Bank statements for 647 of Standard Chartered Bank's wealthiest clients were stolen and found on an alleged hacker's laptop.
The bank told a hastily convened briefing last night that the February statements of these private banking clients were accessed via the server at a facility run by Fuji Xerox, which prints the documents for StanChart.
StanChart Singapore chief executive Ray Ferguson said that affected clients are being informed, but no unauthorised transactions had been found.
The dramatic revelations only came to light following the Nov 4 arrest of hacking suspect James Raj Arokiasamy, the man behind "The Messiah" pseudonym.
James Raj is in custody, accused of hacking into a town council website on Oct 28.
It is understood the bank statements, which would have detailed, highly confidential information such as the client's address and the amount of funds he held with the bank, were found on his laptop during investigations.
The police notified the Monetary Authority of Singapore (MAS) and StanChart, which began an internal inquiry that led to the bank filing a police report on Monday.
It is not clear how the documents were stolen from the server, nor how they landed on James Raj's laptop.
Mr Ferguson said yesterday that "the confidentiality and privacy of our clients are of paramount importance to us, and we take this incident very seriously".
The bank added that no wholesale banking, business or retail customers were affected.
No questions were taken at the brief session, which was held at StanChart's Marina Bay Financial Centre offices.
Fuji Xerox is also conducting a review, adding that this is the first time such an incident has occurred at its facilities here.
MAS said in a statement that it is working closely with StanChart on the incident, and will "consider if regulatory action against the bank is warranted". It said the theft is an isolated case, but urged all banks to be vigilant.
Banks here outsource a variety of functions to third-party sources, such as systems development and maintenance, or disaster recovery services.
MAS regulations say banks should monitor and review the security policies, procedures and controls of the service provider on a regular basis.
This theft comes amid a spate of hacking incidents here, and in a climate of heightened awareness of cyber threats.
In its statement, MAS said banks had been hit by various cyber threats. It added that it takes a serious view of such threats and has tough rules for financial institutions to protect the security of their data.
Asia-Pacific managing director of Cloud Security Alliance Aloysius Cheang said banks will set out standard operating procedures that they align against international best practices and with local central bank requirements.
He added that banks with processes that they may be outsourcing abroad, for example in India or somewhere else, could face higher risks of security breaches.
TOP OF THE NEWS
Data theft: MAS to review bank's report
Private banking clients voice security concerns