Year of News Coverage of Breach
Company (Period of Breach) No of Victims | | |
2022
Carousell (Oct 2022)
1.95 mil user accounts | Usernames, First and Last Names, Email Addresses, Phone Numbers, Country of Origin, Date of Account Creation and Number of Followers (Found to be put up for sale on Dark Web, hacking forums for $1,000) | |
2022
Starbucks (Sep 2022)
330,000 customers |
Names, Residential and Email Addresses (Found to be put up for sale on an online forum for $3,500) | |
2022
GeniusU (Nov 2020)
1.2 mil customers | First and last names, e-mail addresses, location information and last sign-in IP addresses | Investigations revealed that:
- The login credentials for a GeniusU database containing the personal data of its users were stored in code hosted on GitHub, a software development platform
- Hackers gained access to a GeniusU developer's GitHub account, found the login credentials of the GeniusU database and stole the personal data of its users
- The breach was likely caused by a compromised account belonging to one of its developers, who either used a weak GitHub password or had his password compromised
- Users' personal data should not be stored in testing environments, as they are known to be less secure than the production environments or live systems that platforms operate in
Following the incident, GeniusU was fined $35,000. It was reported to have taken the following remediation actions:
- Refreshed the login credentials to the breached database, removed all hard-coded credentials from its code on GitHub and cleared existing login sessions
- Removed all personal data from non-production environment servers, implemented multi-factor authentication for all work-related accounts and standardised cyber-security policy and related procedures for all staff
The fine levied appeared to be at the lower end of the scale considering the number of users affected, as the leak did not include more sensitive information such as financial or health data. GeniusU's voluntary admission, cooperation and swift action were also considered.
Source: https://www.straitstimes.com/tech/tech-news/edu-tech-firm-geniusu-fined-35000-for-data-leak-affecting-126m-users |
2022
RedMart (Oct 2020)
898,791 user accounts | Names, Email Addresses, Encrypted Passwords, Phone Numbers, Partial Credit Card Numbers | Investigations revealed that:
Following the incident, RedMart was fined $72,000. It was reported to have taken the following remediation actions:
- Deleted compromised user accounts
- Forced logouts and password resets for accounts of all affected customers and sellers
- Implemented database authentication for all databases containing personal data
- Restricted access to the sensitive database
Source: https://www.channelnewsasia.com/singapore/redmart-fined-s72000-data-breach-lazada-3159496 |
2021
MyRepublic (Aug 2021)
79,388 customers | Scanned copies of both sides of NRICs, work passes & proof of residential addresses | Investigations revealed that:
Following the incident, MyRepublic was fined $60,000. It was reported to have taken the following actions:
- Replaced its AWS Cloud bucket access key, removed environment configuration files that exposed the access key and restricted access to buckets to specific IP addresses
- Engaged in a month of dark web monitoring to verify whether the stolen data was published
- Contacted affected customers to provide support and recommended actions to minimise the risk of identity fraud and social engineering attacks
- Offered affected customers six months of complimentary credit monitoring service through Credit Bureau Singapore to allow them to monitor their credit report and alert them of any suspicious activity
Source: https://www.channelnewsasia.com/singapore/myrepublic-data-breach-cyber-attack-fine-60000-2943016 |
2021
StarHub (Jul 2021)
57,191 customers | Identity Card Numbers, Mobile Numbers and Email Addresses | Investigations revealed that:
StarHub was reported to have taken the following remediation actions:
- Progressively notifying affected customers via e-mail over the next 14 days
- Offered affected customers six months of complimentary credit monitoring service through Credit Bureau Singapore to safeguard affected customers' identity and personal information
- Activated an incident management team to assess and contain the situation
- Engaged a team of leading digital forensic and cyber-security experts to launch an investigation
- Attempted to have the document removed from the data dump site
- Took immediate and appropriate actions to review existing security measures to protect core infrastructure and systems
Source: https://www.straitstimes.com/tech/more-than-57000-starhub-customers-personal-data-leaked |
2021
SingTel (Dec 2020)
129,000 customers, 23 enterprises (including Suppliers, Partners, Corporate Customers) | NRIC Numbers, Name, Date of Birth, Phone Numbers or Address
Test Data, Reports, Data Logs and Emails
Credit Card Details of 45 staff of a SingTel mobile line corporate card customer
Bank Account Details of 28 former employees (A ransom of $250,000 worth of bitcoin was requested by the Clop group hackers) | Investigations revealed that:
- Accellion File Transfer Appliance (FTA), a standalone, third-party file sharing system used by SingTel to share information with internal and external stakeholders, was the target of a sophisticated cyber attack exploiting a previously unknown vulnerability
- Accellion was quoted to have alerted and provided patches to SingTel after discovering the new vulnerability and potential breach. The system was immediately taken offline, but it was established that files were taken as a result of the breach and data of the victims were leaked
SingTel was reported to have taken the following remediation actions:
- Conducted an impact assessment with urgency to ascertain the nature and extent of data that has been potentially accessed
- Reached out to all affected individual and corporate customers via mail or post about what personal details were accessed and how they can best manage the risks involved
- Appointed a global data and information service firm to provide identity monitoring services for free to affected customers. The service monitors public and non-public spaces on the internet and notifies users of any unusual activity
Source: https://www.businesstimes.com.sg/companies-markets/singtel-says-standalone-third-party-file-sharing-system-hacked |
2021
RedDoorz (Sep 2020)
5.9 mil customers | Names, Contact Numbers, Email Address, Date of Birth, Hashed passwords and their Booking Information (Found to be put up for sale on a hacker forum) | Investigations revealed that:
- Hackers accessed RedDoorz's database hosted on AWS Cloud after obtaining its access key. The access key was embedded in an Android application package (APK) created by Commeasure, RedDoorz's site operator, in 2015 to install the RedDoorz app. The problem arose when the access key was mislabeled as a "test key" and Commeasure ignored AWS' advice not to embed access keys directly into code
Following the incident, Commeasure was fined $74,000. It was reported to have taken the following actions:
- Separated the accounts for production and staging environments for all AWS services, and only allowed white-listed Internet Protocol addresses to access its live databases
- Put two-factor authentication in place for all the tools and accounts used by developers
- Informed affected customers of the breach and advised them to change their RedDoorz account passwords as a precaution and avoid using the same passwords on other online platforms
Source: https://www.straitstimes.com/tech/tech-news/59m-customers-of-reddoorz-hotel-booking-site-leaked-in-spores-largest-data-breach |
2020
Grab (Aug 2019)
21,541 drivers / passengers | Profile Pictures, Passenger Names, Vehicle Plate Numbers and Wallet Balances comprising the journal history of ride payments. Other data that was affected included GrabHitch booking details such as Addresses, Pick-up and Drop-off times, Driver Details such as Total Rides, and Vehicle Model and Make | Investigations revealed that:
- Grab rolled out an update to address a potential vulnerability in the app
- An application programming interface (API) endpoint allowed GrabHitch drivers to access their data, and the variable "userID" portion in the URL directed data requests to the correct drivers' accounts
- However, the "userID" portion could be manipulated to allow access to other GrabHitch drivers' data
Following the incident, Grab was fined $10,000. It was reported to have taken the following actions:
- Rolled back the app to the version prior to the update within 40 minutes, and notified 5,651 GrabHitch drivers of the incident the same day
- Reviewed its testing and governance procedures, and did an architecture review of its legacy applications and relevant codes which had not been reviewed for an extended period of time
Source: https://www.businesstimes.com.sg/startups-tech/startups/privacy-watchdog-says-it-fined-grab-s10000-potentially-exposing-individuals |
2019
HMI Institute of Health Sciences (Dec 2019)
120,000 students | Full Names and NRIC Numbers of about 98,000 MINDEF/SAF Personnel
Full Names, NRIC Numbers, Contact Numbers, Email Addresses, Dates of Birth and Residential Addresses of other HMI Institute customers. | Investigations revealed that:
Following the incident, HMI Institute of Health Sciences was fined $35,000. It was reported to have taken the following actions:
- Hired a cybersecurity company to investigate the incident, which found no evidence that the data was extracted from the server
- Took the affected server offline and isolated it from the Internet and internal network
- Notified all affected individuals
- Implemented additional IT security enhancement initiatives, including the establishment of a secured wide-area network and an enhanced cybersecurity protection suite, to prevent the incident from happening again
Source: https://hmi-ihs.com/hmi-institute-alerts-students-and-applicants-to-data-incident/ |
2019
ST Logistics (Dec 2019)
2,400 Mindef & SAF Personnel | Full Names and NRIC Numbers and a combination of Contact Numbers, Email Addresses or Residential Addresses | Investigations revealed that:
- Some of its employees fell for a phishing attack involving malware sent to their email accounts
- ST Logistics failed to conduct periodic security reviews to detect vulnerabilities in its IT systems, where employees' laptops were not properly configured to receive updates of the installed anti-virus software. Affected employees also did not have advanced endpoint protection software to detect newly released forms of malware on their laptops
Following the incident, ST Logistics was fined $8,000. It was reported to have taken the following actions:
Source: https://www.todayonline.com/singapore/2-firms-fined-s43000-total-over-personal-data-breaches-affecting-mindef-saf-personnel |
2019
Integrated Health Information System (IHiS) (2018)
1.5 mil SingHealth patients
160,000 records of Outpatient Dispensed Medicines | Names, NRIC Numbers, Addresses, Gender, Race and Date of Birth (Information of then PM Lee Hsien Loong was specifically targeted) | Investigations revealed that:
- Perpetrators gained privileged access to the IT network by infecting/compromising a front-end workstation, and obtained login credentials to access the database, while hiding their digital footprints
- The attack was attributed to sophisticated state-linked actors who wrote customised malware to circumvent SingHealth's antivirus and security tools. The skilled threat actor bears the characteristics of an Advanced Persistent Threat group, using numerous advanced, customised and stealthy tools and carrying out its attack over a period of more than 10 months
- SingHealth's Information Security Officer is said to have been unfamiliar with the incident response process, and to have failed to take further steps to investigate and understand reports on suspicious activities
Following the incident, IHiS was fined $750,000 and SingHealth was fined $250,000.
A Committee of Inquiry was convened to investigate and report the cause of the attack as well as identify measures to prevent similar attacks. 16 recommendations were made to boost cybersecurity, separated into priority and additional recommendations. More details of the breach are up at: https://en.wikipedia.org/wiki/2018_SingHealth_data_breach
IHiS/SingHealth was reported to have taken the following remediation actions:
- Made changes to enhance their cyber-security governance structures and improve management oversight of critical systems
- Taken steps to work with IHiS to comprehensively upgrade their cyber-defence systems and processes to more effectively guard against cyber-security risks, as well as to respond in a timely and robust manner to any intrusion
Sources: https://www.straitstimes.com/singapore/singapores-privacy-watchdog-fines-ihis-750000-singhealth-250000-for-data-breach https://en.wikipedia.org/wiki/2018_SingHealth_data_breach |