unknown vulnerability".

Singtel was notified of the exploits in December 2020 and applied a series of patches to plug the vulnerability. In January this year, a new vulnerability emerged, rendering the previous patches ineffective.

Singtel then took the system offline on January 23.

When its attempt to patch the new vulnerability on January 30 did not work, Singtel's vendor, Accellion, raised the possibility of a breach. Later investigations confirmed that a breach occurred on January 20.

On February 9, Singtel established that files had been taken, and it informed the public on February 11.
