Singtel apologises for data breach of its third-party vendor that affected 129,000 customers

SINGAPORE — Singtel on Wednesday (Feb 17) apologised for a Jan 20 data breach that led to the theft of personal data belonging to around 129,000 of its customers, 23 enterprises and several former staff, and has begun notifying affected parties to take action.

Said Singtel Group chief executive officer Yuen Kuan Moon: “While this data theft was committed by unknown parties, I’m very sorry this has happened to our customers and apologise unreservedly to everyone impacted.

“Data privacy is paramount, we have disappointed our stakeholders and not met the standards we have set for ourselves.”

Among the data taken by the attackers is personally identifiable information such as NRIC details and a combination of names, dates of birth, mobile numbers and addresses. Credit card details belonging to 45 staff of a corporate customer with Singtel mobile lines were also stolen.

A large part of the leaked data includes Singtel’s internal information that is non-sensitive, such as data logs, test data, reports and emails, said the telco.

“Singtel is moving with urgency to reach out to all affected individuals and corporate customers to keep them supported on how best to manage the variable risks involved,” the statement added.

The telco will also appoint a global data and information service provider, at no cost to customers, to provide identity monitoring services that will notify users if there is any unusual activity related to their personal information.

According to Singtel, the “sophisticated attack” on its third-party file sharing vendor Accellion FTA dates back to some time last December, when Singtel was first alerted to the exploits and promptly applied a series of patches provided by Accellion.

On Jan 23, Accellion informed Singtel that a new vulnerability had emerged that rendered the previous patches ineffective, leading Singtel to take the system offline.

Then, Singtel’s attempt to patch the new vulnerability on Jan 30 triggered an “anomaly alert”. Accellion then informed Singtel that the system could have been breached, and an investigation by Singtel later confirmed that an attack had occurred on Jan 20.

Singtel said that it later established on Feb 9 that files had been stolen as a result of the breach, and first revealed the breach to the public two days later, on Feb 11.

Said Mr Yuen: “Given the complexity and sensitivity of our investigations, we are being as transparent as possible and providing information that is accurate to the best of our knowledge. We are doing our level best to keep our customers supported in mitigating the potential risks.”

He added that Singtel’s core operations and functions remain unaffected by the breach, emphasizing that the attack occurred on a standalone system provided by Accellion.

He said: “Information security remains our highest priority and you have my commitment that we are conducting a thorough review of our systems and processes to strengthen them.”