1,355 NUS Society members' personal data stolen, possibly put on sale on Dark Web

NUSS said that affected members had their full NRIC numbers stolen. PHOTO: NUSSOCIETY/INSTAGRAM

SINGAPORE - The personal data of 1,355 National University of Singapore Society (NUSS) members has been stolen after the society's website was hacked early last month, NUSS said on Monday (Nov 1).

When asked by The Straits Times, the university graduate club did not say whether the data involved was encrypted. But it said that affected members had their full NRIC numbers stolen.

Asked if the names of members were also stolen, NUSS would only say that "NRIC numbers which match the names of 1,355 members" had been accessed.

Some members also had a combination of other details accessed, the society said in an e-mail to affected people on Monday afternoon.

This included their date of birth, nationality, gender, marital status, e-mail address, work and personal phone numbers, work and home addresses, vehicle registration number, university degree details, and membership number.

Other information potentially stolen included food and beverage orders, restaurant and event registrations, and feedback sent through the NUSS website.

Other NRIC details or images, as well as payment card or bank account information, were not part of the data accessed.

NUSS said it was alerted on Oct 8 that an unknown person on the Dark Web - the underbelly of the Internet where hackers trade and communicate - claimed to be selling the personal data of society members. The data was taken from NUSS' website, which was hosted by a third-party Web hosting provider.

Investigations found that the hacker had carried out a sophisticated attack on the society's website on Oct 6 and 7, and downloaded some data stored on the NUSS Web server. The main database was not compromised.

The club said it has taken parts of its website offline until they are reviewed, and any security issues have been addressed by the Web hosting provider.

NUSS added that it is "actively reviewing its security measures and processes to ensure an incident like this cannot happen again".

The matter has been reported to the Personal Data Protection Commission and the police.

The maximum fine for a data breach is $1 million. But organisations can soon be fined more - up to 10 per cent of their annual turnover in Singapore, or $1 million, whichever is higher. The higher fine is slated to take effect at least 12 months from Feb 1 this year.

Apologising for the unauthorised data access, NUSS told affected members that crooks could misuse the stolen data to impersonate them.

For example, the criminals could try to open a bank account or obtain a credit card in a victim's name, redirect his mail or port his mobile phone number.

NUSS urged members to keep an eye on their financial accounts for suspicious activities such as unauthorised transactions and changes to account details. It also advised members to check with Singapore Post if their mail has been redirected, should they not get their mail, and to check with their telco if their mobile phone number has been ported to another mobile provider, if their phone loses coverage for a long time.

Members should notify sellers or service providers immediately if they receive goods or services they did not order, or get notifications for them.

Affected members should also be wary of people contacting them to request their data or credentials, even if they appear to know other details about them. This is because cyber criminals could try to trick victims into giving up more information, said NUSS.

Crooks could attempt to contact members through e-mail and SMS messages, or through phone calls by posing as representatives from a government authority or business.

"Please also be vigilant of fraudulent e-mails which appear to be from NUSS," warned the society. "Before replying to an e-mail that appears to be from us, check that the reply is addressed to a genuine @nuss.org.sg e-mail address."

Last month, The Straits Times reported that personal details of Fullerton Health customers were stolen by hackers and hawked online, after a vendor of the private healthcare group suffered a breach earlier that month.

The hackers claimed they had managed to steal the data of about 400,000 people, including insurance policy details of Singaporeans.
