SINGAPORE - About 62,000 e-mails from the public, businesses and customers of local security firm Certis, some containing NRIC and credit card numbers, may have been accessed by cyber criminals, the company said on Friday (April 9).
This includes customers of Certis' safe deposit box service. The e-mails all came from a customer service account belonging to the company, customerservice@certisgroup.com
The Personal Data Protection Commission (PDPC) said it is investigating the matter.
The incident is the second reported recent data breach in a week.
On Monday, it was reported that the personal data of about 30,000 people who used the services of the National Trades Union Congress' Employment and Employability Institute (e2i) may have been exposed to hackers.
Earlier, local furniture retailer Vhive said that its server was hacked on March 23. This resulted in customers' personal details being leaked online.
Certis said on Friday it has begun scanning all the e-mails to check for personal data that could have been exposed to crooks - of the ones done so far, some contain information such as NRIC and credit card numbers.
The company said it was alerted to the incident after several people received phishing e-mails from an e-mail account presumably from Certis. The e-mails were sent between March 16 and 17.
While the e-mails could have been accessed by hackers, Certis' customer database, stored elsewhere, was not affected.
"Our IT team immediately conducted an investigation, and we were able to conclude that this is an isolated incident," said Certis in a statement.
"The phishing e-mails did not originate from our customer service e-mail account on the Microsoft Office 365 cloud, and no customer database had been compromised."
Microsoft Office 365 is a suite of subscription-based online productivity tools such as for word processing and e-mails.
However, investigations later found that there was unauthorised access into the Certis e-mail account.
"Our IT team took urgent steps to strengthen our authentication processes and scanned affected computers. No further unauthorised access has been detected," said the company.
The steps include increasing the frequency of changing passwords and putting in place two-factor authentication.
The security firm said investigations also revealed that the phishing e-mails could be part of a wider phishing attack targeting Microsoft Office 365 e-mail accounts.
The company called in external cyber-security experts to investigate and assess the impact on affected individuals.
It is working with cyber-security firms to implement more measures to prevent a similar incident from happening again and will also reinforce cyber-security training for employees.
Certis workers must complete mandatory cyber-security training annually, including a module on how to identify phishing e-mails.
The company made the incident public only now because the complexity of the investigations meant "it has taken time to investigate the nature of the incident and assess the impact on affected individuals", it said.
Certis added that, as a precaution, it is progressively alerting affected individuals who could be at risk.
The firm has also engaged the services of an identity theft monitoring provider to help alert affected people when any potential misuse of their personal data is detected for one year. This is provided to them at no cost.
Certis assured its safe deposit box customers that security systems and checks are in place to prevent any unauthorised access to the boxes. For instance, access to the boxes requires photo ID verification and dual-key access.
As for the customerservice@certisgroup.com e-mail account, Certis said that it is safe to send or receive e-mails from this account following the steps it has taken.
Apologising for the incident, Mr Ronald Poon, Certis' chief executive for Singapore, said: "Our e-mail system will undergo further reviews to mitigate vulnerabilities and enhance the protection of our data, and that of our customers... Our operations remain secure and unaffected."
Dr Stas Protassov, the co-founder and technology president of cyber-security firm Acronis, said affected people should beware of any suspicious e-mails, especially those claiming to be from Certis, due to the higher risks they face of getting personalised malicious e-mails.
"As some credit card details might have been stolen, (people) should also monitor transaction logs carefully in the next few weeks," he added.
On why there has been a recent string of data breaches, Dr Protassov said that as digital transformation moves forward, more data is gathered and spread across more platforms - without proper supervision.
He added companies are getting better at detecting the breaches - but not better at preventing them. Another possible reason why there are more data breaches reported has to do with regulations, he said.
Changes to the Personal Data Protection that kicked in on Feb 1 require a data breach to be notified to the PDPC if it poses a risk of significant harm, or the breach relates to the personal data of 500 or more people, noted law firm Pinsent Masons MPillay.
"Yet, many companies are still not protecting data across their infrastructure as well as they could, an area all companies should aim to improve this year," said Dr Protassov.
On Tuesday, the Cyber Security Agency of Singapore advised individuals to remain vigilant against possible phishing campaigns and to take measures to secure their online accounts, in the wake of recently reported data breaches on Facebook, Vhive and e2i.
"Businesses are advised to adopt appropriate cyber-security measures to secure their infrastructure and data to reduce the risk and impact of a data breach," said CSA in a Facebook post.
Those with queries and need support can contact Certis at ITinvestigation @ certisgroup.com or call the company on 6747-2888.
