When MyRepublic revealed yesterday that the personal data of nearly 80,000 mobile subscribers was potentially stolen, it chose to say that the “unauthorised data access incident” had been “contained”.
However cleverly or carefully that statement was worded, the implications for those affected by this latest data breach are clear – they now risk having their identities stolen to commit fraud.
What hackers may have in their hands here are scanned copies of a Singaporean’s or permanent resident’s NRIC, which contains details like name, date of birth and address. For foreigners, this could be a utility bill meant to verify one’s address.
A hacker who gets hold of this suddenly has a good amount of information to build towards a potential scam.
You should hope that your bank or credit card company has good enough checks to prevent a scammer from impersonating you in a call, for example.
An address is also a nice detail to have to reverse-search for any public activities you have performed with it. Registered a home business or set up an Internet website with it? That’s more data to be harvested.
So, while MyRepublic may say that the incident has been contained, what it means is that it will only affect 79,388 mobile subscribers. For these unfortunate victims, the fallout could be just beginning.
The fact that the incident took place on a third-party storage platform should do little to absolve MyRepublic of its responsibilities here. Keeping customer data safe is its job.
That said, users can also reduce risk by using SingPass to verify their identities when signing up for services. This means no more snapping photos of one’s NRIC and uploading them onto a website.
Perhaps what makes this latest incident more worrying is how frequently the recent attacks against Singapore telecom operators and Internet service providers have occurred this year.
Just last month, StarHub had the NRIC numbers, phone numbers and e-mail addresses of more than 57,000 customers stolen.
And in February, Singtel said 129,000 customers had their NRIC numbers and some combination of their names, dates of birth, mobile numbers and addresses stolen.
Plus, the bank account details of 28 former Singtel employees, along with the credit card details of 45 staff of a corporate customer with Singtel’s mobile service, were also stolen.
Short of the penalties from the government regulator that are likely to follow, what can be done to shore up the cyber defences of these critical infrastructure providers?
It is impossible to keep out all attacks. But is it time to subject these important players in Singapore’s digital ecosystem to more stringent measures, such as regular independent audits, to ensure that they mitigate their technology risks?
How do their cybersecurity measures compare to widely accepted practices in similar industries in other countries? Can they band together as an industry to share insights to prevent similar incidents?
Ironically, MyRepublic had launched a cybersecurity service for small and medium enterprises just a month ago. What questions, you’d imagine, will these customers have for MyRepublic now?
To be sure, it’s a good thing that MyRepublic, as did StarHub earlier, is offering a free credit monitoring service for those affected. It is a signal that the industry recognises the impact of these incidents.
However, these recent incidents should worry not just users but also government regulators enough to mandate stronger protections for personal data.
If the setup at any critical infrastructure provider is not up to scratch, the result should not just be a fine, but a clearly validated commitment to audit its systems properly and beef up cybersecurity.
Again, it’s not possible to keep out hackers all the time but it is possible for these big players to learn from past lessons and reduce the risks of yet another data breach.