PSA: MyRepublic hit by cyberattack with close to 80,000 subscribers affected *updated*
PSA: MyRepublic hit by cyberattack with close to 80,000 subscribers affected
*Updated: 10 September 2021 23:00 with some expert commentary*
MyRepublic Singapore announced today that it was the victim of a cyberattack on 29 August 2021.
According to the company, the “unauthorised data access” targeted a third-party data storage platform used to store the personal data of MyRepublic’s mobile customers. This attack compromised the data of 79,388 mobile subscribers based in Singapore.
The unauthorised access to the data storage facility has since been secured, and the incident has been contained with MyRepublic notifying both the Infocomm Media Development Authority (IMDA) and the Personal Data Protection Commission (PDPC) and having appointed external expert advisors KPMG to work closely with MyRepublic’s internal IT and Network teams to resolve the incident.
So far, there is no indication that other personal data, such as account or payment information, were affected.
The data lost contains the identity verification documents related to customer applications for mobile services, including:
- For Singapore citizens, permanent residents and employment and dependent pass holders — scanned copies of both sides of NRICs.
- For foreigners — proof of residential address documents e.g., scanned copies of a utility bill.
- For customers porting an existing mobile service — name and mobile number.
According to a discussion thread on the HardwareZone forums, some forum members said that they had been affected despite having unsubscribed from MyRepublic services.
Malcolm Rodrigues, CEO, MyRepublic said:
While there is no evidence that any personal data has been misused, as a precautionary measure, we are contacting customers who may be affected to keep them informed and provide them with any support necessary. We are also reviewing all our systems and processes, both internal and external, to ensure an incident like this does not occur again.
For those affected, MyRepublic said that they will provide all affected customers with an offer to take up a complimentary credit monitoring service through Credit Bureau Singapore (CBS). Under this service, CBS will monitor their credit report and alert them of any suspicious activity.
Customers who wish to take advantage of this offer or if they have any further concerns or questions may contact MyRepublic here.
Commenting on the MyRepublic Singapore incident, Alex Lei, Senior Vice President, APJ at Proofpoint cautioned saying that when personal information was leaked, there could be a marked increase in smishing attacks, as well as identity fraud, with text mobile scams growing during the pandemic.
Consumers trust mobile messaging and they are much more likely to read and access links contained in text than those in email. This level of trust paired with the reach of mobile devices makes the mobile channel ripe for fraud and identity theft.
To combat these attacks, Lei recommends that users first ensure they are on the Do Not Call Registry and re-confirm their entry even if they believe that they previously signed up, as the registry also applies to text messages.
He warned that consumers need to be very sceptical of mobile messages coming from unknown sources and should never click on links in text messages, no matter how realistic they look. "If you want to contact the purported vendor sending you a link, do so directly through their website and always manually enter the web address/URL. For offer codes, type them directly into the site as well. It is also vital that you do not respond to strange texts or texts from unknown sources. Doing so will often confirm you’re a real person to future scammers,” he added.