400,000 Fullerton Health Client Details Were Stolen and Sold Online
- Fullerton Health’s server vendor Agape had their servers breached and data stolen.
- Hackers stole the personal data of some 400,000 people, including data belinging to children.
- Agape said the breach was isolated and Fullerton’s network was not compromised.
The Singapore servers of a Fullerton Health services vendor were hacked in early October. Following the breach, the sensitive data of 400,000 people, as well as insurance policy details, went for sale on October 11 for $600 in Bitcoin. The data sale post was taken down on October 22, but it's not known why.
The unidentified actors have shared a sample document showcasing the data they are selling. It included customer names, ID numbers, bank accounts, employers and medical history, and data about clients' children. Another sample document had the Fullerton Health and Singapore Airlines letterheads.
Even though the actors were not identified, they seem to specialize in stealing data from e-commerce and healthcare organizations and are currently active across many nations.
On October 19, Fullerton Health informed its vendor, Agape Connecting People, of the breach. Agape officials said the breach was isolated and the compromised servers were immediately taken down upon discovery, stating that no credit card or password information was exposed. They have also informed Singapore’s Personal Data Protection Commission and are working with cyber-security experts to prevent future breaches.
Fullerton Health says the breach involved only data of patients from its Singapore operations, that its own networks were not compromised, and that the company is looking into the number of clients affected by the server breach and that. The company is involved in the national SARS-COV-2 vaccination program, but apparently the stolen data is not related.
Another Singapore company was hit recently. In August 2021, a third-party storage platform used by MyRepublic Singapore to store clients details suffered unauthorized access and the PII of almost 80,000 mobile subscribers based in Singapore were stolen.