August 9, 2021
The Singapore telco detected a data dump on a third-party site containing personal information of more than 57,000 of its customers.
The telco said in an announcement that it found a document uploaded to a third-part data dump site during an online surveillance in July. The file contained personal information of 57,191 of its customers, including their identity card numbers, mobile numbers, and email addresses. “No credit card or bank account information is at risk”, the company stressed.
StarHub said that the data is at least 14 years old, as the information was of customers who subscribed to StarHub before 2007, and it is not aware of any malicious misuse of the data so far. It did not say on which dump site the document was found, nor did it estimate how long it has been staying on it.
An earlier research by IBM found that on average it would take companies 206 days to discover a breach and another 73 to fix it. If that estimate from two years ago is still something worth benchmarking against, then StarHub’s reaction is fast. During the month since the discovery, the company has also activated an incident management team to assess and contain the situation, launched a digital forensic investigation, and reviewed its security measures.
Another action StarHub took after discovering the file was to “attempt to have the document removed from the data dump site” but it did not explicitly say if the attempt had been successful.
“Data security and customer privacy are serious matters for StarHub, and I apologise for the concern this incident may be causing our affected customers,” StarHub’s CEO Nikhil Eapen said in the press release. “We will be transparent and will keep our customers updated. We will provide support to those affected.”
The support Eapen referred to came in the shape of a six-month complimentary credit monitoring service through Credit Bureau Singapore, as a means to “safeguard their identity and personal information”. StarHub is reaching out to those customers whose data has been compromised via email and the communication to all affected customers is expected to be completed within the next two weeks. The recipients need to accept and sign up for the service.
StarHub is only the latest telco to suffer customer data breach. Virgin Media in the UK left a marketing database of nearly one million users “unsecured” last year, while a couple of years earlier Verizon apologised for failing to secure six million customer accounts.
StarHub emphasised that “no StarHub information systems or customer database are compromised”, which is probably the least bad part of the whole incident. However this would still make its customers, or customers of any telcos, nervous. As Verizon said in its 2021 Data Breach Investigations Report, 85% of all breaches involved human errors.
This could also be a subtle dig at Singtel, StarHub’s competitor, which suffered a data breach early this year when personal data including names, addresses, phone numbers, identification numbers, and dates of birth of 129,000 of its customers were hacked.
With telcos increasingly migrating their functions to public clouds, the risk of losing control over their data is also growing, if nefarious players find vulnerabilities in the cloud infrastructure. A recent report published by American cybersecurity company Cyberreason claimed that five Southeast Asian telcos have been hacked since 2017, presumably by state-backed attacks coming out China.
About the Author(s)
You May Also Like