Fullerton Health vendor's server hacked; personal details of customers sold online

The hackers claimed the data contained the details of some 400,000 people. PHOTO: REUTERS

SINGAPORE - Personal details of Fullerton Health customers were stolen by hackers and hawked online, after a vendor of the private healthcare group suffered a breach earlier this month.

The data was put up for sale on hacking forums from Oct 11, and could be bought for US$600 (S$810) in Bitcoin. However, checks by The Straits Times showed that the hackers took down the posts on the data sale last Friday (Oct 22).

The hackers claimed they managed to steal the data of some 400,000 people, including the insurance policy details of Singaporeans.

A sample of the data uploaded by the unidentified hackers included customer names and identity card numbers, as well as information about bank accounts, employers and medical history.

It also had the personal details of the customers' children.

A sample document shared by the hackers bore the letterheads of Fullerton Health and Singapore Airlines.

The breach was of a server used by Agape Connecting People, a social enterprise that provides contact centre services.

Agape was engaged as a vendor to handle bookings by Fullerton Health customers.

The medical service provider discovered the breach shortly before informing Agape on Oct 19.

Both have made police reports, and the Personal Data Protection Commission has been informed. Investigations are ongoing.

Responding to queries from ST, Fullerton Health confirmed that its own networks were not compromised, and it is still trying to establish the exact number and identities of those affected.

Mr Ho Kuen Loon, group chief executive officer of Fullerton Health, said there is no disruption to its services resulting from the breach.

"We take this matter very seriously as confidentiality of our customers' personal data is of utmost importance to us," he added.

"We will be reaching out to affected customers whose personal data may have been affected at the earliest possible time."

A sample document shared by the hackers bore the letterheads of Fullerton Health and Singapore Airlines. PHOTO: SCREENSHOT FROM "HACKING FORUM"

Fullerton Health, which specialises in designing customised medical services for corporate and insurer clients, said the breach involved only data of patients from its Singapore operations.

It has engaged cyber-security experts to work with Agape to prevent such an incident from happening again.

On Monday, Agape said its system was isolated and suspended immediately once the breach was discovered, and that no credit card or password information was exposed.

"We are in the process of confirming that no other clients of Agape Connecting People were affected," it added. "We regret this incident has caused inconvenience to our client and its customers."

Checks by ST found that the hackers specialise in the pilfering and sale of data from the e-commerce and healthcare sectors.

They continue to hawk data from numerous organisations in many countries.

It is not known if they had any incentive to suddenly stop the sale of the Fullerton Health data.

Fullerton Health is one of the private healthcare providers involved in Singapore's national vaccination programme.

ST understands that the stolen data is not related to the programme.

Join ST's WhatsApp Channel and get the latest news and must-reads.