PHOTO: Wilson Wong for Techgoondu.
The latest high-profile victim of a data leak in Singapore, StarHub seemed to have its bases covered when it revealed the unfortunate incident last Friday, just before a National Day long weekend.
The exposure of IC numbers, mobile numbers and e-mail addresses of more than 57,000 customers was detected online, as part of its security team’s surveillance efforts.
No credit card or bank account information is at risk and none of its information systems or customer database has been compromised, it said.
The telecom operator is also doing the right thing by offering credit monitoring service for free for six months through the Credit Bureau Singapore, so if you are notified by StarHub, you can check if your credit has been affected.
What is missing, perhaps, is the “how” of the story. While it is commendable that StarHub has been clear about what was exposed and taken proactive action, the worrying part is how the data was leaked.
If it is sure that none of its systems were compromised, how has the data been exfiltrated and posted online?
To be fair, StarHub has promised to safeguard customer information, by engaging a team of digital forensic and security experts and reviewing security measures, for example.
That said, finding the cause of a data leak quickly is important so that the telco knows where to plug the loophole and prevent more data from being stolen.
It can and should carefully monitor suspicious outbound data traffic and analyse patterns for data exfiltration but ultimately, it has to spend the effort to find and prevent a further leak from the same vulnerability.
A data leak could be due to a variety of factors. An attack from the outside is one common reason, but less usual incidents have involved insider attacks, for example.
StarHub should share its findings with its customers transparently, as its head honcho Nikhil Eapen promised last week. This is critical to winning back trust.
The timing and urgency that the telco shows in this endeavour will also help customers determine if it is a responsible, trustworthy company to do business with.
When rival Singtel got hit by a supply chain cyberattack in February, it took just two days from the time a data leak was established to going public with the news.
StarHub found its customer data posted online on July 6 but took a month to reveal this, preferring to bring in the experts and looking to remove the data from a data dump site.
Every incident is different but you wonder if StarHub could have announced the incident earlier and provided the remedial action, such as the credit monitoring service, afterwards.
It does look better prepared with its current response but then it’s spent a month to work on fixing the leak before announcing it. StarHub, a critical infrastructure provider, might wish to consider putting the information out earlier.
What damage could IC numbers, e-mail addresses or phone numbers cause, you might ask.
Well, think of hackers trying to get into your e-mail by trying out different passwords – once in, they can get control of your other linked accounts, like Amazon, Netflix or Facebook.
Or your phone numbers, proven to be legitimate ones now, might be spammed with calls and messages.
So, it matters that efforts to mitigate a damaging data breach are timely, transparent and useful to victims who are affected by it.
If you’re a StarHub customer who’s affected, do get on the credit monitoring service. Look out for attempts to log in to your e-mail accounts and be vigilant of any suspicious activities online.
