The Accellion hack may have been overshadowed by the disruption the SolarWinds hack caused, but it is by no means lagging in reach. Critical organizations in the U.S., Australia, and New Zealand have already reported being indirectly affected by the Accellion hack, and now joining this list is Singapore telco giant Singtel. On February 11, the company issued a statement informing all its customers of a security incident involving a third-party product, FTA, from Accellion. At the time, the investigation was ongoing, and the extent of the attack was unknown. In its latest statement, the telco giant has confirmed that the data of 129,000 of its customers has indeed been breached.
Timeline of the Singtel Data Breach
Accellion, which first found out about the zero-day vulnerability in mid-December (tentatively December 13, 2020), initiated a patch almost immediately and started rolling it out to all its customers using the legacy FTA file transfer system. However, Singtel was first contacted about a patch only on December 23, 2020.
Following the trail, we have reconstructed the timeline as follows:
- December 23, 2020: Accellion first informed Singtel of the vulnerability.
- December 24, 2020: Singtel was provided the first patch, which its engineers applied immediately.
- December 27, 2020: Singtel applied the second patch.
- January 23, 2021: Accellion issued another advisory citing the discovery of a new vulnerability against which the December 27 patch was ineffective. Singtel took the FTA system offline immediately.
- January 30, 2021: Accellion provided another patch to fix the second vulnerability, but an anomaly alert was triggered when Singtel engineers tried to apply it. After checking this alert and running an internal investigation, Accellion informed Singtel that its system could have been breached on January 20.
- February 9, 2021: The joint investigation found that a certain amount of data was indeed exfiltrated from Singtel’s system.
Who was Affected?
As Singtel is the largest telecom company in Singapore, not just Singaporeans but also many foreign nationals who frequent Singapore for work were unsure whether they were affected by this data breach. Based on the investigations and analysis so far, Singtel issued a statement saying that the following data was exfiltrated:
- Personally Identifiable Information (PII) of approximately 129,000 customers containing National Registration Identity Card (NRIC) and certain combinations of the following information: name, date of birth, mobile number, address.
- Bank account details of 28 former Singtel employees.
- Credit card details of 45 corporate customer staff who have Singtel mobile lines.
- Certain discrete information of 23 enterprises, which include suppliers, partners, and corporate customers.
Singtel is still carrying out a detailed forensic and criminal investigation with the help of cybersecurity experts, the Cyber Security Agency of Singapore (CSA), and the Police. As due diligence, Singtel will be personally informing all affected customers and providing them with a free identity monitoring service to help them counter suspicious activity on the open internet and darknet that uses their leaked identities. Additionally, Singtel has already suspended operations of the legacy FTA system, whose end of life was announced by Accellion effective from April 30, 2021.
Singtel Fined for Data Breach Previously
Incidentally, while the investigation was going on, the Personal Data Protection Commission (PDPC) of Singapore found Singtel accountable for violating the Personal Data Protection Act in a 2018 data breach involving its “My Singtel” mobile app. The commission has imposed a S$9,000 (US$6,479) fine on the company.