MyRepublic customer data compromised in third-party security breach

Singapore internet services provider says it was informed by "an unknown external party" of the security breach, which had occurred on a third-party data storage platform and affected 79,388 local mobile subscribers.

MyRepublic says almost 80,000 of its mobile subscribers in Singapore have had their personal data compromised, following a security breach on a third-party data storage platform. The affected system had contained identity verification documents needed for mobile services registration, including scanned copies of national identity cards and residential addresses of foreign residents. 

The "unauthorised data access" incident was uncovered on August 29 and the relevant authorities had been informed of the breach, said MyRepublic in a statement Friday. It pointed to industry regulator Infocomm Media Development Authority (IMDA) and Personal Data Protection Commission, which oversees the country's Personal Data Protection Act (PDPA). 

MyRepublic said personal data of its mobile customers were stored on the affected system, adding that "unauthorised access to the data storage facility" since had been plugged. The incident had been "contained", it said.

Asked how long it had used the third party's data storage service and whether it was a cloud-based service, MyRepublic told ZDNet it was unable to share these details, citing confidentiality. It also declined to say "for security reasons" if it was the only customer affected by the breach at the data storage facility. 

Constant review of third-party security critical as ransomware threat climbs

Lulled into complacency, businesses face risks of supply chain attacks even after they have done their due diligence in assessing their third-party suppliers' security posture before establishing a partnership.

Read More

Asked when it last assessed security measures implemented by the data storage vendor, MyRepublic did not specify a date, saying only that it "regularly" reviewed such measures for both its internal and external systems, including that of the third-party vendor implicated in the breach. 

MyRepublic also declined to reveal further details about how the data breach was discovered, saying only that it was informed of the incident by "an unknown external party" on August 29. It reiterated that the data storage facility since had been secured. 

It said it was contacting all mobile customers via email about the breach, but did not confirm when this would be completed. 

In its statement, MyRepublic noted that an incident response team had been activated, which included external advisers from KPMG in Singapore, and would work with the broadband operator's internal IT and network personnel to resolve the incident. 

Its own investigations determined that the unauthorised data access affected 79,388 of its mobile subscribers in Singapore. 

Apart from details of local customers' national identity cards, information from documents required to verify foreign workers' residential address, such as copies of utility bills, also were affected. The names and mobile numbers of customers porting an existing mobile service also were compromised. 

MyRepublic said there were no indications other personal data, such as payment details, were affected. It added that none of its systems were compromised.

It said affected customers would be offered a complimentary credit monitoring service, provided by Credit Bureau Singapore, which would monitor customers' credit report and send out alerts of suspicious activities. 

MyRepublic CEO Malcolm Rodrigues said in the statement: "My team and I have worked closely with the relevant authorities and expert advisors to secure and contain the incident, and we will continue to support our affected customers every step of the way to help them navigate this issue.

"While there is no evidence that any personal data has been misused, as a precautionary measure, we are contacting customers who may be affected to keep them informed and provide them with any support necessary," Rodrigues said. "We are also reviewing all our systems and processes, both internal and external, to ensure an incident like this does not occur again."

In a recent interview with ZDNet, MyRepublic said it was looking for new revenue in Singapore's enterprise space, and planned to ramp up its service offerings with particular focus on cybersecurity, where it might look to make acquisitions to plug product gaps. 

RELATED COVERAGE