Singtel’s data breach: What happened, and how can you protect yourself?
Here's why the Singtel database hack occurred and what you can do to protect yourself
Note: This article was first published on 18 Feb 2021.
Singtel’s announcement of its data breach, which affected approximately 129,000 customers, should be a cause for concern: identifiable data containing NRIC and a combination of phone number, address, name, and date of birth was part of that leak.
Singtel was alerted by Accellion, a third-party vendor for a file-sharing system, that unidentified hackers had gained access to the file-sharing server, which is used to share information within Singtel’s internal systems and with external stakeholders.
The hackers used an exploit for an unknown zero-day vulnerability, which Accellion wasn't made aware of until much later, when it followed up with the necessary fixes. However, the fixes weren't effective, which allowed the hackers to breach the system and gain access to the information on Singtel's servers.
On 28th Jan 2021, Accellion announced that the file-sharing system will reach its end of life on 30th April 2021. Singtel addressed the incident in this FAQ, stating that they are currently upgrading or replacing the existing system while evaluating their file-sharing protocols to enhance their security.
Straits Times has the full report on the hack and we’ve covered it in more detail earlier. While Singtel will be contacting those affected by the breach, here are some immediate steps you can take. These are useful checks to conduct even if you’re not affected by the breach.
Turn on App-Based Two-Factor Authentication (2FA)
If you haven’t activated 2FA for your email, online shopping, or social media accounts, now is the best time to do so.
Most companies will request that you provide your personal phone number or use an app like Google Authenticator or Microsoft Authenticator. Since phone numbers are part of the compromised data, opt to use the authentication apps instead.
And never share your 2FA or One-Time Password (OTP) with anyone, even if they’re someone close to you. There have been reports of WhatsApp account takeovers by bad actors trying to steal more private information like credit card details.
Use A Password Manager
This is more of a precautionary measure; if your passwords are still “123456” or “password”, this is a really good time to look at a password manager that we’ve detailed here.
Basically, a password manager helps you to generate unique and complex passwords, without requiring that you remember them. It should automatically fill in these login details, as long as you’ve installed the password manager app on your phones or computers.
Enable Call and SMS Filtering
We’ve received random calls and SMSes from weird numbers before, requesting our bank information or claiming that our online shipment is stuck in customs, but we know that they’re scams. If you want to filter out these nuisances, we’ve got you covered.
For iPhone users who are on iOS 12.4 and above, you can download the ScamShield app to filter out unsolicited messages and calls, which we’ve talked about in more detail in this article. Note that it doesn't interface with your messaging apps like WhatsApp, Telegram, etc., so you'll still have to be vigilant on third-party messaging apps.
On Android 6.0 and above, you can turn on caller ID and spam protection in the Settings app. For the filter to work, it does require that the sender’s information be sent to Google for verification.
Check if your email has been breached
Last but not least, you should check if any of your emails have been breached. To do this, 1Password created this website that checks with their database to see if your email address has been leaked.
If your email is part of a data breach, head over to the affected website and change your password immediately with a password generator or use a complex phrase instead. And then turn on 2FA!