12 M1 customer accounts accessed during website breach
SINGAPORE — Twelve M1 customers’ accounts were accessed in one incident when the telco’s website security was breached.
Personal information such as names and addresses was accessed but credit card and bank account details were not accessible, said M1 today (Sept 17) as it announced the preliminary findings of its investigation into a website security incident on Monday. It is in the process of contacting the customers.
“A security flaw existed in the design of an application programming interface in the customer authentication mechanism of our website. By changing data stored within a website ‘cookie’, this allows possible access to another customer’s personal information. A security patch was immediately developed and deployed which rectified the flaw,” said M1.
“Our independent security specialist has commenced penetration testing, post-implementation of the security patch. This will be followed by penetration testing by another independent specialist. We will also implement additional layers of protection to mask website cookies,” the telco said.
The security loophole was earlier detected by one of its customers — a computer science postgraduate student who said he was able to hack into the site and access personal data of the telco’s customers — causing the company to suspend all pre-orders for the new iPhones on Monday. M1 resumed accepting pre-orders 12 hours later and said that the loophole had been rectified. Yesterday, the Personal Data Protection Commission said it had contacted M1 and is investigating the matter.
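The class of flaw M1 describes, where data held in a cookie decides whose information the server returns, is sketched below as an added example; it is not M1's code, and the article does not publish the cookie format or the patch. The account ids, records, key and function names are all constructed, and the HMAC tag is one common way to make a client-held value tamper-evident, assumed here for illustration.

```python
import hashlib
import hmac

# Constructed sample data: ids and records are invented for illustration.
CUSTOMERS = {
    "1001": {"name": "Customer A", "address": "Address A"},
    "1002": {"name": "Customer B", "address": "Address B"},
}
# Hypothetical server-side secret; a real deployment loads this from a secret store.
SERVER_KEY = b"constructed-demo-key"


def lookup_trusting_cookie(cookie_value):
    """Flawed design: whatever id the cookie carries selects the record."""
    return CUSTOMERS.get(cookie_value)


def _tag(account_id):
    """HMAC-SHA256 over the account id, keyed with the server-side secret."""
    return hmac.new(SERVER_KEY, account_id.encode(), hashlib.sha256).hexdigest()


def issue_cookie(account_id):
    """Called only after a successful login: returns '<account_id>.<tag>'."""
    return f"{account_id}.{_tag(account_id)}"


def lookup_verified(cookie_value):
    """Hardened design: return a record only if the tag matches the id."""
    account_id, sep, tag = cookie_value.rpartition(".")
    if not sep or not account_id:
        return None  # missing tag or missing id: reject outright
    # Constant-time comparison on bytes, so odd input cannot raise or leak timing.
    if not hmac.compare_digest(tag.encode(), _tag(account_id).encode()):
        return None
    return CUSTOMERS.get(account_id)


if __name__ == "__main__":
    cookie = issue_cookie("1001")
    edited = "1002." + cookie.split(".", 1)[1]  # id changed, old tag kept
    print("unverified lookup, edited id:", lookup_trusting_cookie("1002"))
    print("verified lookup, own cookie:", lookup_verified(cookie))
    print("verified lookup, edited id:", lookup_verified(edited))
```

A signed value only proves the server issued it; expiry, revocation and a per-request check that the session may read the requested record still belong on the server side.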