Singtel data breached through hack on third-party file-sharing vendor

Singtel said that its core operations remain "unaffected and sound".
Singtel said that its core operations remain "unaffected and sound".ST PHOTO: KUA CHEE SIONG

SINGAPORE - A third-party file-sharing system used by Singapore’s largest telco, Singtel, has been hacked and customer information may have been compromised, the company said early on Thursday (Feb 11).

The breach occurred on Jan 20 but, for now, the telco assured that its core operations are not affected.

The hack was part of a wider global breach of the File Transfer Appliance (FTA) file-sharing system that recently affected other organisations including New Zealand’s central bank, the Australian Securities and Investments Commission and the Washington State Auditor’s Office in the US.

Singtel said on Thursday that an impact assessment on the extent of the data breach is being carried out.

“Our priority is to work directly with customers and stakeholders whose information may have been compromised to keep them supported and help them manage any risks,” it said.

The company did not provide details on the data and how many customers were affected.

The identity of the hackers and their motives are not yet known.

Singtel said it is contacting affected customers “at the earliest opportunity once we identify which files relevant to them were illegally accessed”.

The FTA file-sharing system is provided by cloud-sharing company Accellion, which informed its customers, including Singtel, of the hack on Dec 23 last year.

Describing FTA as a 20-year-old product near the end of its functionality, Accellion said it suffered a “sophisticated cyberattack” which included exploiting a previously unknown vulnerability. The US firm said last month that fewer than 50 customers were affected.

Singtel said it applied an FTA patch from Accellion on Dec 24 and another one on Dec 27. On Jan 23, Accellion said the Dec 27 patch was ineffective against a new vulnerability, and Singtel took the product offline.

Accellion put out another patch on Jan 30 but Singtel said it received an “anomaly alert” when applying it. The vendor said Singtel’s system could have been breached and the telco confirmed this occurred on Jan 20. “Given the complexity of the investigations, it was only confirmed on Feb 9 that files were taken,” Singtel added.

The telco said the breach was an isolated incident involving the third-party system, and its core operations remained “unaffected and sound”. The FTA system is used to share information internally within Singtel and externally to other stakeholders.

The telco has suspended use of FTA and is investigating with cybersecurity experts and the authorities, including the Cyber Security Agency of Singapore (CSA).

CSA’s Singapore Computer Emergency Response Team advised users to disconnect the FTA system to perform a thorough check. They should also regularly check for updates, apply patches quickly and monitor their networks for unusual activities, which may suggest data is being stolen from the FTA.

CSA said it has not received reports from other Singapore organisations on the FTA incident.

The Personal Data Protection Commission said it is investigating the incident.

Accellion told The Straits Times that it could not comment on specific customers “for their protection”. But it was “conducting a full assessment” of the FTA hack with “an industry-leading cybersecurity forensics firm”.

The company previously said it has been encouraging all FTA customers to migrate to its latest secure file-sharing kiteworks platform and has fast tracked plans to end FTA following the cyberattacks.

It remains unclear why Singtel was still using FTA. But Accellion told IT security news site BankInfoSecurity earlier that customers might be reluctant to switch because it meant moving data, which would entail changes to procedures and having to train workers on the new system.

IT security experts said Singtel’s hack is part of a trend of crooks targeting vendors and suppliers of major organisations.

“Companies like Singtel are like fortresses... and very hard to penetrate. However, attackers always go after the weakest link like vendors,” said Mr Shane Chiang, the chief executive of local cybersecurity firm Momentum Z. He said last year’s SolarWinds hacking incident was such a “supply chain attack”.

Mr Chiang advised firms to have a way to vet and monitor their vendors on cybersecurity, and try to ensure company IT systems and physical workplaces are secure even from inside jobs, like verifying if access requests are legitimate.

“There is no perfect solution and no such thing as being unhackable,” he added.

Mr Stas Protassov, co-founder and technology president of Acronis, said that if customer data was compromised, it could be used by cybercrooks to access a person’s bank details, masquerade as the victim to forge identity documents or commit crimes in his name.

Customer data could also be sold on the black market or to carry out a targeted attack on the victim’s company. For now, he added that no FTA data has been dumped on the dark web yet, where, among other things, stolen data is sold.

“If it does contain critical information, the price for that on the dark web could be several millions of dollars,” said Mr Protassov.


Timeline of Singtel hacking

Dec 23: Accellion first informs FTA users about a previously unknown vulnerability.

Dec 24: Singtel installs patch from Accellion to plug the vulnerability.

Dec 27: Singtel installs the last available patch from Accellion; no further patch was provided after that.

Jan 23: Accellion advisory cites a new vulnerability that the Dec 27 patch was not effective against. Singtel immediately takes the system offline.

Jan 30: Singtel attempts to install a new patch to plug the new vulnerability but receives an anomaly alert. The system is kept offline and investigations confirmed a Jan 20 breach.

Feb 9: Singtel establishes that files were taken as a result of the breach. 

Feb 11: Singtel announces the FTA breach.

LISTEN TO THE BIG STORY PODCAST