Singtel has confirmed that personal details of 129,000 customers as well as financial information of its former employees have been compromised in a security breach that involved a third-party file-sharing system. Credit card details belonging to staff of a corporate client and information tied to 23 enterprises, including suppliers and partners, also have been leaked in the incident.
The announcement Wednesday came just under a week after the Singapore telco revealed “files were taken” in an attack that affected a file-sharing system, called FTA, which was developed two decades ago by Accellion. Singtel said it had used the software internally and with external stakeholders.
Following its investigations, the telco said compromised personal data belonging to 129,000 customers contained their identification number alongside some other data that included name, date of birth, mobile number, and physical address.
Bank account details of 28 former Singtel staff and credit card details of 45 employees of a corporate client with Singtel mobile lines also were leaked. In addition, “some information” from 23 enterprises including suppliers, partners, and corporate clients were compromised.
Singtel would not offer further details on what exactly this information was, citing security reasons.
The telco did say that a large part of the leaked data compromised internal information that was non-sensitive, such as data logs, test data, reports, and email messages.
It said it had begun notifying affected individuals and enterprises about the breach and was offering help to mitigate potential risks from the breach. This included provisions for a data service provider to provide identity monitoring services, at no additional cost to affected customers, which would be instructed on how to sign up for the service.
Singtel’s group CEO Yuen Kuan Moon said: “While this data theft was committed by unknown parties, I’m very sorry this has happened to our customers and apologise unreservedly to everyone impacted. Data privacy is paramount. We have disappointed our stakeholders and not met the standards we have set for ourselves.
“Given the complexity and sensitivity of our investigations, we are being as transparent as possible and providing information that is accurate to the best of our knowledge,” Yuen said, adding that its investigations were ongoing to ascertain the full extent of the breach.
He noted that Singtel’s core operations and functions were unaffected and it was conducting a “thorough review” of its systems and processes.
Informed only recently of product’s end of lifecycle
ZDNet last week had asked Singtel why it still was using FTA, a 20-year file-sharing product that Accellion said was nearing the end of its lifecycle, but the telco then would not address the question.
On an updated FAQ posted on its website, Singtel noted that it had continued to use the software since it was “still a current product offered and supported by Accellion”. The telco revealed that Accellion only announced the product’s end of life on January 28 this year, effective from April 30.
Accellion had released a statement February 1 that said its FTA system was a legacy large-file transfer software nearing the end of its lifecycle.
Singtel said: “It was unfortunate the attack occurred while we were conducting a review to upgrade or replace the product. And despite promptly updating the vulnerability patches provided by Accellion, the patches failed.”
The telco last week said Accellion’s first fix was deployed on December 24, while a second patch was applied on December 27. Accellion on January 23 pushed out another advisory citing a new vulnerability, against which the December 27 patch proved ineffective, according to Singtel, which said it then took the FTA system offline.
A subsequent patch was provided on January 30 to plug a new vulnerability, which the telco said triggered an anomaly alert when efforts were made to deploy it. It was notified by Accellion that its system could have been breached on January 20 and, following its investigations, Singtel confirmed on February 9 that data had been compromised.