Singaporean telco leaked personal data of over 57,000 customers

StarHub's breach announcement came a month after discovery of customer file on dump site


Singapore pay TV, internet and mobile phone provider StarHub is in the process of notifying 57,191 customers via email that they are victims of a cyber attack that leaked national identity card numbers, mobile numbers and email addresses.

An August 11th email notifying a customer of the leak was obtained by The Register and reads:

"During a proactive online surveillance earlier this month, we discovered, on a third-party data dump website, an illegally uploaded file containing certain limited types of personal information related to your StarHub subscription from before 2007."

In the email, StarHub explains that there is no current evidence that information has been misused, and that an incident management team assessed the situation. Investigations by digital forensic and cybersecurity experts are ongoing.

StarHub claims credit card and bank account information was not compromised, but has nonetheless offered all affected customers six months of free credit monitoring, as long as they act by September 5. Emails will continue to go out to leak victims until August 20, 2021.

All affected customers were StarHub service subscribers prior to 2007. Incidentally, anyone in Singapore with a paid local pay-TV subscription before 2007 was a StarHub customer, as up until that year it was the only pay-TV operator in the city-state.

The data breach was discovered on July 6 but was not announced until August 6th. StarHub told The Register via email that the company suspects the stolen data file was found within a day of it being uploaded to the third-party web site.

Singapore's Personal Data Protection Act 2012 (PDPA) sets out the law on data protection in Singapore. It institutes guidelines on how companies secure and store data, and requirements for notifying victims of a breach under their watch. According to one Singapore-based media lawyer The Register spoke to, the PDPA is a serious regulation but is considered less strict than Europe's GDPR.

The PDPA specifically requires organizations to notify the Personal Data Protection Commission (PDPC) within three days of an assessment if the breach affects more than 500 individuals or is likely to result in significant harm. If significant harm is likely to flow from a leak, the victim also must be notified.

Those contravening the PDPA risk a financial penalty of up to 10 per cent of the organization's annual local turnover or SG$1 million (US$736,900) – whichever is higher.

Although the time from discovery of the incident on July 6 to announcement of the leak was one month, and the timeline from incident to completion of notifying all victims on August 20th is more than six weeks, StarHub told The Register that the organization is in compliance with the PDPA.

"StarHub notified our affected customers progressively from 6 August 2021, in accordance with Section 26D of Singapore's Personal Data Protection Act 2012," StarHub corporate communications assistant VP Cassie Fong told The Reg.

Fong added: "As far as we are aware, this is an isolated incident which involved a data file that contains limited types of information belonging to certain individual customers.

"As part of our efforts to rectify the situation, we have investigated and verified the integrity of our network infrastructure. There is no evidence that StarHub's information systems are compromised."

StarHub's advisory for customers details the breach and advises the use of regularly-updated strong passwords that do not include personal information. ®
