1.2b passwords stolen; no breach reported in S’pore

SINGAPORE — There have been no reports of individuals or websites in Singapore being affected by the massive cyberattack that saw about 1.2 billion usernames and passwords stolen globally, said the Infocomm Development Authority of Singapore (IDA) yesterday. The nation’s security incident response team remains in talks with the United States authorities to identify affected parties here, the IDA added.

“So far, there have been no reports of breaches in Singapore,” said the Singapore Computer Emergency Response Team (SingCERT), an IDA unit, in a statement yesterday. “Government agencies are also on the alert to detect possible unauthorised access to government systems and data.”

The statement by the nation’s security incident response team came following reports on Tuesday that US-based Hold Security had discovered what might potentially be the largest heist of Internet credentials.

About 1.2 billion usernames and passwords and more than 500 million email addresses were stolen using vast networks of malware-infected computers, Hold Security said. The haul included confidential material from 420,000 websites, ranging from “Fortune 500 companies to very small websites”, the firm was quoted as saying.

Hold Security did not name the victims but, given the scale of the breach, it is likely users and websites in Singapore may have been affected, cybersecurity experts told TODAY.

“With 1.2 billion accounts and 420,000 websites affected, almost all Web users would be affected in some way and it would be reasonable to assume some would be in Singapore,” said Mr Bryce Boland, FireEye’s chief technology officer for Asia-Pacific.

Mr Anthony Lim, vice-chair of the Application Security Advisory Board at not-for-profit association for information security professionals ISC2, concurred. “Given the horrendously large (amount) of account information stolen, the probability of some Singapore account holders’ credentials being in there is not zero. While it is not clear if Singapore account bases were targeted, nowadays, it is possible, (given) that many Singaporeans sign up for overseas-based e-services, including Facebook ... We are not sure exactly which organisations’ account bases were stolen … but it is quite doubtful that Singapore e-services or organisations were specifically targeted.”

The attack by the Russian hackers is the latest in a string of major cybersecurity breaches reported in the past year. Last December, Eastern European hackers stole about 40 million credit-card numbers from US retail giant Target.

Closer to home, the IDA revealed in June that 1,560 SingPass accounts had been compromised. Investigations revealed that no vulnerabilities in the system had been uncovered, said Minister for Communications and Information, Dr Yaacob Ibrahim, last month, adding that the Government would implement steps to tighten security for online services.

“The big question is, in today’s world, where there is a nearly 20-year maturity of IT/network security solutions in place … ‘Why do such things continue to happen and in such scary mammoth proportions?’ It seems quite obvious that security solutions in place are still not totally adequate despite their maturity or there is a new loophole,” said Mr Lim.

Mr Boland added: “Singapore still has a long way to go in the fight against malware-based attacks. Regulators or Internet service providers here can implement technologies to detect and block malware on behalf of consumers — a method that has proved effective in Scandinavia.”

He suggested that Web users take steps to protect themselves by using different passwords for various sites.

Gartner’s principal research analyst Anmol Singh agreed that passwords need to be rotated more diligently. “Companies and websites also need to move away from the username-and-password-based model to a more multi-factored authentication that includes, for instance, biometrics.”

The private sector must also step up its efforts to strengthen defences against cybercrime, PwC’s IT Risk and Cybersecurity leader Tan Shong Ye cautioned.

“With the introduction of the Personal Data Protection Act, organisations are now legally required to implement adequate measures to secure personal data, failing which organisations and their officers, including directors, may be liable to fines and even criminal charges,” said Mr Tan.
