
Top Cybersecurity Breaches in Singapore

Find out more about cyber security breaches reported in Singapore and their impact.

Over the past decade, there have been numerous high-profile cybersecurity breaches and leaks affecting companies locally and around the world.

In 2021, several companies in Singapore were fined a total of $75,000 for breaches and lapses that affected more than 600,000 people's personal data, including names, contact numbers and in some cases, financial information. These incidents have resulted in not only the loss of sensitive data but also financial and reputational damage to the affected organisations.

In this article, we take a closer look at the cyber security breaches and leaks that made it to local news and what lessons we can learn from them.

Year of News Coverage of Breach | Company (Period of Breach) | No of Victims | Compromised Data




Carousell (Oct 2022)

1.95 mil user accounts

Usernames, First and Last Names, Email Addresses, Phone Numbers, Country of Origin, Date of Account Creation and Number of Followers

(Found to be put up for sale on Dark Web, hacking forums for $1,000)

Investigations revealed that:

  • A bug was introduced during a system migration and used by a third party to gain unauthorised access. Hackers said the database was obtained through a vulnerability that granted them partial access control of Carousell's systems

Carousell was reported to have taken the following remediation actions:

  • Contacted all affected users and advised them to look out for any phishing emails or SMSes and not to respond to any communication that asks for information such as passwords



Starbucks (Sep 2022)



Names, Residential and Email Addresses

(Found to be put up for sale on an online forum for $3,500)

Following the incident, Starbucks was reported to have taken the following actions:

  • Emailed affected customers notifying of breach

  • Taken reasonable steps to protect the customer's information

Investigations are believed to be ongoing




GeniusU (Nov 2020)

1.2 mil customers

First and last names, e-mail addresses, location information and last sign-in IP addresses

Investigations revealed that:

  • The login credentials for a GeniusU database containing the personal data of its users were stored in code hosted on GitHub, a software development platform

  • Hackers gained access to a GeniusU developer's GitHub account, found the login credentials of the GeniusU database and stole the personal data of its users

  • The breach is likely caused by a compromised account belonging to one of its developers who either used a weak GitHub password or had his password compromised

  • Users' personal data should not be stored in testing environments as they are known to be less secure than production environments or live systems that platforms operate in

Following the incident, GeniusU was fined $35,000. It was reported to have taken the following remediation actions:

  • Refreshed the login credentials to the breached database, removed all hard-coded credentials from its code on GitHub and cleared existing login sessions

  • Removed all personal data from non-production environment servers, implemented multi-factor authentication for all work-related accounts and standardised cyber-security policy and related procedures for all staff

The fine levied appeared to be at the lower end of the scale considering the number of users affected, as the leak did not include more sensitive information such as financial or health data. GeniusU's voluntary admission, cooperation and swift action were also considered.




RedMart (Oct 2020)

898,791 user accounts

Names, Email Addresses, Encrypted Passwords, Phone Numbers, Partial Credit Card Numbers

Investigations revealed that:

  • An unidentified threat actor gained access to RedMart's AWS Cloud via a compromised staff account and exfiltrated a RedMart-only legacy database that has not been updated or linked to Lazada's database after RedMart was acquired by Lazada in 2016.

Following the incident, RedMart was fined $72,000. It was reported to have taken the following remediation actions:

  • Deleted compromised user accounts

  • Forced logouts, password reset for accounts of all affected customers and sellers

  • Implemented database authentication for all databases containing personal data

  • Restricting access to sensitive database




MyRepublic (Aug 2021)

79,388 customers

Scanned copies of both sides of NRICs, workpasses & proof of residential addresses

Investigations revealed that:

  • The access key used to access the AWS Cloud bucket that stored the personal data of MyRepublic's customers was compromised

Following the incident, MyRepublic was fined $60,000. It was reported to have taken the following actions:

  • Replaced its AWS Cloud bucket access key, removed environment configuration files that exposed the access key and restricted access to buckets to specific IP addresses

  • Engaged in a month of dark web monitoring to verify whether the stolen data was published

  • Contacted affected customers to provide support and recommended actions to minimise the risk of identity fraud and social engineering attacks

  • Offered affected customers six months of complimentary credit monitoring service through Credit Bureau Singapore to allow them to monitor their credit report and alert them of any suspicious activity




StarHub (Jul 2021)

57,191 customers

Identity Card Numbers, Mobile Numbers and Email Addresses

Investigations revealed that:

  • StarHub's cyber security team discovered the data breach (an illegally uploaded file containing its customers' personal data on a third-party data dump website) when it was performing online surveillance

StarHub was reported to have taken the following remediation actions:

  • Progressively notifying affected customers via e-mail over the next 14 days

  • Offered affected customers six months of complimentary credit monitoring service through Credit Bureau Singapore to safeguard affected customers' identity and personal information

  • Activated an incident management team to assess and contain the situation

  • Engaged a team of leading digital forensic and cyber-security experts to launch an investigation

  • Attempted to have the document removed from the data dump site

  • Took immediate and appropriate actions to review existing security measures to protect core infrastructure and systems




SingTel (Dec 2020)

129,000 customers, 23 enterprises (including Suppliers, Partners, Corporate Customers)

NRIC Numbers, Name, Date of Birth, Phone Numbers or Address

Test Data, Reports, Data Logs and Emails

Credit Card Details of

45 staff of a SingTel mobile line corporate card customer

Bank Account Details of

28 former employees

(A ransom of $250,000 worth of bitcoin was requested by the Clop group hackers)

Investigations revealed that:

  • Accellion File Transfer Appliance (FTA), a standalone, third-party file sharing system used by SingTel to share information with internal and external stakeholders, was the target of a sophisticated cyber attack exploiting a previously unknown vulnerability

  • Accellion was quoted to have alerted and provided patches to SingTel after discovering the new vulnerability and potential breach. The system was immediately taken offline but it was established that files were taken as a result of the breach and data of the victims were leaked

SingTel was reported to have taken the following remediation actions:

  • Conducted an impact assessment with urgency to ascertain nature and extent of data that has been potentially accessed

  • Reached out to all affected individual and corporate customers via mail or post about what personal details were accessed and how they can best manage the risks involved

  • Appointed a global data and information service firm to provide identity monitoring services for free to affected customers. The service monitors public and non-public spaces on the internet and notifies users of any unusual activity




RedDoorz (Sep 2020)

5.9 mil customers

Names, Contact Numbers, Email Address, Date of Birth, Hashed passwords and their Booking Information

(Found to be put up for sale on a hacker forum)

Investigations revealed that:

  • Hackers accessed RedDoorz's database hosted on AWS Cloud after obtaining its access key. The access key was embedded in an Android application package (APK) created by Commeasure, RedDoorz's site operator in 2015 to install the RedDoorz app.

  • The problem arose when Commeasure's access key was mislabeled as a "test key" and AWS' advice not to embed access keys directly into code was ignored

Following the incident, Commeasure was fined $74,000. It was reported to have taken the following actions:

  • Separated the accounts for production and staging environments for all AWS services, only allowed white-listed Internet Protocol addresses to access its live databases

  • Having two-factor authentication in place for all the tools and accounts used by developers

  • Informed affected customers of the breach and advised them to change their RedDoorz account passwords as a precaution and avoid using the same passwords on other online platforms
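The GeniusU, MyRepublic and RedDoorz entries above share one root cause: a credential sitting in code, a configuration file or a shipped APK. The following is an added example, not code from any of the companies named, of a pre-release check that scans files and zip containers such as APKs for AWS access key IDs and quoted credential literals; the file names and sample contents are constructed, and the patterns are assumptions that will not catch every secret format.

```python
import io
import re
import zipfile

# AWS access key IDs: AKIA (long-term) or ASIA (temporary) plus 16 characters.
AWS_KEY_ID = re.compile(rb"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# Quoted literals assigned to credential-like names, e.g. DB_PASSWORD = "...".
ASSIGNMENT = re.compile(
    rb"(?i)\b[a-z0-9_]*(?:password|passwd|secret|token)[a-z0-9_]*\s*[:=]\s*[\"']([^\"'\s]{8,})[\"']"
)


def redact(value):
    """Keep a 4-character prefix so the report does not itself leak the secret."""
    text = value.decode(errors="replace")
    return text[:4] + "*" * (len(text) - 4)


def scan_bytes(name, data):
    """Return (location, kind, redacted_value) findings for one blob of bytes."""
    findings = [(name, "aws-access-key-id", redact(m.group(0)))
                for m in AWS_KEY_ID.finditer(data)]
    findings += [(name, "hardcoded-credential", redact(m.group(1)))
                 for m in ASSIGNMENT.finditer(data)]
    return findings


def scan_artifact(name, data):
    """Scan a file; zip containers (APK, JAR) are opened and each entry scanned."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return scan_bytes(name, data)
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for entry in archive.namelist():
            findings += scan_artifact(f"{name}!{entry}", archive.read(entry))
    return findings


def build_sample_apk():
    """Constructed stand-in for an APK: a zip holding a properties file and a dex blob."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        # AKIAIOSFODNN7EXAMPLE is the placeholder key ID used in AWS documentation.
        apk.writestr("assets/config.properties", "aws.accessKeyId=AKIAIOSFODNN7EXAMPLE\n")
        apk.writestr("classes.dex", b"dex\n035\x00\x14AKIAIOSFODNN7EXAMPLE\x00")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_artifact("app.apk", build_sample_apk()):
        print(finding)
```

A key labelled "test" is reported the same way as any other, which is the point: the scanner looks at the artifact that ships, not at what the key was called.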




Grab (Aug 2019)

21,541 drivers / passengers

Profile Pictures, Passenger Names, Vehicle Plate Numbers and Wallet Balances comprising the journal history of ride payments. Other data that was affected included GrabHitch booking details such as Addresses, Pick-up and Drop-off times, Driver Details such as Total Rides, and Vehicle Model and Make

Investigations revealed that:

  • Grab rolled out an update to address a potential vulnerability in the app

  • An application programming interface (API) endpoint allowed GrabHitch drivers to access their data, and the variable "userID" portion in the URL directed data requests to the correct drivers' accounts

  • However the "userID" portion could be manipulated to allow access to other GrabHitch drivers' data

Following the incident, Grab was fined $10,000. It was reported to have taken the following actions:

  • Rolled back the app to the version prior to the update within 40 minutes, and notified 5,651 GrabHitch drivers of the incident the same day

  • Reviewed its testing and governance procedures, and did an architecture review of its legacy applications and relevant codes which had not been reviewed for an extended period of time
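The "userID" issue in the Grab entry above is a missing object-level authorisation check. The following is an added example, not Grab's code or its actual fix, showing a handler that trusts the identifier in the URL beside one that binds it to the logged-in session, plus a regression check that could run in a test suite; the URL path, record fields and session tokens are constructed.

```python
class Forbidden(Exception):
    """Raised when a request must be rejected (HTTP 401/403 in a real service)."""


# Constructed records and sessions; field names are illustrative, not Grab's schema.
DRIVERS = {
    "1001": {"name": "Driver A", "plate": "SXX1001A", "wallet": 42.50},
    "1002": {"name": "Driver B", "plate": "SXX1002B", "wallet": 17.00},
}
SESSIONS = {"token-a": "1001", "token-b": "1002"}  # session token -> logged-in user


def user_id_from(path):
    """Take the trailing userID segment of a hypothetical /api/hitch/drivers/<userID> URL."""
    return path.rstrip("/").rsplit("/", 1)[-1]


def get_driver_before(path, token):
    """'Before': checks that the caller is logged in, then trusts the userID in the URL."""
    if token not in SESSIONS:
        raise Forbidden("not logged in")
    return DRIVERS[user_id_from(path)]


def get_driver_after(path, token):
    """'After': the requested userID must equal the user bound to the session."""
    caller = SESSIONS.get(token)
    if caller is None:
        raise Forbidden("not logged in")
    if user_id_from(path) != caller:
        raise Forbidden("userID does not belong to the caller")
    return DRIVERS[caller]


def cross_account_reads(handler):
    """Regression check: as each user, request every other user's record."""
    leaked = []
    for token, caller in SESSIONS.items():
        for other in DRIVERS:
            if other == caller:
                continue
            try:
                handler(f"/api/hitch/drivers/{other}", token)
                leaked.append((caller, other))
            except Forbidden:
                pass
    return leaked
```

An empty list from `cross_account_reads` is the release gate; any pair in it names a caller who could read another account's record.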



HMI Institute of Health Sciences

(Dec 2019)

120,000 students

Full Names and NRIC Numbers of about

98,000 MINDEF/SAF Personnel

Full Names, NRIC Numbers, Contact Numbers, Email Addresses, Dates of Birth and Residential Addresses of other

HMI Institute customers.

Investigations revealed that:

  • HMI Institute had discovered a file server to be encrypted by ransomware which denied access to various files including those that contained personal data of 110,080 people who participated in HMI Institute's training courses for Mindef and SAF personnel and 253 employees

Following the incident, HMI Institute of Health Sciences was fined $35,000. It was reported to have taken the following actions:

  • Hired a cybersecurity company to investigate the incident, which found no evidence that the data was extracted from the server

  • Affected server taken offline and isolated from the Internet and Internal network

  • Notified all affected individuals

  • Implemented additional IT security enhancement initiatives including the establishment of a secured wide-area network and an enhanced cybersecurity protection suite to prevent the incident from happening again



ST Logistics

(Dec 2019)


Mindef & SAF Personnel

Full Names and NRIC Numbers and a combination of Contact Numbers, Email Addresses or Residential Addresses

Investigations revealed that:

  • Some of its employees fell for a phishing attack involving malware sent to their email accounts

  • ST Logistics failed to conduct periodic security reviews to detect vulnerabilities in its IT systems, where employees' laptops were not properly configured to receive updates of the installed anti-virus software. Affected employees also did not have advanced endpoint protection software to detect newly released forms of malware on their laptops

Following the incident, ST Logistics was fined $8,000. It was reported to have taken the following actions:

  • Notified all affected individuals through text messages.



Integrated Health Information System (IHiS)


1.5 mil SingHealth patients

160,000 records of Outpatient Dispensed Medicines

Names, NRIC Numbers, Addresses, Gender, Race and Date of Birth

(Information of then PM Lee Hsien Loong was specifically targeted)

Investigations revealed that:

  • Perpetrators gained privileged access to the IT network by infecting/compromising a front-end workstation, and obtained login credentials to access the database, while hiding their digital footprints

  • The attack was attributed to sophisticated state-linked actors who wrote customised malware to circumvent SingHealth's antivirus and security tools. The skilled threat actor bears the characteristic of an Advanced Persistent Threat group, using numerous advanced, customised and stealthy tools and carrying out its attack over a period of more than 10 months

  • SingHealth's Information Security Officer is said to be unfamiliar with the incident response process, and has failed to take further steps to investigate and understand reports on suspicious activities

Following the incident, IHiS was fined $750,000 and SingHealth was fined $250,000.

A Committee of Inquiry was convened to investigate and report the cause of attack as well as identify measures to prevent similar attacks. 16 recommendations were made to boost cybersecurity, separated into priority and additional recommendations. More details of the breach are up at:

IHiS/SingHealth was reported to have taken the following remediation actions:

  • Made changes to enhance their cyber-security governance structures and improve management oversight of critical systems

  • Taken steps to work with IHiS to comprehensively upgrade their cyber-defence systems and processes to more effectively guard against cyber-security risks, as well as to respond in a timely and robust manner to any intrusion

