The company carried out investigations and analysis with the help of cyber security experts, revealing which files on the Accellion FTA system were accessed illegally during the breach and which stakeholders have been impacted.
“While this data theft was committed by unknown parties, I’m very sorry this has happened to our customers and apologise unreservedly to everyone impacted. Data privacy is paramount, we have disappointed our stakeholders and not met the standards we have set for ourselves,” said Yuen Kuan Moon (pictured), Group CEO, Singtel.
“Given the complexity and sensitivity of our investigations, we are being as transparent as possible and providing information that is accurate to the best of our knowledge. We are doing our level best to keep our customers supported in mitigating the potential risks.”
The findings show that the data taken includes consumer information containing different combinations of personally identifiable information. In addition, 23 enterprises were affected including suppliers, partners and corporate customers.
Additionally, a large part of the leaked data includes Singtel’s internal information that is non-sensitive such as data logs, test data, reports and emails.
In response to these findings Singtel has begun notifying all affected individuals and enterprises to help them manage the possible risks and take appropriate action.
As part of this support, Singtel is also appointing a global data and information service provider, to provide identity monitoring services at no cost to affected customers to help them manage potential risks. This service monitors public websites and non-public places on the internet and notifies users of any unusual activity related to their personal information.
“I’d like to thank our customers and partners for their patience and understanding as we continue our cyber and criminal investigations to understand the full extent of this breach,” added Kuan Moon.
“I want to emphasise that our core operations and functions remain unaffected and sound and this incident involves a standalone system provided by a third-party vendor. Information security remains our highest priority and you have my commitment that we are conducting a thorough review of our systems and processes to strengthen them.”
The data breach occurred 20 January 2021, following a series of attempts to patch to previous breach attempts in December 2020.
Exfiltrated data established to date: |
Personally Identifiable Information of approximately 129,000 customers containing NRIC and some combination of the following information: name, date of birth, mobile number, address |
Bank account details of 28 former Singtel employees |
Credit card details of 45 staff of a corporate customer with Singtel mobile lines |
Some information from 23 enterprises |