MyRepublic, a telecommunications provider in Asia-Pacific with operations across Singapore, New Zealand and Australia, announced it discovered an unauthorized data access incident on August 29, 2021, and has moved to support its customers in mitigating any possible risk.
The unauthorized data access took place on a third-party data storage platform used to store the personal data of MyRepublic’s mobile customers. The data storage facility has since been secured against the unauthorized access, and the incident has been contained.
The company has notified the Infocomm Media Development Authority and the Personal Data Protection Commission of the issue and will continue to cooperate with those authorities. MyRepublic has also activated its cyber incident response team, which includes a team of external expert advisors such as KPMG in Singapore, to work closely with MyRepublic’s internal IT and Network teams to resolve the incident.
Malcolm Rodrigues, CEO, MyRepublic, said, “My team and I have worked closely with the relevant authorities and expert advisors to secure and contain the incident, and we will continue to support our affected customers every step of the way to help them navigate this issue.”
Based on MyRepublic’s investigation, the unauthorized access affects 79,388 mobile subscribers based in Singapore. The affected data storage platform contained identity verification documents related to customer applications for mobile services, including:
- For affected Singapore citizens, permanent residents and employment and dependent pass holders — scanned copies of both sides of NRICs;
- For affected foreigners — proof of residential address documents, e.g., scanned copies of a utility bill; and
- For affected customers porting an existing mobile service — name and mobile number.
There is no indication that other personal data, such as account or payment information, were affected. No MyRepublic systems were compromised, and there was no operational impact on MyRepublic’s services, the company says.
The breach is the latest in a string of examples that highlight how most services today involve a supply chain of vendors that can have access to our data, says Howard Ting, CEO at Cyberhaven. “This is an important issue for individuals as well as enterprises. Too often, organizations have no visibility behind the curtain into how their service providers handle and protect their data. This demonstrates the need for more transparency and auditability so that customers can know the risk to their data.”
Although there is an ongoing investigation into the incident, electronic breaches such as this highlight an ominous trend, says Simon Aldama, CISSP, Principal Security Advisor at Netenrich. Aldama adds, “Fifty-one percent of businesses have endured data breaches caused by threat actors subverting a vendor, partner, or supplier’s infrastructure, the most notable being Accellion, Audi and Volkswagen. The largest reason for this trend is that organizations focus more on post-breach incident, continuity and crisis management than pre-breach risk workstreams like asset, vulnerability, and threat management. Managing vendor and partner risk requires attestations proving they’ve employed risk management practices and proper technology implementation to protect personally identifiable information such as National Registration Identity Card information. Organizations utilizing third parties for sensitive data storage, processing and transfer require accountability through contractual agreements between B2B relationships. In the end, financial losses, litigation and compliance penalties are far greater in cost than the strategic investments required to prevent the incident from occurring in the first place.”
This incident also highlights the importance of vetting third parties who will access your customers’ data, explains Hank Schless, Senior Manager, Security Solutions at Lookout, a San Francisco, Calif.-based endpoint-to-cloud security company. “An extensive security review should no longer be optional when you’re looking to onboard a solution that could have access to this sensitive data. In addition, you should constantly review the security posture of that service to ensure they’re staying up to date. You should also look for indicators of how seriously the third party takes security.”
There are certain tell-tale signs, Schless says, such as having modern data loss prevention (DLP) capabilities for cloud-based and on-premise resources that can help you gauge confidence in the vendor’s ability to protect your data.
“In the case of a service that stores highly sensitive personal identifiable information (PII), you also want to understand what type of DLP tools they have in place. Any organization that has on-premise or in the cloud should have the ability to implement policies that encrypt sensitive data if it’s accessed or downloaded. Implementing DLP and dynamic data access policies across on-prem resources with zero trust network access (ZTNA) and cloud-based resources with cloud access security broker (CASB) should be required of any organization that allows access to sensitive data of its customers or employees,” Schless adds.
“As part of your security reviews, check to see whether CASB and ZTNA solutions are in place. Not only does this help ensure the protection of your data, but it also shows that the third party takes security seriously and has a modern take on how to secure interactions between users, devices, networks and sensitive data.”
To all affected customers, MyRepublic will provide an offer to take up a complimentary credit monitoring service through Credit Bureau Singapore (CBS). Under this service, CBS will monitor their credit report and alert them of any suspicious activity.