Skip links

Singaporean telco leaked personal data of over 57,000 customers

Singapore pay YV, internet and mobile phone provider StarHub is in the process of notifying 57,191 customers via email that they are victims of a cyber attack that leaked national identity card numbers, mobile numbers and email addresses.

An August 11th email notifying a customer of the leak was obtained by The Register and reads:

In the email, StarHub explains that there is no current evidence that information has been misused, and that an incident management team assessed the situation. Investigations by digital forensic and cybersecurity experts are ongoing.

StarHub claims credit card and bank account information was not compromised, but has nonetheless offered all affected customers six months of free credit monitoring, as long as they act by September 5. Emails will continue to go out to leak victims until August 20, 2021.

All affected customers were StarHub service subscribers prior to 2007. Incidentally, anyone in Singapore with a paid local pay TV subscription service before 2007 was a StarHub customer as up until that year, it was the only pay-TV operator in the city-state.

The data breach was discovered on July 6 but was not announced until August 6th. StarHub told The Register via email that the company suspects the stolen data file was found within a day of it being uploaded to the third-party web site.

Singapore’s Personal Data Protection Act 2012 (PDPA) sets out the law on data protection in Singapore. It institutes guidelines on how companies secure and store data, and requirements for notifying victims of a breach under their watch. According to one Singapore-based media lawyer The Register spoke to, the PDPA is a serious regulation but is considered less strict than Europe’s GDPR.

The PDPA specifically requires organizations to notify the Personal Data Protection Commission (PDPC) within three days of an assessment if the breach affects more than 500 individuals or is likely to result in significant harm. If significant harm is likely to flow from a leak, the victim also must be notified.

Those contravening the PDPA risk a financial penalty of up to 10 per cent of the organization’s annual local turnover or SG$1 million (US$736,900) – whichever is higher.

Although the time from discovery of the incident on July 6 to announcement of the leak was one month, and the timeline from incident to completion of notifying all victims on August 20th is more than six weeks, StarHub told The Register that the organization is in compliance with the PDPA.

“StarHub notified our affected customers progressively from 6 August 2021, in accordance with Section 26D of Singapore’s Personal Data Protection Act 2012,” StarHub corporate communications assistant VP Cassie Fong told The Reg.

Fong added: “As far as we are aware, this is an isolated incident which involved a data file that contains limited types of information belonging to certain individual customers.

As part of our efforts to rectify the situation, we have investigated and verified the integrity of our network infrastructure. There is no evidence that StarHub’s information systems are compromised.”

StarHub’s advisory for customers details the breach and advises the use of regularly-updated strong passwords that do not include personal information. ®