Singtel says it is investigating the impact of a cybersecurity breach that may have compromised customer data, after it ascertained on February 9 that “files were taken”. The attack had affected a file-sharing system developed two decades ago by a third-party vendor Accellion, which the Singapore telco had used internally and with external stakeholders.
Singtel revealed in a statement Thursday it was notified by Accellion that the file-sharing system, called FTA (File Transfer Appliance), had been breached by unidentified hackers. The telco said the tool was deployed as a standalone system and used to share information within the organisation and with external stakeholders.
All use of the system had been pulled back and relevant authorities, including Singapore’s Cyber Security Agency and local police, were notified. Singtel added that it currently was assessing the nature and impact of the breach, and the extent of data that might have been illegally accessed.
“Customer information may have been compromised,” the telco said. “Our priority is to work directly with customers and stakeholders whose information may have been compromised to keep them supported and help them manage any risks. We will reach out to them at the earliest opportunity once we identify which files relevant to them were illegally accessed.”
Adding that the incident was “isolated” since it involved a standalone third-party system, it said its “core operations” was not unaffected. In its FAQ posted online, Singtel said it was reviewing its processes and file-sharing protocols to “further enhance our information security posture”.
It noted that due to the “complexity of the investigations”, its impact assessment would take some time. It said it would contact those that might have had their data illegally downloaded.
Accellion on February 1 said its FTA system was a 20-year-old large-file transfer software nearing the end of its lifecycle. It had been the target of a “sophisticated cyberattack”, which was first made known on December 23 when Accellion informed all its customers of an attack involving the file-sharing system.
The vendor said it was “made aware of a zero-day vulnerability” in mid-December, which then was the “beginning of a concerted cyberattack” that continued into January 2021, with further exploits identified. It said it had released a fix for the initial exploit within 72 hours and continued to release patches to close each vulnerability discovered in the following weeks.
Fewer than 50 customers were affected by the incident, Accellion said, noting that it had added monitoring and alerting tools to identify anomalies associated with these attack vectors.
It said the vulnerabilities were limited to the FTA software and did not impact its enterprise content firewall product, Kiteworks, on which most of Accellion’s customers operated. Kiteworks was developed on a different code base and security architecture, the vendor said.
Patches rolled out did not effectively plug holes
ZDNet sent several questions to Singtel including when it was first notified of the breach and why it still was using a 20-year file-sharing product that was nearing the end of its lifecycle. A spokesperson did not directly address the questions, but confirmed Accellion first notified Singtel of the vulnerability on December 23 and, following which, provided a series of patches.
The telco said the first fix was deployed on December 24, while the second and find patch was applied on December 27. Singtel said no further fixes were released since.
Accellion on January 23 pushed out another advisory citing a new vulnerability, against which the patch rolled out on December 27 was ineffective, according to Singtel. The telco then “immediately” took the FTA system offline.
A subsequent patch was provided on January 30 to plug a new vulnerability, which Singtel said had triggered an anomaly alert when efforts were made to deploy it.
“Accellion informed thereafter that our system could have been breached and this had likely occurred on January 20 January,” the Singtel spokesperson told ZDNet in an email. “We continued to keep the system offline and activated cyber and criminal investigations that confirmed the January 20 date. Given the complexity of the investigations, it was only confirmed on February 9 that files were taken.”
Commenting on the potential data breach, Acronis’ co-founder and technology president Stas Protassov noted that the information would be useful to Singtel’s competitors if leaked, since the FTA system was used mostly amongst employees and likely would touch on internal information, such as current business plans.
He further noted that the software was a 20-year-old legacy system and would pose significant security risks. “Singtel and others should consider migrating to supported modern systems,” Protassov said, adding that Singtel also could have started addressing the issue sooner since Accellion was aware of the compromise since December 23.
Accellion points out that FTA is over 20 years old – it seems this legacy system did not get as much attention from developers and security teams as it should have. Singtel now suspended the use of the system, which is good. However, Accellion says, the first signs of compromise appeared 23 December 2020, so Singtel could have started the process much earlier.
He noted that Acronis was monitoring the dark web for potential data leak from the FTA breach, but had yet to see any signs of data being dumped.