SINGAPORE - The personal data of 5,400 customers of AXA Insurance in Singapore has been stolen due to a cyber attack.
The life insurance firm sent out an e-mail to most affected customers on Thursday (Sept 7), notifying them of the data breach. The remaining affected customers will be notified by Friday (Sept 8).
In the e-mail, AXA's data protection officer Eric Lelyon said: "We wish to inform you that because of a recent cyber attack, personal data belonging to about 5,400 of our customers, past and present, on our Health Portal was compromised."
In particular, their e-mail address, mobile number and date of birth were exposed.
The firm said that no other personal data - including name, NRIC number, address, credit card or bank details, health status, claims history or marital status - was leaked.
When contacted, AXA Singapore chief executive officer Jean Drouffe said the firm takes customer privacy very seriously and apologised for the breach. He also assured customers that the firm's Health Portal "is now secure".
He skirted questions on when the cyber attack took place and when the breach was discovered, but said: "A thorough review of our IT systems is underway. No financial or health data was compromised."
Mr Drouffe also said that the compromised data, by themselves, will not result in identity theft.
Customers are, however, advised to be vigilant against phishing, which is most commonly carried out via e-mail to trick victims into disclosing their credentials.
AXA made a police report, and advised customers to do the same if they had inadvertently disclosed personal data as a result of phishing attempts in the last few months as it could be connected to the AXA hacking incident.
The Monetary Authority of Singapore (MAS) has asked AXA to initiate a thorough review of its IT security and to remediate control gaps.
"We understand that AXA has taken steps to address the vulnerability in its Health Portal. MAS takes a serious view of this incident and is investigating the matter," a MAS spokesman said in a statement on Thursday.
Singapore Cyber Security Agency (CSA) said the incident is a reminder that companies that collect and hold customer data are an attractive target for cyber criminals.
"Hence, companies need to make the appropriate risk assessment, prioritise cybersecurity and adopt proactive measures to better protect themselves against cyber attacks," a spokesman said on Thursday.
Mr Gavin Chow, network and security strategist at cyber security solutions firm Fortinet, said hackers could masquerade as AXA or any commercial entity to trick victims into revealing their e-banking usernames and passwords, for instance.
This method, known as phishing, can be executed via e-mail, SMS and WhatsApp - now that hackers have users' e-mail address and mobile number.
Hackers could also trick victims into installing malware into their computers or mobile phones. When phones are infected by malware, hackers can steal one-time passwords sent via SMS for making fraudulent transactions.
"If anyone is using their birth dates as passwords, change it now," said Mr Chow.
Singapore's privacy commission, the Personal Data Protection Commission, said it is investigating the breach. "We understand that AXA has addressed the vulnerability in their system," a Commission spokesman said.