Unknown personal information was exposed for about 79,000 My Republic mobile members, the company confirmed.
An “unauthorized data access issue” occurred on August 29, according to the Singapore-based ISP and mobile operator. A third-party data storage platform utilized by My Republic to store the personal data of its mobile clients was targeted by the hack, the company said.
The exposed data includes several forms of identity-verification documents, according to the carrier:
- For citizens of Singapore, permanent residents, and holders of employment and dependent passes: both sides of their National Registration Identity Cards (NRICs), which are mandatory identity cards issued to Singaporeans and permanent residents of the country. In addition to names and photographs, NRICs also show dates of birth, home addresses, countries of origin, race, and gender.
- For inhabitants of other countries: proof of residential address documentation, for example scanned utility bills.
- For customers transferring a mobile service: names and cell phone numbers.
There was no compromise of My Republic’s internal infrastructure, account numbers, or payment information, according to My Republic.
According to Threatpost, NTT Application Security’s vice president of strategy, Setu Kulkarni, has a few concerns about the security of the data.
A “data event” like this occurs because of a lack of respect for basic principles of confidentiality and integrity, Kulkarni added. There’s a major systemic problem with the way protection for this essential data is implemented. “This incident is being recorded as unauthorised data access, which is a serious concern.”
Even more so when it comes to protecting data stored on third-party infrastructure.
Simon Aldama, lead security advisor at Netenrich, told Threatpost that “electronic breaches such as this show a worrying trend” notwithstanding the continuing investigation. “Data breaches triggered by threat actors undermining a vendor, partner or supplier’s infrastructure have affected 51 percent of companies, with the most noteworthy being Accellion, Audi and Volkswagen. Why? Organizations are focusing more on post-breach incident, continuity and crisis management than on pre-breach risk workstreams like asset, vulnerability and threat management.”
Business-to-business partnerships need accountability for organizations that rely on third parties for sensitive data storage, processing, and transfer.
There are attestations that vendors and partners are employing appropriate risk management methods and technology to protect personally identifiable information, such as the National Registration Identity Card information, he said. Financial losses, lawsuits and compliance penalties cost significantly more than the strategic expenditures required to prevent the incident from happening in the first place.