Skip to main content

Advertisement

Advertisement

647 StanChart clients’ bank statements stolen

SINGAPORE — Bank statements of hundreds of Standard Chartered Bank’s premium clients were recently found to have been stolen from a server of a printing company — several months after the statements had been printed and sent out.

SINGAPORE — Bank statements of hundreds of Standard Chartered Bank’s premium clients were recently found to have been stolen from a server of a printing company — several months after the statements had been printed and sent out.

The unauthorised access of the information was discovered only after files containing data on the StanChart private banking clients were found in a laptop seized from James Raj Arokiasamy, who is facing charges of hacking into Ang Mo Kio Town Council’s website under the moniker The Messiah.

In a press statement yesterday, StanChart said the police has notified it of the theft of 647 of its Private Bank clients’ February bank statements. Nevertheless, it has not found any unauthorised transactions resulting from the incident.

StanChart CEO Ray Ferguson said in the statement: “The confidentiality and privacy of our clients are of paramount importance to us, and we take this incident very seriously. Customer data protection is our responsibility and we sincerely apologise to all our customers and specifically our Private Bank clients who have been affected.”

The police confirmed that the bank had lodged a report on Monday. Based on the bank’s investigations so far, the theft did not occur through its information technology and data security systems but through a server of a third-party service provider, Fuji Xerox, which StanChart engaged to print bank statements for its Private Bank clients.

Fuji Xerox Singapore CEO Bert Wong said his company deeply regretted the incident. “This is the first time in Fuji Xerox Singapore’s history that such an incident has occurred,” he said. He added that there was “unauthorised access by a third party” to a server which was dedicated to StanChart in a standalone printing facility. The company has taken “all appropriate action to protect the integrity” of its server systems. A forensic team is also conducting a thorough review.

Citing police investigations, StanChart and Fuji Xerox said they were unable to provide further information.

StanChart said it is contacting the affected clients, who form a “small portion of the total number” of customers using its private banking services. Wholesale banking clients, as well as customers from the small and medium enterprises and retail segments were not affected, the lender said.

It is not clear whether the theft was only of the 647 bank statements. StanChart reiterated that Fuji Xerox was engaged to print statements only for its private banking customers, who have a minimum of US$2 million (S$2.5 million) with the bank. Responding to media queries, Fuji Xerox Singapore Associate Director (Global Services) Paul Han confirmed that the company had conducted checks and found that none of the data from its other customers was at risk.

DATA THEFT ‘AN ISOLATED CASE’

The Monetary Authority of Singapore (MAS) described the incident as “an isolated case”. Nevertheless, it underscored the need for heightened vigilance in financial institutions, including close management of risks pertaining to service providers, the MAS said.

“Globally, financial institutions have been facing an increasing number and variety of cyber threats,” the authority added. “The MAS takes a serious view of such threats and has stringent requirements in place for financial institutions to protect the security of their IT systens and confidentiality of their client data.”

For example, regular vulnerability assessments and external audits are conducted. “The requirements apply regardless of whether such client data are processed in-house or at a third-party service provider,” the MAS said.

Since the incident was uncovered, the MAS has reminded all financial institutions to heighten vigilance to safeguard IT systems and customer information, including controls at third-party service providers. It is also paying “special supervisory attention” to financial institutions’ compliance with its requirement for IT outsourcing.

The authority will review StanChart’s investigation report and consider if regulatory action is warranted against the bank — which TODAY understands could involve directing the bank to improve its systems or possibly financial penalties.

TODAY understands that just last week, the MAS had sent a circular to financial institutions, reminding them to be vigilant on IT security.

It is understood that the authority is in the midst of establishing the list of clients who engage Fuji Xerox’s services and checking whether government agencies are among them. At least one non-bank financial institution is known to also use the company’s services.

When contacted, other banks declined comment on the incident as well as the precautions they take to safeguard client data.

IT security expert Anthony Lim noted that while encrypting banks’ client data was not foolproof, hackers tend to stay away from encrypted data as it would be difficult for them to know what information they are stealing. Mr Lim, who is a member of Application Security Advisory Board (ISC2), said it is a bank’s responsibility to ensure its service providers provide the same level of IT security as it does.

He added that for third-party printing companies, data should be deleted after they have been printed.

Read more of the latest in

Advertisement

Advertisement

Stay in the know. Anytime. Anywhere.

Subscribe to get daily news updates, insights and must reads delivered straight to your inbox.

By clicking subscribe, I agree for my personal data to be used to send me TODAY newsletters, promotional offers and for research and analysis.