5,400 customers hit in cyber attack on AXA's Health Portal

The AXA logo is seen at its headquarters in Melbourne on May 31, 2010. PHOTO: REUTERS

Insurance firm says stolen details include mobile number, birth date and e-mail address but no financial or health data

The personal data of about 5,400 past and present customers of AXA Insurance in Singapore has been stolen in a cyber attack.

The French life insurance company e-mailed most of the affected customers yesterday about the data breach. The rest will be informed by late today.

The e-mail by its data protection officer Eric Lelyon said the attack on its Health Portal took place recently, without giving the date.

In particular, the customers' e-mail address, mobile number and date of birth were exposed.

The company said no other personal data - including name, NRIC number, address, credit card or bank details, health status, claims history or marital status - was leaked.

When contacted, AXA Singapore chief executive officer Jean Drouffe said the company takes customer privacy very seriously and apologised for the breach. He also assured customers that its Health Portal "is now secure".

He did not address questions on when the attack took place and when the breach was discovered, but said: "A thorough review of our IT systems is under way. No financial or health data was compromised." He added that the compromised data, by itself, will not result in identity theft.

Customers, however, are advised to be vigilant against phishing, often done via e-mail to trick victims into disclosing their credentials.

AXA has made a police report. It advised customers to do the same if they had inadvertently disclosed personal data as a result of phishing attempts in the past few months, as it could be connected to the AXA hacking incident.

Mr Gavin Chow, network and security strategist at cyber-security solutions firm Fortinet, said hackers could masquerade as AXA or any commercial entity to trick victims into revealing, for instance, their e-banking usernames and passwords.

This method, known as phishing, could be carried out via e-mail, SMS or WhatsApp when the hacker has the users' e-mail address and mobile number.

Hackers could also trick victims into installing malware in their computers or mobile phones, and then steal one-time passwords sent via SMS to make fraudulent transactions. "If anyone is using his birth date as password, change it now," said Mr Chow.

Singapore's privacy watchdog, the Personal Data Protection Commission, said it is investigating the breach. "We understand that AXA has addressed the vulnerability in its system," its spokesman said.

A Monetary Authority of Singapore spokesman said it has asked AXA to do a thorough review of its IT security and to fix control gaps. "MAS takes a serious view of this incident and is investigating the matter."

Singapore's Cyber Security Agency urged companies that hold customer data to prioritise cyber security and adopt proactive measures to better protect themselves against cyber attacks.

Attacks have become rampant.

In April, hackers broke into the networks of the National University of Singapore and Nanyang Technological University, presumably to steal government-related data. Just two months earlier, the personal data of 850 national servicemen and Defence Ministry staff was stolen.

A version of this article appeared in the print edition of The Straits Times on September 08, 2017, with the headline '5,400 customers hit in cyber attack on AXA's Health Portal'.