AXA Insurance has revealed it suffered a cybersecurity incident that compromised personal data of 5,400 customers in Singapore.
The breach affected users of its health portal including past customers, said its data protection officer, Eric Lelyon, in an e-mail Thursday to affected customers. No other alerts or notices were posted on its website.
Lelyon said the breach "exposed" the customer's e-mail address, date of birth, and mobile number, which was used to transmit one-time passwords (OTPs) when users transacted on the portal.
According to the portal, the OTPs were required for users to log into the site.
Lelyon said no other personal data was compromised, including credit card details, identification number, health status, and next-of-kin information. In his note, he said affected customers would not need to take any specific action, since the breach was "not likely to, on its own, expose you to identity theft".
Lelyon, though, urged users to be mindful of potential phishing attempts that aimed to extract additional personal data.
"In the unlikely event you feel that you may have inadvertently disclosed personal data as a result of a phishing attempt in the last few months, it is possible this could be connected to this hacking incident, and if so, we urge you to file a police report," he said.
Stressing the need to reduce the time to detect and respond to a breach, Bill Taylor-Mountford, LogRhythm's Asia-Pacific Japan vice president, said: "In this instance, there was no mention how long the attackers stayed within the system, but it is worrying that customers who may be targets of phishing attacks over the last few months were warned that it may be connected to this incident.
"The attack on AXA is another clear indication that cyber attackers will go after any industries. Attackers will inadvertently find a way to get in, therefore, it is more important to kick them out before they can do real damage," Taylor-Mountford said. He advised affected customers to change the password to the targeted e-mail account.
According to Fortinet, the compromised data could be used to launch secondary attacks targeted at affected customers. Hackers, for example, could use the information to send phishing e-mail or mobile text messages to trick users into giving up their username and passwords for other sensitive accounts, such as banking and social media details. They also might lure users into installing malware to gain access into the targeted AXA customers' PCs.
Lelyon said AXA Insurance had made a police report and was working with the authorities. He added that it had "taken all remedial actions" to safeguard its health portal and prevent a recurrence.
Ironically, the company in 2014 introduced an online risk insurance service in Singapore, touted to protect consumers and businesses against cyber threats.
Earlier this year, AXA Research Fund also pledged a grant of S$1.2 million over eight years to support a research programme that aimed to develop new ways of securing and protecting data and privacy. Led by a professor from Singapore Management University's School of Information Systems, the research was expected to create security models, algorithms, and analysis techniques to mitigate cybersecurity risks.