We finally know some of the details regarding the latest Singtel hack and it’s not pretty.
Having completed its initial investigations regarding the breach, the company’s now finally able to ascertain which of the files on its third party Accellion program were accessed illegally.
Tons of customer data has been compromised, including personal information of about 129,000 Singtel customers. These include sensitive details like NRIC numbers, names, date of birth, mobile numbers and addresses.
On top of that, the company’s also confirmed that the bank account details of 28 former employers were leaked, as well as the credit card info of 45 staff members of a corporate customer.
If you’re one of the affected, expect Singtel to reach out to you soon on actions you can undertake. Also to expect; corporate bullshit on how sorry they are.
As for the timeline of events, the breach was suspected to have occurred almost a month beforehand. Evidently, it was through a previously unknown exploit present on the Accellion FTA program.
Despite claims by its makers to the contrary, it seems like the program isn’t as secure as it’s supposed to be.
Singtel claims it has patched the version they were using multiple times over the last few months, with the last vulnerability patch done on Dec 27 2020.
Then, on Jan 23, they got another advisory warning from Accellion, mentioning that the patches they’ve been issuing the past few months were basically useless at addressing a new vulnerability.
To their credit (according to Singtel), Singtel took the system completely offline that very same day. It wasn’t until Jan 30 (when they were patching the system again) that the data theft was discovered.
Strangely, the company claimed that it was only on February 9 that they finally managed to verify which files were copied. Even then, it still took 2 more day before they finally fessed up to the public.
We don’t have the full details of the breach yet but what’s known is incredibly shameful.
Shameful due to the lack of security that led to the breach (this one isn’t Singtel’s fault) and shameful that it took so damn long for Singtel to finally man up and let its customers know what went down (this one totally is).
Why did the company take so long to announce the theft? They could’ve made an initial announcement on the day they found out (Jan 30) or even on the date they found out which files were stolen (February 9).
We only find out the details now on 17th February?!
Why the wait if it wasn’t to cover their asses?
As a current Singtel customer, I’m incredibly pissed off about this.
We’ll have more on the Singtel hack once we get more information.