by Cristina Lago

The biggest data breaches in Southeast Asia

Feature
Jan 18, 2020

Major data breaches in Southeast Asian countries evidence the region's weaknesses in the areas of cybersecurity and data protection.


For the first time ever, cyber incidents – including data breaches – rank as the most serious business risk globally, according to the Allianz Risk Barometer 2020. Just seven years ago, the same threat held a distant 15th position in the top menaces list for companies around the world.

Although not all the firms from ASEAN countries included in the report (Indonesia, Malaysia, Philippines and Singapore) consider cyber incidents as their top business risk priority, the region nonetheless mirrors a global trend that has seen a growing awareness of cyber threats in recent years.

Incidents are becoming more damaging, increasingly targeting large companies with sophisticated attacks and hefty extortion demands. Five years ago, a typical ransomware demand would have been in the tens of thousands of dollars. Now they can be in the millions, according to Marek Stanislawski, deputy global head of cyber at Allianz Global Corporate and Specialty (AGCS).

The average organisational cost of a data breach in ASEAN is S$3.6 million (US$2.62 million) and the average number of records per breach is 22,500. Although these figures are lower than the global average (US$3.92 million and 25,575 records), they are still reason for concern among CIOs and CISOs in the region, as the Allianz Risk Barometer demonstrates. Even more so since 96 percent of Singaporean businesses reported suffering a data breach between September 2018 and September 2019.

With the aim of encouraging (rather than scaring!) CIOs to step up their data security, below we have compiled a list of the most serious data breach incidents in the ASEAN region during the past years. We have also included expert advice on what to do to prevent them.

Singapore, December 2019: government vendors under attack

2019 ended with sombre news for Singapore’s cybersecurity. Personal data pertaining to 2,400 Ministry of Defence (Mindef) and Singapore Armed Forces (SAF) personnel was put at risk and could have been leaked.

ST Logistics, a third-party vendor that provides logistics and equipping services to the government organisations, said that the potential breach was a result of a recent series of email phishing activities involving malware sent to its employees’ email accounts. The system affected held full names and NRIC numbers and a combination of contact numbers, email addresses or residential addresses of Mindef and SAF members of staff.

In a different and unrelated attack, the data of 120,000 individuals, including 98,000 SAF servicepeople, was found to have been infected by ransomware in early December. On this occasion, the server affected belonged to another vendor that provides healthcare training to SAF.

Data stored in the affected server included personal information of students and applicants, such as full names, NRIC numbers, dates of birth, home addresses and e-mail addresses.

The investigation of the incident concluded that the breach was a random and opportunistic attack on the server and there was no evidence that the data was copied or exported.

Thailand and Vietnam, March 2019: Toyota suffers a chain of data breaches

In March 2019, Japan’s Toyota Motor Corporation revealed that unauthorised access had been detected on servers at its subsidiaries in Thailand and Vietnam.

On its Thai website, Toyota issued a notice stating that the company was “aware of a possibility that some of Toyota’s entities in Thailand were targeted by a cyberattack and that some of its customer data may have been potentially accessed. While we have no evidence of customer information loss at this moment, details are currently under investigation, and we intend to share further specifics, if any, as soon as details are available.”

A similar notice was published on its Vietnamese website and to date there are no further details as to who the attacker was, which personal data might have been breached and how many customers might have been affected. Toyota Vietnam and Toyota Thailand haven’t replied to CIO ASEAN’s request for information.

Philippines, January 2019: Cebuana’s marketing server breached and the mysterious case of the DFA

More than 900,000 clients of Philippine-based pawnshop Cebuana Lhuillier (popularly known as Cebuana) were affected by a data breach at the beginning of 2019. According to the pawnshop and remittance company, the figure represents only 3 percent of its total clientele.

The official statement released by Cebuana revealed that customers’ compromised information included date of birth, addresses and source of income. It also said that transaction details were not compromised and that the company’s main servers remained “safe and protected”.

The breach involved an email server used for marketing and although attempts to infiltrate one of its servers were detected on January 15, unauthorised downloads went back to August 2018.

2019 didn’t start well for the Philippines, as on top of the Cebuana case, concerns over the security of Filipinos’ passport data were raised after Foreign Secretary Teodoro Locsin claimed that an outsourced company “took all the [citizens’ passport applications] data” when its contract terminated and was not renewed.

However, the Department of Foreign Affairs denied afterwards that a data breach had occurred and said that it had “full control” of passport data belonging to Philippines’ citizens.

Singapore, January 2019: second health data breach in six months

Singapore’s Ministry of Health revealed last January that confidential information belonging to 14,200 people diagnosed with HIV was stolen and leaked online.

The compromised personal data included names, contact details (phone number and address), HIV test results and other medical information of some 5,400 Singaporeans and 8,800 foreigners dating up to January 2013.

The name, identification number, phone number and address of 2,400 individuals identified through contact tracing up to May 2007 were also included.

The person behind the breach was Mikhy Farrera Brochez, a 33-year-old US citizen who lived in Singapore between 2008 and 2016. Farrera Brochez was found guilty on several counts, including transmitting threats for extortion and illegally transferring the identification of another person, by a US court and given a sentence of two years in jail in September

Farrera Brochez used to be the partner of Ler Teck Siang, the former head of Singapore’s National Public Health Unit, who was convicted for helping him falsify his medical records to disguise the American’s HIV-positive status to enter the country.

Until 2015, foreigners with HIV were not allowed to visit the island state, even as tourists. Today, any visitor who wants to stay in the country for more than 90 days, including for work, is subject to mandatory medical screening to guarantee that they are not HIV positive.

Singapore, July 2018: the city-state suffers its largest data breach

In summer 2018 Singapore was subject to the largest data breach in its history, with 1.5 million patients of SingHealth’s specialist outpatient clinics affected, including Prime Minister Lee Hsien Loong and several ministers.

Personal information stolen included names, national registration identity card numbers, addresses, gender and dates of birth. 160,000 patients had details related to outpatient dispensed medicines as well.

The committee of inquiry (COI) set up to investigate the events and contributing factors leading to the cyber-attack established that it took six days from when the attack began for it to be discovered and halted, because the Integrated Health Information Systems (IHiS) staff initially thought that no data had been stolen. The COI also concluded that IT gaps and staff missteps contributed to the incident.

Among the “top priority” recommendations proposed by Solicitor-General Kwek Mean Luck for Singapore’s healthcare institutions to work on were raising awareness of cybersecurity and tightening control of privileged administrator accounts.

Philippines, May 2018: Wendy’s and Jollibee asked to take preventive measures against data breaches

The National Privacy Commission of the Philippines (NPC) gave popular fast-food chain Jollibee Foods Corporation (JFC) 10 days in May 2018 to come up with a plan to remediate the vulnerabilities on its website, which could expose the data of millions of customers in the case of a breach.

In addition to this, the NPC also ordered Jollibee to “employ privacy by design” in re-engineering JFC Group’s data infrastructure.

The NPC issued these warnings after Wendy’s, a US fast-food chain with operations in the Philippines, was subject to a data breach earlier in the year.

Over 80,000 records, including users’ personal data, were exposed following an infiltration by hackers of Wendy’s Philippines website.

The NPC reported that around 82,150 records of customers and job applicants including names, addresses, passwords, payment method and transaction details were compromised in the leak.

In relation to the case, the NPC issued an order addressed to Wendy’s in the Philippines to inform users affected by the data breach. The document gave a 72-hour extension for the fast-food chain company to comply.

“On an analysis of the information exfiltrated, it can be ascertained that the exposure of certain sensitive personal or financial information within the database puts the affected data subjects in harm’s way,” the NPC’s order states.

Thailand, March 2018: True Corp’s data gaffe

In March 2018 security researcher Niall Merrigan revealed that the identity documents of around 45,000 customers of True Corp, Thailand’s second-biggest mobile network and the flagship company of billionaire Dhanin Chearavanont’s Charoen Pokphand Group, had been exposed.

Merrigan discovered the personal details belonging to customers of True Corp’s e-commerce subsidiary iTrueMart (now WeMall) stored in a public-facing Amazon S3 bucket in March.

The 32GB data cache included 45,736 files, consisting mainly of JPG and PDF scans of identity documents including scanned ID cards, driving licences and possibly passports.

Merrigan said that True Corp was wrongly assuming that the incident was a hack, but since there was no security on the data bucket, anybody could have found and downloaded the files.

Malaysia, October 2017: Fiasco at the Malaysian Communications and Multimedia Commission

In what is Malaysia’s darkest data breach episode to date, more than 46 million mobile subscribers’ data was stolen and leaked on to the dark web.

Considering that the state has a population of 32 million, it is believed that the whole country was affected, including foreigners using pre-paid mobile phones.

The leaked information includes mobile numbers, unique phone serial numbers and home addresses.

Personal information from multiple Malaysian public sector and commercial websites was also stolen, making Malaysians vulnerable to social engineering attacks and even phone cloning.

Although the Malaysian technology news website Lowyat.net claimed that it reported the breach to the Malaysian Communications and Multimedia Commission (MCMC) after receiving a tip-off, the watchdog asked Lowyat.net to take the news article down.

The tech website was informed that someone was trying to sell huge databases of personal details from at least 12 Malaysian mobile operators for an undisclosed amount of Bitcoin on its forums.

A vast amount of personal data was also stolen from Jobstreet.com and six different official Malaysian organisations, including the Malaysian Housing Loan Applications and the Academy of Medicine Malaysia.

Lowyat.net founder Vijandren Ramadass told The Star that all information it had received on the matter was handed over to the MCMC.

The MCMC only accepted the data breach a day later in a press statement released on Facebook, later confirming that 46.2 million mobile subscribers were affected by the data breach.

Singapore, September 2017: Reputation debacle for AXA Insurance and Uber

In September 2017, 5,400 AXA Insurance Singapore customers were affected by a data breach in the company’s online health portal.

Information stolen included email addresses, mobile numbers and date of birth. However, AXA was quick to reassure that no other personal data, including name, postal addresses, financial details, medical records or claims history, had been exposed.

Ironically, in 2014 the insurance corporation had introduced an online risk insurance service in the city-state to protect customers and businesses against cyberattacks.

And in December, just a couple of months after AXA’s episode, Uber disclosed that personal data belonging to 380,000 of its customers in Singapore had been subject to a leak the previous year.

The popular but controversial riding company only released the news after disclosing that the details of 57 million worldwide Uber riders and drivers had been exposed. Not only that, Uber paid US$100,000 to the hacker responsible to destroy the data in an effort to cover up the leak.

This move, which was approved by Uber’s former CEO Travis Kalanick, didn’t work too well for the organisation and the company’s CSO, Joe Sullivan, was sacked shortly after the incident made headlines. However, to this day Uber has avoided paying any significant fines in regard to this episode.

Vietnam, July 2016: trouble in the airports

Airlines around the globe are becoming attractive targets for hackers, as recent attacks on Singapore Airlines, Malindo Airways, British Airways, and Cathay Pacific show us.

In July 2016, 410,000 clients of Vietnam Airlines saw personal information compromised after the national flag carrier’s website was subject to a cyberattack by self-proclaimed Chinese hackers.

The data stolen, which was then leaked on the internet, belonged to VIP members of the airline’s Lotusmiles scheme. It included names, birthdays and addresses.

The attack, believed to be politically motivated, also affected flight information displays and speaker systems at Tan Son Nhat International Airport and Noi Bai International Airport, the country’s biggest airports.

Intercepted screens showed derogatory messages in Chinese against Vietnam and the Philippines in their territorial row against China in the South China Sea.  

Banks raised concerns in the aftermath of the data breach about the use of the leaked information to steal their clients’ money, as many Lotusmiles members had used bank cards to complete transactions with the airline.

Thailand, March 2016: Expats’ data compromised

Late on a March Sunday afternoon, social media users noticed that a database containing the names, addresses, job titles and passport numbers of more than 2,000 foreign nationals living in Thailand’s southern province was widely available online.

The website where the information was published carried the Thailand immigration police seal but used a private Thai web address, which is not usually associated with government sites. The data was openly accessible without a password and some users even guessed the administration password, which unsurprisingly was 12345.

The site also featured a digital map pinpointing the expats’ location and their personal details, making it a cause for worry to hundreds of foreigners living in the southern region of the Asian country.

When authorities ordered the website to be taken down on the following Monday, it was already too late: the site’s existence had gone viral and it had become another stain on the government’s cybersecurity record, which in 2016 had seen the websites of the police, courts and correction departments hacked.

Thai Netizens, a digital advocacy group, tracked down the website’s owner, a developer called Akram Aleeming, who later posted a statement on Facebook saying the site had mistakenly been made public during testing stages. According to his statement, the immigration police had commissioned the website.

Philippines, March 2016: “The biggest government data breach in history”

On 27 March 2016, 55 million voters in the Philippines were subject to what’s been deemed the “biggest government data breach in history” after the entire database of the Commission on Elections (Comelec) was hacked and leaked.

Behind the attack was a group self-named Anonymous Philippines. Following the breach, a second hacker group, LulzSec Pilipinas, posted the database online and since then it has been widely shared by others.

Anonymous Philippines is a hacktivist community likely to be connected to or inspired by the global Anonymous hacker network, which has rallied supporters in over 20 countries globally against government corruption and internet censorship.

Among the data stolen from Comelec, which was distributed on both the dark and clear web, were 228,605 email addresses and 1.3 million passport numbers of overseas Filipino voters and 15.8 million fingerprint records.

Other information contained within the breach included postal addresses, place of birth, height, weight, gender, marital status and parents’ names. Although dates of birth and names were encrypted, the rest of the data wasn’t.

What can CIOs in the region do to prevent data breaches?

Unfortunately, data breaches in ASEAN – and worldwide – are expected to increase not only in the volume of data records but also in the value of the information stolen. Behind these attacks, say A.T. Kearney analysts, are no longer garage hackers but criminal organisations and well-funded nation-state actors with financial or geopolitical motives.

To avoid your organisation ending up on this list (or getting a formal warning, as was the case for L’Oreal Singapore this month), A.T. Kearney’s Hari Venkataramani (partner, Southeast Asia), Carlos Oliver Mosquera (director, Southeast Asia) and Nikolai Dobberstein (partner, head of communications, media and technology APAC) recommend putting cybersecurity efforts where the risks are, rather than focusing purely on compliance. They also advise CIOs to work with their peers and with government agencies to share region-specific threat intelligence and know-how.

“We advise to promote wider collaboration within and across sectors to share region-specific threat intelligence and cybersecurity know-how,” Venkataramani, Mosquera and Dobberstein added. “This can be greatly facilitated by government institutions, so we make a call to both CIOs and CISOs from the private sector and cybersecurity agencies to promote public-private collaboration partnerships.”