A third-party file-sharing system used by Singapore's largest telco, Singtel, has been hacked and customer information may have been compromised, the company said yesterday.
The breach occurred on Jan 20, but the telco gave the assurance that, for now, its core operations are not affected.
The hack was part of a wider global breach of the File Transfer Appliance (FTA) file-sharing system that recently affected other organisations, including New Zealand's central bank, the Australian Securities and Investments Commission, and the Washington State Auditor's Office in the United States.
Singtel said an impact assessment on the extent of the data breach is being carried out.
"Our priority is to work directly with customers and stakeholders whose information may have been compromised to keep them supported and help them manage any risks," it said.
The company did not provide details on the data breach and how many customers were affected.
The identity of the hackers and their motives are not yet known.
Singtel said it is contacting affected customers "at the earliest opportunity once we identify which files relevant to them were illegally accessed".
The FTA file-sharing system is provided by US cloud-sharing company Accellion, which informed its customers, including Singtel, of an attack on Dec 23 last year.
Describing FTA as a 20-year-old product near the end of its functionality, Accellion said it suffered a "sophisticated cyber attack" which included exploiting a previously unknown vulnerability. The US firm said last month that fewer than 50 customers were affected.
Singtel said it applied an FTA patch from Accellion on Dec 24, and another one on Dec 27. On Jan 23, Accellion said the Dec 27 patch was ineffective against a new vulnerability, and Singtel took the product offline.
Accellion put out another patch on Jan 30, but Singtel said it received an "anomaly alert" when applying it. The vendor said Singtel's system could have been breached, and the telco confirmed this occurred on Jan 20. "Given the complexity of the investigations, it was only confirmed on Feb 9 that files were taken," Singtel added.
Timeline of events
Dec 23, 2020: Accellion first informs its File Transfer Appliance (FTA) users about a previously unknown vulnerability.
Dec 24: Singtel installs patch from Accellion to plug the vulnerability.
Dec 27: Singtel installs the last available patch from Accellion; no further patch is provided after that.
Jan 23, 2021: Accellion advisory cites a new vulnerability that the Dec 27 patch was not effective against. Singtel immediately takes the system offline.
Jan 30: Singtel attempts to install a new patch to plug the new vulnerability but receives an anomaly alert. The system is kept offline and investigations confirm a Jan 20 breach.
Feb 9: Singtel establishes that files were taken as a result of the breach.
Feb 11: Singtel announces the FTA breach.
The telco said the breach was an isolated incident involving the third-party system, and its core operations remained "unaffected and sound". The FTA system is used to share information internally within Singtel and externally with other stakeholders.
The telco has suspended use of FTA and is investigating with cyber-security experts and the authorities, including the Cyber Security Agency of Singapore (CSA).
CSA's Singapore Computer Emergency Response Team advised users to disconnect the FTA system to perform a thorough check. They should also regularly check for updates, apply patches quickly and monitor their networks for unusual activities, which may suggest data is being stolen from the FTA.
The Personal Data Protection Commission said it is investigating the incident.
Accellion told The Straits Times that it could not comment on specific customers "for their protection". But it was "conducting a full assessment" of the FTA hack with "an industry-leading cyber-security forensics firm".
The company previously said it has been encouraging all FTA customers to migrate to its latest secure file-sharing kiteworks platform, and has fast-tracked plans to end FTA following the cyber attacks.
It remains unclear why Singtel was still using FTA. But Accellion told IT security news site BankInfoSecurity earlier that customers might be reluctant to switch because it meant moving data, which would entail changes to procedures and having to train workers on the new system.
IT security experts said Singtel's hack is part of a trend of crooks targeting vendors and suppliers of major organisations.
"Companies like Singtel are like fortresses... and very hard to penetrate. However, attackers always go after the weakest link, like vendors," said Mr Shane Chiang, chief executive of local cyber-security firm Momentum Z. He cited last year's SolarWinds hacking incident as one such "supply chain attack".
Mr Chiang advised firms to have a way to vet and monitor their vendors on cyber security, and to ensure company IT systems and physical workplaces are secure, even against inside jobs, such as by verifying whether access requests are legitimate.
Mr Stas Protassov, co-founder and technology president of cyber-security firm Acronis, said that if customer data was compromised, it could be sold on the black market or used to carry out a targeted attack on the victim's company.
For now, he added, no FTA data has been dumped on the Dark Web, where, among other things, stolen data is sold.
"If it does contain critical information, the price for that on the Dark Web could be several millions of dollars," said Mr Protassov.