- The Singaporean communications service provider ‘MyRepublic’ has suffered a data breach through a third party.
- Their contractor was storing the PII of some of the firm’s customers, so the consequences of the breach are severe.
- The accessed data includes names, mobile numbers, utility bills, and even national ID cards.
‘MyRepublic’ Singapore has published an announcement to inform its customers of a cybersecurity incident that affects them. The incident took place on 29 August 2021, and it concerns unauthorized access to data on a third-party storage platform that MyRepublic uses to store the personal details of its clients. Although the unauthorized access was detected almost immediately and the problem was contained, the actor managed to access the data of 79,388 mobile subscribers based in Singapore.
The data that has been compromised includes the following:
- For affected Singapore citizens, permanent residents and employment and dependent pass holders — scanned copies of both sides of NRICs.
- For affected foreigners — proof of residential address documents e.g. scanned copies of a utility bill.
- For affected customers porting an existing mobile service — name and mobile number.
No account or payment details have been exposed, and no systems or networks belonging to ‘MyRepublic’ were directly compromised by hackers. Still, the firm assumes responsibility as it should and is covering the cost of a credit monitoring service for all customers who have been affected by the data breach.
It is important to point out that there’s no evidence that any personal data has been misused, but it’s obviously too early to tell if anything has been exfiltrated or not. If you are a customer of MyRepublic Singapore, you should remain vigilant against incoming emails and SMS, as phishing, scamming, and social engineering are now a dire possibility. Because utility bills and national ID cards were accessed too, crooks opening accounts using other people’s identities and proof of residence is another dreadful but entirely possible scenario.
Lookout’s Senior Manager, Hank Schless, told us:
“This incident highlights the importance of vetting third parties who will have access to your customers’ data. An extensive security review should no longer be optional when you’re looking to onboard a solution that could have access to this sensitive data. In addition, you should constantly review the security posture of that service to ensure they’re staying up to date. You should also look for indicators of how seriously the third party takes security. There are certain tell-tale signs, such as having modern data loss prevention (DLP) capabilities for both cloud-based and on-premise resources, that can help you gauge confidence in the vendor’s ability to protect your data.”