[BreachExchange] AXA data breach affects 5,400 Singapore customers

Audrey McNeil audrey at riskbasedsecurity.com
Thu Sep 7 19:45:15 EDT 2017


http://www.straitstimes.com/singapore/axa-data-breach-affects-5400-singapore-customers

SINGAPORE - The personal data of 5,400 customers of AXA Insurance in
Singapore has been stolen due to a cyber attack.

The life insurance firm sent out an e-mail to most affected customers on
Thursday (Sept 7), notifying them of the data breach. The remaining
affected customers will be notified by Friday (Sept 8).

In the e-mail, AXA's data protection officer Eric Lelyon said: "We wish to
inform you that because of a recent cyber attack, personal data belonging
to about 5,400 of our customers, past and present, on our Health Portal was
compromised."

In particular, their e-mail address, mobile number and date of birth were
exposed.

The firm said that no other personal data - including name, NRIC number,
address, credit card or bank details, health status, claims history or
marital status - was leaked.

When contacted, AXA Singapore chief executive officer Jean Drouffe said the
firm takes customer privacy very seriously and apologised for the breach.
He also assured customers that the firm's Health Portal "is now secure".

He skirted questions on when the cyber attack took place and when the
breach was discovered, but said: "A thorough review of our IT systems is
underway. No financial or health data was compromised."

Mr Drouffe also said that the compromised data, by themselves, will not
result in identity theft.

Customers are, however, advised to be vigilant against phishing, most
commonly via e-mail, to trick victims into disclosing their credentials.

AXA made a police report, and advised customers to do the same if they had
inadvertently disclosed personal data as a result of phishing attempts in
the last few months as it could be connected to the AXA hacking incident.

The Monetary Authority of Singapore (MAS) has asked AXA to initiate a
thorough review of its IT security and to remediate control gaps.

"We understand that AXA has taken steps to address the vulnerability in its
Health Portal. MAS takes a serious view of this incident and is
investigating the matter," a MAS spokesman said in a statement on Thursday.

Singapore Cyber Security Agency (CSA) said the incident is a reminder that
companies that collect and hold customer data are an attractive target for
cyber criminals.

"Hence, companies need to make the appropriate risk assessment, prioritise
cybersecurity and adopt proactive measures to better protect themselves
against cyber attacks," a spokesman said on Thursday.

Mr Gavin Chow, network and security strategist at cyber security solutions
firm Fortinet, said hackers could masquerade as AXA or any commercial
entity to trick victims to reveal their e-banking username and
passwords, for instance.

This method, known as phishing, can be executed via e-mail, SMS and
WhatsApp - now that hackers have users' e-mail address and mobile number.

Hackers could also trick victims into installing malware into their
computers or mobile phones. When phones are infected by malware, hackers
can steal one-time passwords sent via SMS for making fraudulent
transactions.

"If anyone is using their birth dates as passwords, change it now," said Mr
Chow.

Singapore's privacy commission, the Personal Data Protection Commission,
said it is investigating the breach. "We understand that AXA has addressed
the vulnerability in their system," a Commission spokesman said.