When you find that you’ve been hacked and your customers’ sensitive information has been leaked, it’s hard to come out smelling like roses, as the Singtel hacking case this month shows.
The Singapore-based telecom operator yesterday disclosed that 129,000 customers had their NRIC numbers and some combination of their names, dates of birth, mobile numbers and addresses stolen in a case that first came to light last week.
In addition, the bank account details of 28 former Singtel employees and the credit card details of 45 staff of a corporate customer on Singtel’s mobile service were also stolen, along with “some information” from 23 enterprises.
With the exception of the vague “some information” part, this is a fairly transparent account of the damage done by the cyberattack, which was carried out on the supplier of a file sharing service that Singtel offered.
This 20-year-old offering, made by Accellion, was due to reach its end of life by end-April, but apparently it still held data that can now be sold and traded by cyber criminals.
Looking through the statement that Singtel put out yesterday, it is good to see that Singtel did not simply blame the episode on its supplier, which had itself been the victim of a sophisticated attack earlier.
Instead, Singtel head honcho Yuen Kuan Moon apologised “unreservedly” for the data theft that had affected its customers.
Whether this will head off any legal suits that the affected companies may later file against Singtel or Accellion is a question to be answered in time.
What is clear is that this Singtel hacking case holds lessons for the many businesses now struggling to cope with emerging cyber threats and the potential fallout from a data breach.
First, the transparency. By quickly investigating the data breach and reporting the extent of the damage, Singtel is not just complying with legal requirements for critical infrastructure providers but also helping customers assess their risk of exposure.
Second, owning up. This was a supply chain attack, which means the attackers directly compromised a Singtel supplier rather than Singtel itself. Such attacks are increasingly common and hard to ward off, but they still end up affecting large numbers of end customers.
Ultimately, of course, the buck stops with Singtel, since it has to answer to its customers. It is worth noting that it took two days, from February 9, when it established that files had been taken as a result of the breach, to go public with the news.
Compare this with how Singapore’s Ministry of Health responded to the theft of HIV patients’ data just two years ago. It took more than two years after it found out about the breach to reveal the incident to the public.
There are other examples, both good and bad, of responses to a data breach. In October last year, after Lazada had the names, phone numbers and partial credit card numbers of some 1.1 million accounts stolen, the e-commerce provider came out to say the data was “out of date” by 18 months.
That’s a pretty strange assertion to make. Do you change your name, phone number or credit card number every 18 months? If not, then clearly, the data stolen could still be relevant and customers should not be made to think otherwise.
To its credit, Lazada did explain to users in a clear FAQ how to check if their accounts were affected and what to do afterwards. That should be the minimum today.
Indeed, a clear explanation is what Singtel has put out as well on its website. It also said it would contact affected customers to assist them in managing potential risks.
It’s true that a cyberattack can hit anyone, even the best-defended companies and government agencies, the United States’ National Security Agency among them.
However, how you mitigate the fallout matters. How you assist your affected customers and users will define how much trust they still place in you after the incident.