Hackers possibly stole personal data of 79,400 MyRepublic customers, including copies of NRICs

This is the latest incident in a string of cyber attacks in recent months.
This is the latest incident in a string of cyber attacks in recent months.PHOTO: ST FILE

SINGAPORE - The personal data of nearly 79,400 mobile subscribers of MyRepublic here was potentially accessed by hackers, the mobile operator and Internet service provider said on Friday (Sept 10).

This is the latest incident in a string of cyber attacks in recent months.

The details stolen were identity verification documents related to customer applications for mobile services.

MyRepublic said hackers may have accessed data including scanned copies of both sides of the NRICs belonging to Singaporeans and permanent residents, and other personal data of employment and dependent pass holders.

An NRIC contains information including one's name, date of birth and home address. The NRIC number could be used to access official sites.

As for foreigners who are MyRepublic subscribers, hackers could have taken documents such as scanned copies of utility bills that confirm their residential addresses.

Customers who ported an existing mobile service had their names and mobile numbers accessed, said the Internet service provider.

However, it added that there is currently no indication that other personal data, such as account or payment information, was affected.

MyRepublic systems were not compromised and there was no operational impact on MyRepublic's services, the company added.

As scans of identity documents and mobile numbers might have been stolen, affected customers could be hit by more mobile spam messages or phishing attempts in the coming weeks, said Dr Stas Protassov, technology president of cyber-security firm Acronis.

Cyber crooks could also try to hijack their identities.

“I would expect some impersonation attacks and identity thefts that could lead to a victim’s accounts for services being taken over,” said Dr Protassov.

He added that some crooks might even create new accounts in the victim’s name to conduct fraudulent activities.

“No stolen data goes to waste these days,” he said. “If the immediate threat actors can’t profit from your data, they will sell it to someone who can.” 

On Aug 29, MyRepublic  discovered the unauthorised data access on a third-party data storage platform used to store the personal data of mobile customers.

Access to the data storage facility has since been secured, said the mobile operator.

Its cyber-incident response team has also been activated, including a team of external expert advisers such as KPMG, to work closely with MyRepublic's internal information technology and network teams to resolve the incident.

MyRepublic has notified the Infocomm Media Development Authority and the Personal Data Protection Commission of the issue.

The commission said it is aware of the incident and has contacted MyRepublic for more information. 

Apologising for the inconvenience caused by the incident, MyRepublic chief executive Malcolm Rodrigues said in a statement that the company is contacting customers and "will continue to support our affected customers every step of the way to help them navigate this issue".

"We are also reviewing all our systems and processes, both internal and external, to ensure an incident like this does not occur again," he added.

While there is no evidence that any personal data has been misused for now, MyRepublic said it will offer all affected customers a complimentary credit monitoring service through Credit Bureau Singapore.

Under the service, the bureau will monitor customers' credit reports and alert them of any suspicious activity.

The maximum fine for a data breach is $1 million now.

But firms can soon be fined more - up to 10 per cent of their annual turnover in Singapore, or $1 million, whichever is higher.

The higher fine is slated to take effect at least 12 months from Feb 1 this year.

The MyRepublic attack comes after other mobile operators here were impacted by data breaches.

Last month, StarHub said that the identity card numbers, mobile numbers and e-mail addresses belonging to nearly 57,200 customers had been leaked online.

In February, Singtel revealed that the personal data of 129,000 of its customers was extracted by hackers during a breach of Accellion's file-sharing service, which is used by the telco.

There were also at least three reported ransomware attacks last month. One affected the personal data and clinical information of nearly 73,500 patients of a private eye clinic.

The information included names, addresses, identity card numbers, contact details and clinical information such as patients' clinical notes and eye scans, said Eye & Retina Surgeons on Aug 25.

On Aug 16, insurer Tokio Marine Insurance Singapore said it was hit by a ransomware attack.

It said at the time that there was no indication of a breach of customer information and confidential information of the Tokio Marine Group.

On Aug 19, The Business Times reported that Singapore-based tech company Pine Labs fell victim to ransomware too.

The firm is a Temasek-backed payments platform.

Hackers were said to have stolen confidential documents between Pine Labs and several Indian banks, and held the information hostage.

Dr Protassov said the recent increase in data breaches could be due partly to increased use of digital services amid the pandemic, resulting in more data being generated and badly configured databases.

There are also more hackers now with more tools at their disposal, and at the same time more instruments to detect cyber attacks which lead to a higher number of cases being reported.

“Often times, attackers repeat what worked on one victim against other targets,” said Dr Protassov. 

“They develop a playbook of successful attacks and apply it at a larger scale whenever possible.”