StarHub suffers data breach, but says no system was compromised

Personal data including mobile numbers and email addresses of 57,191 customers have been found on a third-party data dump website, the Singapore telco says, adding that the leaked information appears to date back to 2007.

StarHub says personal data of its customers, including email addresses and mobile numbers, have been found on a dump site. The Singapore telco, however, insists none of its customer database or data systems has been breached. 

The data breach was discovered during a "proactive online surveillance" on July 6 by its cybersecurity team, StarHub said in a statement late Friday disclosing the breach.

On its website informing customers of the incident, the telco said it needed "time" to investigate the incident and assess the impact before confirming the breach publicly. The relevant authorities, however, were informed of the breach. 

According to its statement to local media, StarHub said an illegally uploaded file containing the leaked data was found on a third-party data dump website. It added that the information appeared to date back to 2007. 

The file contained mobile numbers, email addresses, and identity card numbers of 57,191 customers who had subscribed to StarHub's services before 2007, it said. Apart from broadband and mobile, the telco also offers pay TV services in Singapore. All affected customers were from its consumer business, it said.

When asked, a StarHub spokesperson would not say which of its customers were impacted or how many of these were existing customers. She also declined to reveal how often it conducted its online surveillance, citing "security considerations", saying only that the telco conducted such activities "regularly".

She would not provide details when asked if the telco had determined the cause of the breach, saying only that there currently were no indications of compromise on its existing systems. 

According to StarHub, no credit card or bank account details were breached, and there currently was "no indication" the leaked data had been "maliciously misused".

It also noted that none of the company's "information systems or customer database" was compromised. On its website, it said its investigation into the breach "verified the integrity of our network infrastructure".

The telco said an incident management team was assessing the breach and digital forensic and cybersecurity consultants were investigating the incident.

The telco said it had begun "progressively notifying" affected customers via email and was offering six months of complimentary credit monitoring services through Credit Bureau Singapore, to track if any data might be used inappropriately. The service monitors subscribers' credit reports and notifies them of various predetermined activities, including when enquiries are made on their credit file and if default records have been updated.

StarHub said it expected to take two weeks to notify all affected customers. It also noted that it "attempted" to have the data file removed from the dump site, but did not say if it succeeded in doing so.  

StarHub CEO Nikhil Eapen said in the statement: "Data security and customer privacy are serious matters for StarHub, and I apologise for the concern this incident may be causing our affected customers. We will be transparent and will keep our customers updated. 

"We are actively reviewing current protection measures and controls in order to implement and accelerate long-term security improvements," Eapen said. 

StarHub just yesterday announced its second quarter earnings, saying it clocked a 7.3% year-on-year climb in revenue to SG$486.7 million ($360.26 million).