Banks in Singapore have been told to tighten their customer data verification processes following the recent SingHealth security breach, which compromised the personal data of 1.5 million people.
The Monetary Authority of Singapore (MAS) said Tuesday it sent out a notice to all financial institutions in the country, instructing them not to depend solely on the types of information that had been illegally accessed in the cyberattack to verify customers' identity. These included full name, national identification number, address, gender, race, and date of birth.
Additional information should be used for verification before banks processed any transaction for the customer, the industry regulator said. This could include, for example, one-time passwords, PINs, and biometrics.
These measures aimed to mitigate any risk that data compromised as a result of the SingHealth security breach could be used to impersonate customers and conduct unauthorised financial transactions, said MAS.
It added that financial institutions were further instructed to conduct a risk assessment of the impact of the SingHealth incident on their existing control measures for financial services offered to customers, including transaction and inquiry functions.
Banks in Singapore already were required to implement two-factor authentication to identify customers at login for access to online services. An additional layer of control also had to be put in place to authorise high-risk transactions, such as opening of beneficial accounts, registration of third-party payee details, and revision of funds transfer limits.
"Financial institutions are to take immediate steps to mitigate any risks that might arise from the misuse of the compromised information. MAS will engage financial institutions on their risk assessments and mitigation steps," it noted.
MAS's chief cyber security officer Tan Yeow Seng said: "Customers must also play their part. They must safeguard their passwords and practise good cyber hygiene. If they suspect any fraudulent transactions in their accounts, they should notify their banks immediately."
In what is, to date, Singapore's most serious data breach, non-medical personal data of 1.5 million patients who visited SingHealth's specialist outpatient clinics and polyclinics between May 1, 2015, and July 4, 2018, were found to have been illegally accessed and copied. In addition, outpatient medical data of some 160,000 patients were compromised.
While the attack was detected on July 4, it was later established that data "was exfiltrated" from June 27. A police report was filed on July 12 and investigations were ongoing.