Almost 79,400 MyRepublic mobile subscribers have been caught up in a data breach that exposed a range of personal information, the company has confirmed.
The incident raises questions about the security of critical data housed in 3rd-party infrastructure, researchers say.
The Singapore-based ISP & mobile provider stated that an “unauthorised data access incident” took place on Aug. 29. The intrusion was aimed at a 3rd-party data storage platform used to store the personal data of MyRepublic’s mobile customers, the firm noted in a Fri. website notice.
Proof of Identification
The affected data includes various forms of proof of identification, the carrier acknowledged:
- Singapore citizens, permanent residents & employment & dependent pass holders: Scanned copies of both sides of their National Registration Identity Cards (NRICs), which are compulsory identity documents issued to citizens & permanent residents of Singapore. NRICs include names, pictures, dates of birth, addresses, countries of origin, race & gender;
- Foreign residents: Proof of residential address documents, e.g. scanned copies of a utility bill; which would also include;
- For customers porting an existing mobile service: Names & mobile numbers.
Account numbers & payment information weren’t affected, MyRepublic explained, & none of the company’s internal infrastructure was compromised.
Setu Kulkarni, VP of Strategy at NTT Application Security, commented that he had some questions as to how the data was being protected.
“Basic confidentiality, integrity & availability (CIA) principles continue to be ignored resulting in ‘data incidents’ like this,” Kulkarni outlined.
“While this incident is reported as unauthorised data access, which is serious enough, it likely points to an even more serious systemic issue with the way security for this critical data at rest is being implemented.”
This consideration comes into even greater focus when it comes to securing data housed in 3rd-party infrastructure.
“Although there is an ongoing investigation into the incident, electronic breaches such as this highlight an ominous trend,” Simon Aldama, Principal Security Advisor at Netenrich, warned.
“51% of businesses have endured data breaches caused by threat actors subverting a vendor, partner or supplier’s infrastructure, the most notable being Accellion, Audi & Volkswagen. The largest reason for this trend is that organisations focus more on post-breach incident, continuity & crisis management rather than pre-breach risk workstreams like asset, vulnerability & threat management.”
Organisations utilising 3rd parties for sensitive data storage, processing & transfer require accountability through contractual agreements in their business-to-business relationships, he added.
Identity Card Information
“Managing vendor & partner risk requires attestations proving they’ve employed risk management practices & proper implementation of technology to protect personally identifiable information such as National Registration Identity Card information,” he noted.
“In the end, financial losses, litigation, & compliance penalties are far greater in cost than the strategic investments required to prevent the incident occurring in the 1st place.”
Data Now Secured
The incident has been contained, MyRepublic observed, because “the unauthorised access to the data storage facility has since been secured.”
The firm added that it contacted Singapore’s Infocomm Media Development Authority & Personal Data Protection Commission to help get to the bottom of the attack, while tapping KPMG in Singapore to “work closely with MyRepublic’s internal IT & Network teams to resolve the incident.”
“The privacy & security of our customers are extremely important to us at MyRepublic,” Malcolm Rodrigues, CEO at MyRepublic, stated in the website statement. “Like you, we are disappointed with what has happened, & I would like to personally apologise for any inconvenience caused.”
He added, “My team & I have worked closely with the relevant authorities & expert advisors to secure & contain the incident, & we will continue to support our affected customers every step of the way to help them navigate this issue.”
MyRepublic is offering a complimentary credit-monitoring service for affected customers, through Credit Bureau Singapore (CBS), & outlined that it’s reviewing its systems & processes, both internal & external, to enhance its cyber-security efforts where needed.
Critical for the Provider
Howard Ting, CEO at Cyberhaven, noted that this last point is critical for the provider moving forward.
“This breach is the latest in a string of examples that highlights how most services today involve a supply chain of vendors that can have access to our data,” Ting explained.
“This is an important issue for individuals as well as enterprises. Too often, organisations have no visibility behind the curtain into how their service providers handle and protect their data. This demonstrates the need for more transparency & auditability so that customers can know the risk to their data.”