More than 57,000 StarHub customers' personal data leaked

StarHub's cyber-security team found an illegally uploaded file containing the personal data of its customers on a third-party data dump website.

SINGAPORE - The identity card numbers, mobile numbers and e-mail addresses belonging to 57,191 StarHub customers have been leaked online, six months after a similar leak of Singtel customers' personal data.

In a statement on Friday (Aug 6), StarHub said its cyber-security team discovered the data breach on July 6 when it was performing online surveillance.

The team found an illegally uploaded file containing the personal data of its customers on a third-party data dump website. The affected customers had subscribed to StarHub services before 2007.

Apologising for the leak, Mr Nikhil Eapen, StarHub's chief executive, said: "Data security and customer privacy are serious matters for StarHub. We will be transparent and will keep our customers updated. We will provide support to those affected."

The telco said no credit card or bank account information is at risk. None of its information systems or customer database has been compromised, it added.

There is also no indication so far that any data in the leaked document has been maliciously misused, the telco said.

StarHub is progressively notifying affected customers via e-mail over the next 14 days.

The telco is offering six months of complimentary credit monitoring service through Credit Bureau Singapore to safeguard affected customers' identity and personal information. Customers need to sign up for this service by responding to the e-mail notification.

StarHub said it has taken the following actions since July 6:

- Activated an incident management team to assess and contain the situation;

- Engaged a team of leading digital forensic and cyber-security experts to launch an investigation;

- Attempted to have the document removed from the data dump site; and

- Took immediate and appropriate actions to review existing security measures to protect core infrastructure and systems.

Mr Eapen said StarHub will continue to "take all protection measures" to ensure customer information is safe.

"We are actively reviewing current protection measures and controls in order to implement and accelerate long-term security improvements," he added.

In February, Singtel had revealed that the personal data of 129,000 of its customers was extracted by hackers during a breach of a third-party file-sharing system used by the telco.

Information such as names, addresses, phone numbers, identification numbers and dates of birth was taken, in varying combinations, by attackers, who also stole the bank account details of 28 former Singtel employees.

The file-sharing service was provided by cloud-sharing company Accellion, which informed its customers of a vulnerability in its system in December last year.

The Straits Times has learnt that some of the stolen information might have been put up on the Dark Web, on a site belonging to a group of ransomware hackers.

The Personal Data Protection Commission (PDPC) said: “StarHub has notified PDPC. We have reached out to them for more information.”