Details of 70,000 Sias members compromised in 2013 attack

The names, IC numbers, home addresses, email addresses, mobile and landline numbers of members were compromised, said Sias president David Gerald.
The names, IC numbers, home addresses, email addresses, mobile and landline numbers of members were compromised, said Sias president David Gerald.PHOTO: SIAS

The personal details of about 70,000 Securities Investors Association (Singapore) (Sias) members were hacked in 2013, and they were informed about it yesterday.

The names, NRIC numbers, home addresses, e-mail addresses, mobile and landline numbers of members were compromised, Sias president David Gerald told The Straits Times.

Deputy director of the Singapore Computer Emergency Response Team (Singcert), Ms Goh Yan Kim, said that the Cyber Security Agency (CSA) received a tip-off about the data breach in an e-mail.

"This is not related to the SingHealth incident," said Ms Goh. "As Sias is not a public sector agency nor Critical Information Infrastructure, Singcert reached out to them to inform them and asked them to verify the situation."

She said the Sias website has some vulnerabilities which hackers could have exploited. The association has been informed about the technical issues in their website design so that they can take the necessary safeguards.

Mr Gerald said he was surprised when the CSA informed him of the hack yesterday.

He said: "We don't know who did it. We have contacted our IT management company, who are external specialists working with our in-house IT team, and will take their advice on what to do."

He said that the IT specialists were currently investigating the incident and that all Sias members have since been informed.

"We are very sorry to members, especially the older members. Most of them don't have e-mails, so it took a little longer to inform them," said Mr Gerald.

In e-mails to affected members, Sias general manager Richard Dyason reassured them that the records were not tampered with, and were not amended or deleted.

Meanwhile, Mr Gerald said that Sias has taken its database offline and is working on a new website.

A check on the website yesterday evening showed the association's logo and a message below that said: "Sias new website is under development, we should be up in two days. Look forward to your visit soon."

The Sias president said a decision will be made by the management committee on whether the members' details will go back online, or remain offline.

"We are working on how to make our processes more robust," he said. "We had firewall and other precautions in place, but we were told that there is no 100 per cent when it comes to cyber security. Hackers are getting smarter and smarter."

He said the association did not invest very heavily in the IT department due to the limited funds it had to work with.

A version of this article appeared in the print edition of The Straits Times on July 26, 2018, with the headline 'Details of 70,000 Sias members compromised in 2013 attack'. Print Edition | Subscribe