The Biggest Data Breaches in Southeast Asia

For the first time ever, cyber incidents – including data breaches – rank as the most serious business risk globally, according to the Allianz Risk Barometer 2020. Just seven years ago, the same threat held a distant 15th position in the top menaces list for companies around the world.

Although not all the firms from ASEAN countries included in the report (Indonesia, Malaysia, Philippines and Singapore) consider cyber incidents as their top business risk priority, the region nonetheless mirrors a global trend that has seen a growing awareness of cyber threats in recent years.

Incidents are becoming more damaging, increasingly targeting large companies with sophisticated attacks and hefty extortion demands. Five years ago, a typical ransomware demand would have been in the tens of thousands of dollars. Now they can be in the millions, according to Marek Stanislawski, deputy global head of cyber at Allianz Global Corporate and Specialty (AGCS).

The average organisational cost of a data breach in ASEAN is S$3.6 million (US$2.62 million) and the average number of records per breach is 22,500. Although these figures are lower than the global averages (US$3.92 million and 25,575 records), they are still reason for concern among CIOs and CISOs in the region, as the Allianz Risk Barometer demonstrates. Even more so since 96% of Singaporean businesses reported suffering a data breach between September 2018 and September 2019.

With the aim of encouraging (rather than scaring!) CIOs to step up their data security, below we have compiled a list of the most serious data breach incidents in the ASEAN region during the past years. We have also included expert advice on what to do to prevent them.

Singapore, December 2019: government vendors under attack

2019 ended with sombre news for Singapore’s cybersecurity. Personal data pertaining to 2,400 Ministry of Defence (Mindef) and Singapore Armed Forces (SAF) personnel was put at risk and could have been leaked.

ST Logistics, a third-party vendor that provides logistics and equipping services to the government organisations, said that the potential breach was the result of a recent series of email phishing activities involving malware sent to its employees’ email accounts. The affected system held full names and NRIC numbers and a combination of contact numbers, email addresses or residential addresses of Mindef and SAF staff.

In a different and unrelated attack, a server holding the data of 120,000 individuals, including 98,000 SAF servicepeople, was found to have been infected by ransomware in early December. On this occasion, the affected server belonged to another vendor that provides healthcare training to SAF.

Data stored in the affected server included personal information of students and applicants, such as full names, NRIC numbers, dates of birth, home addresses and e-mail addresses.

The investigation of the incident concluded that the breach was a random and opportunistic attack on the server and there was no evidence that the data was copied or exported.

Thailand and Vietnam, March 2019: Toyota suffers a chain of data breaches

In March 2019, Japan’s Toyota Motor Corporation revealed that unauthorised access had been detected on servers at its subsidiaries in Thailand and Vietnam.

On its Thai website, Toyota issued a notice stating that the company was “aware of a possibility that some of Toyota’s entities in Thailand were targeted by a cyberattack and that some of its customer data may have been potentially accessed. While we have no evidence of customer information loss at this moment, details are currently under investigation, and we intend to share further specifics, if any, as soon as details are available.”

A similar notice was published on its Vietnamese website and to date, there are no further details as to who was the attacker, which personal data might have been breached and how many customers might have been affected. Toyota Vietnam and Toyota Thailand haven’t replied to CIO ASEAN’s request for information.

Philippines, January 2019: Cebuana’s marketing server breached and the mysterious case of the DFA

More than 900,000 clients of Philippine-based pawnshop Cebuana Lhuillier (popularly known as Cebuana) were affected by a data breach at the beginning of 2019. According to the pawnshop and remittance company, the figure represents only 3% of its total clientele.

In the official statement released by Cebuana, it was revealed that customers’ compromised information included date of birth, addresses and source of income. It also said that transaction details were not compromised and that the company’s main servers remained “safe and protected”.

The breach involved an email server used for marketing, and although attempts to infiltrate one of its servers were detected on January 15, unauthorised downloads went back to August 2018.

2019 didn’t start well for the Philippines, as on top of the Cebuana case, concerns over the security of Filipinos’ passport data were raised after Foreign Secretary Teodoro Locsin claimed that an outsourced company “took all the [citizens’ passport applications] data” when its contract terminated and was not renewed.

However, the Department of Foreign Affairs denied afterwards that a data breach had occurred and said that it had “full control” of passport data belonging to Philippines’ citizens.

Singapore, January 2019: second health data breach in six months

Singapore’s Ministry of Health revealed last January that confidential information belonging to 14,200 people diagnosed with HIV was stolen and leaked online.

The compromised personal data included names, contact details (phone number and address), HIV test results and other medical information of some 5,400 Singaporeans and 8,800 foreigners dating up to January 2013.

The name, identification number, phone number and address of 2,400 individuals identified through contact tracing up to May 2007 were also included.

The person behind the breach was Mikhy Farrera Brochez, a 33-year-old US citizen who lived in Singapore between 2008 and 2016. Farrera Brochez was found guilty on several counts, including transmitting threats for extortion and illegally transferring the identification of another person, by a US court and given a sentence of two years in jail in September

Farrera Brochez used to be the partner of Ler Teck Siang, the former head of Singapore’s National Public Health Unit, who was convicted for helping him falsify his medical records to disguise the American’s HIV-positive status to enter the country.

Until 2015, foreigners with HIV were not allowed to visit the island state, even as tourists. Today, any visitor who wants to stay in the country for more than 90 days, including for work, is subject to mandatory medical screening to guarantee that they are not HIV positive.

Singapore, July 2018: the city-state suffers its largest data breach

In summer 2018, Singapore suffered the largest data breach in its history, which affected 1.5 million patients of SingHealth’s specialist outpatient clinics, including Prime Minister Lee Hsien Loong and several ministers.

Personal information stolen included names, national registration identity card numbers, addresses, gender and dates of birth. 160,000 patients had details related to outpatient dispensed medicines as well.

The committee of inquiry (COI) set up to investigate the events and contributing factors leading to the cyber-attack established that it took six days from the start of the attack for it to be discovered and halted, because the integrated health information systems (IHiS) staff initially thought that no data had been stolen. The COI also concluded that IT gaps and staff missteps contributed to the incident.

Among the “top priority” recommendations that Solicitor-General Kwek Mean Luck proposed to Singapore’s healthcare institutions were raising awareness of cybersecurity and tightening control of privileged administrator accounts.

Philippines, May 2018: Wendy’s and Jollibee asked to take preventive measures against data breaches

The National Privacy Commission of the Philippines (NPC) gave popular fast-food chain Jollibee Foods Corporation (JFC) 10 days in May 2018 to come up with a plan to rehabilitate the vulnerabilities on its website, which could expose the data of millions of customers in the case of a breach.

In addition to this, the NPC also ordered Jollibee to “employ privacy by design” in re-engineering JFC Group’s data infrastructure.

The NPC issued these cautionary warnings after Wendy’s, another US fast-food chain with operations in the Philippines, was subject to a data breach earlier in the year.

Over 80,000 records, including users’ personal data, were exposed following infiltration by hackers of Wendy’s Philippines website.

The NPC reported that around 82,150 records of customers and job applicants including names, addresses, passwords, payment method and transaction details were compromised in the leak.

In relation to the case, the NPC issued an order addressed to Wendy’s in the Philippines to inform users affected by the data breach. The document gave a 72-hour extension for the fast-food chain company to comply.

“On an analysis of the information exfiltrated, it can be ascertained that the exposure of certain sensitive personal or financial information within the database puts the affected data subjects in harm’s way,” the NPC’s order states.

Thailand, March 2018: True Corp’s data gaffe

In March 2018 security researcher Niall Merrigan revealed that the identity documents of around 45,000 customers of True Corp, Thailand’s second-biggest mobile network and the flagship company of billionaire Dhanin Chearavanont’s Charoen Pokphand Group, had been exposed.

Merrigan discovered the personal details belonging to customers of True Corp’s e-commerce subsidiary iTrueMart (now WeMall) stored in a public-facing Amazon S3 bucket in March.

The 32GB data cache included 45,736 files, consisting mainly of JPG and PDF scans of identity documents including scanned ID cards, driving licences and possibly passports.

Merrigan said that True Corp was wrongly assuming that the incident was a hack, but since there was no security on the data bucket, anybody could have found and downloaded the files.

Malaysia, October 2017: Fiasco at the Malaysian Communications and Multimedia Commission

In what is Malaysia’s darkest data breach episode to date, more than 46 million mobile subscribers’ data was stolen and leaked onto the dark web.

Considering that the state has a population of 32 million, it is believed that the whole country was affected, including foreigners using pre-paid mobile phones.

The leaked information includes mobile numbers, unique phone serial numbers and home addresses.

Personal information from multiple Malaysian public sector and commercial websites was also stolen, making Malaysians vulnerable to social engineering attacks and even phone cloning.

Although the Malaysian technology news website claimed that it reported the breach to the Malaysian Communications and Multimedia Commission (MCMC) after receiving a tip-off, the watchdog asked it to take the news article down.

The tech website was informed that someone was trying to sell huge databases of personal details from at least 12 Malaysian mobile operators for an undisclosed amount of Bitcoin on its forums.

A vast amount of personal data was also stolen from and six different official Malaysian organisations, including the Malaysian Housing Loan Applications and the Academy of Medicine Malaysia. founder Vijandren Ramadass told The Star that all information it had received on the matter was handed over to the MCMC.

The MCMC only acknowledged the data breach a day later in a press statement released on Facebook, later confirming that 46.2 million mobile subscribers were affected by the data breach.

Singapore, September 2017: Reputation debacle for AXA Insurance and Uber

In September 2017, 5,400 AXA Insurance Singapore customers were affected by a data breach in the company’s online health portal.

Information stolen included email addresses, mobile numbers and dates of birth. However, AXA was quick to reassure customers that no other personal data, including names, postal addresses, financial details, medical records or claims history, had been exposed.

Ironically, in 2014 the insurance corporation had introduced an online risk insurance service in the city-state to protect customers and businesses against cyberattacks.

And in December, just a couple of months after AXA’s episode, Uber disclosed that personal data belonging to 380,000 of its customers in Singapore had been subject to a leak the previous year.

The popular but controversial ride-hailing company only released the news after disclosing that the details of 57 million Uber riders and drivers worldwide had been exposed. Not only that, Uber paid US$100,000 to the hacker responsible to destroy the data in an effort to cover up the leak.

This move, which was approved by Uber’s former CEO Travis Kalanick, didn’t work too well for the organisation and the company’s CSO, Joe Sullivan, was sacked shortly after the incident made headlines. However, to this day Uber has avoided paying any significant fines in regard to this episode.

