Singtel breach compromises data of customers, former employees

Personal data of 129,000 customers, including birth dates and mobile numbers, as well as financial details of the Singapore telco's former staff and employees of a corporate customer have been leaked in a security breach involving a third-party file-sharing system.
Written by Eileen Yu, Senior Contributing Editor

Singtel has confirmed that personal details of 129,000 customers, as well as financial information of its former employees, have been compromised in a security breach that involved a third-party file-sharing system. Credit card details belonging to the staff of a corporate client and information tied to 23 enterprises, including suppliers and partners, also have been leaked in the incident. 

The announcement on Wednesday came just under a week after the Singapore telco revealed "files were taken" in an attack that affected a file-sharing system, called FTA, which was developed two decades ago by Accellion. Singtel said it had used the software internally and with external stakeholders. 

Following its investigations, the telco said compromised personal data belonging to 129,000 customers contained their identification number alongside some other data that included name, date of birth, mobile number, and physical address. 

Bank account details of 28 former Singtel staff and credit card details of 45 employees of a corporate client with Singtel mobile lines were also leaked. In addition, "some information" from 23 enterprises, including suppliers, partners, and corporate clients, was compromised.

Singtel would not offer further details on what exactly this information was, citing security reasons. 

The telco did say that a large part of the leaked data comprised internal information that was non-sensitive, such as data logs, test data, reports, and email messages.

It said it has begun notifying affected individuals and enterprises about the breach and was offering help to mitigate potential risks. This included arranging for a data service provider to provide identity monitoring services, at no additional cost to affected customers, who would be instructed on how to sign up for the service.

Singtel's group CEO Yuen Kuan Moon said: "While this data theft was committed by unknown parties, I'm very sorry this has happened to our customers and apologise unreservedly to everyone impacted. Data privacy is paramount. We have disappointed our stakeholders and not met the standards we have set for ourselves.

"Given the complexity and sensitivity of our investigations, we are being as transparent as possible and providing information that is accurate to the best of our knowledge," Yuen said, adding that its investigations were ongoing to ascertain the full extent of the breach. 

He noted that Singtel's core operations and functions were unaffected and it was conducting a "thorough review" of its systems and processes. 

Telco informed only recently of product's end-of-lifecycle date

ZDNet last week asked Singtel why it was still using FTA, a 20-year-old file-sharing product that Accellion said was nearing the end of its lifecycle, but the telco did not address the question.

On an updated FAQ posted on its website, Singtel noted it has continued to use the software since it was "still a current product offered and supported by Accellion". The telco revealed that Accellion only announced the product's end of life on January 28 this year, effective from April 30. 

Accellion released a statement on February 1 that said its FTA system was a legacy large-file transfer software nearing the end of its lifecycle. 

Singtel said: "It was unfortunate the attack occurred while we were conducting a review to upgrade or replace the product. And despite promptly updating the vulnerability patches provided by Accellion, the patches failed."

The telco last week said Accellion's first fix was deployed on December 24, while a second patch was applied on December 27. Accellion on January 23 pushed out another advisory citing a new vulnerability, against which the December 27 patch proved ineffective, according to Singtel. It said after finding this out, it then took the FTA system offline. 

A subsequent patch was provided on January 30 to plug a new vulnerability, which the telco said triggered an anomaly alert when efforts were made to deploy it. It was notified by Accellion that its system could have been breached on January 20 and, following its investigations, Singtel confirmed on February 9 that data had been compromised. 

