Singtel has revealed that 129,000 customers were impacted by a recently disclosed breach, as well as a handful of employees, partners and corporate customers.
The APAC telco giant first notified last week that it was affected by a malicious campaign which appears to have targeted multiple customers of a legacy third-party file-sharing system.
Yesterday it confirmed that over 100,000 customers had personal information compromised, including Singaporean ID cards (NRIC), names, dates of birth, mobile numbers and addresses.
Also exposed in the breach were the bank account details of 28 former Singtel employees, the credit card details of 45 employees of a corporate customer and unspecified information on 23 suppliers, partners and corporate customers.
The firm’s CEO, Yuen Kuan Moon, said it had already begun notifying those affected.
“Given the complexity and sensitivity of our investigations, we are being as transparent as possible and providing information that is accurate to the best of our knowledge,” he added. “I want to emphasize that our core operations and functions remain unaffected and sound and this incident involves a standalone system provided by a third-party vendor.”
Other organizations said to have been impacted by exposure to the same product, Accellion’s FTA platform, include the New Zealand central bank and US legal giant Jones Day, although the latter denies it was compromised.
Although attackers appear to have compromised the New Zealand bank in early January via a vulnerability patched in late December, the same isn’t true of Singtel.
It claimed that the threat actors exploited a zero-day vulnerability which it only found out about when Accellion informed the telco on January 23.
“Singtel immediately took the system offline. On January 30, Singtel’s attempt to patch the new vulnerability in the FTA system triggered an anomaly alert. Accellion informed thereafter that the system could have been breached,” it explained.
“Singtel’s investigations later confirmed this and identified January 20 as the date the breach occurred. The FTA system has been kept offline since January 23. On February 9, Singtel established that files were taken as a result of the breach and informed the public two days later on February 11.”