AXA flags up months-old Singapore cyberattack as 72-hour reporting requirement mooted

Singapore at Night

By Phoebe Seers. 11 September 2017.

Perhaps feeling pressure as Singapore eyes a plan for timely mandatory data breach notifications, insurance firm AXA last week told customers that hackers had stolen personal information relating to 5,400 accounts in an incident that appears to have taken place months ago.

Although there is currently no obligation for AXA to notify affected customers of a breach in Singapore under the country's data protection regime, it has been encouraged to do so by the Personal Data Protection Commission and an ongoing consultation seeking feedback on proposals to introduce a mandatory 72-hour mandatory data breach notification regime.

Monetary Authority of Singapore rules require that insurers, among other financial institutions, report any hacking that materially impacts their services to customers or has a widespread impact on operations within an hour of its discovery. 

Referring to the data breach, AXA's data protection officer Eric Lelyon said in an email to customers on Sept. 7: "In the unlikely event you feel that you may have inadvertently disclosed personal data as a result of a phishing attempt in the last few months, it is possible this could be connected to this hacking incident, and if so, we urge you to file a police report," 

The data exposed comprised customers' e-mail addresses, mobile phone numbers, insurance policy numbers and dates of birth. Although AXA says the breach occurred in the past few months, it remains unclear when the insurer discovered it. 

"On its own, the compromised data will not result in identity theft, but we nonetheless see the importance of alerting our impacted customers to be vigilant against potential phishing and risk of identity theft," Jean Drouffe, AXA Singapore's chief executive said in a statement.

The PDPC is investigating the breach. Companies that fail to protect consumers' personal data can be fined up to S$1 million (US$744,000) under the Personal Data Protection Act. 

"Affected individuals should remain vigilant for suspicious emails that may be phishing attempts," a PDPC spokesperson said. "PDPC expects all organisations to adopt sound security measures to safeguard personal data and will take firm action against organisations should there be any breach of the PDPA." 

A consultation put out by the PDPC at the end of July is seeking feedback on a proposal to require notification where a breach poses any risk of harm to the affected individuals, or where the scale of the breach is significant — defined as involving 500 people or more — even where there is no risk of harm. If a law was enacted in that form, the AXA breach would likely satisfy both criteria. 

Where the proposed notifying criteria kick in, the PDPC wants organizations to report to it no later than 72 hours after discovering a breach, except when the organization is required to report to a sector regulator such as the Monetary Authority of Singapore, in which case it wants the reporting to take place concurrently. Affected individuals should be told as soon as practicable unless an exception applies. 

Should the PDPC decide to proceed with the implementation of the mandatory breach notification requirement, it may take some time for the new rules to take effect, given that legislative amendments are likely to be required, Charmian Aw, a director at Singapore law firm Drew & Napier, told MLex. 

The absence of a mandatory data breach notification regime leaves Singapore short of international best practice, but it is not unusual. Although the EU, Australia, Canada and most of the states in the US have reporting requirements, Hong Kong, Japan and India do not. 

The PDPC said that the current, voluntary approach to notification has resulted in uneven notification practices across organizations. 

"In some situations, organizations deciding not to notify affected individuals of a data breach may leave them vulnerable to the risk of harm when they remain unaware that their personal data has been compromised and do not take steps to protect themselves," the regulator said in its consultation paper. 

The Monetary Authority of Singapore said in a statement that it had asked AXA to begin a thorough review of its IT security and to remediate control gaps. "We understand that AXA has taken steps to address the vulnerability in its health portal," it said. "MAS takes a serious view of this incident and is investigating the matter."

It is not uncommon for Singapore regulators to cooperate and share information with other regulatory authorities and law enforcement agencies, Aw said. 

"As a financial services regulator, the MAS's focus would typically be on the protection of customer information and the prevention of money laundering, fraud and other types of financial crime arising from data breaches, whereas the PDPC would generally be more concerned about the compromise of personal data and other associated issues, such as identity theft and leakage of sensitive personal information," she said. 

Two weeks before the hack, firms in Singapore's finance sector underwent a simulated cyberattack to test the industry's resilience and response to hackers. 

Insurers were among the 139 financial institutions targeted, which also included banks, finance companies, securities and brokerage firms, industry associations, the Singapore Exchange and the Monetary Authority of Singapore. 

Last October, printer Toh-Shi Printing Singapore, hired by insurer Aviva, was fined S$25,000 by the PDPC for data breaches involving the insurer's policyholders. Nearly 7,800 policyholders received erroneous statements that disclosed personal data on 8,022 individuals, including the policyholders' dependents.

Privacy report