Just weeks after Optus revealed that the records of 10 million customers had been compromised in a data breach, its parent company, Singtel, is dealing with two of its own data hacks.
Singtel confirmed that a Friday post on a data leak forum contained information obtained from Singtel in a cyber-attack in 2020. It was the same forum where a user last month threatened to release Optus’s stolen data.
In February 2021, Singtel reported that a file transfer application called Accellion FTA it used had a zero-day vulnerability that had been exploited by hackers in late 2020 to obtain Singtel files.
The company suspended the use of the system when it became aware of the breach in February last year, and had been assessing what data had potentially been compromised.
Singtel determined at the time that the personal information of 129,000 customers and 23 businesses had been exposed in the breach.
It determined that data exposed included National Registration Identity care information, name, date of birth, mobile numbers and addresses. For 28 former Singtel staff their bank account details were exposed, and the credit card details of 45 staff of a corporate customer were exposed.
Singtel informed those affected, but the post on the data leak forum is believed to be the first time the data has purportedly been posted online.
Separately, Singtel reported to the Singapore stock exchange on Monday that Dialog, an Australian IT services company which is a subsidiary of a subsidiary of SingTel was also subject of a cyber-attack, in which a third party could have accessed the data of 20 clients and 1,000 current and former employees.
The activity was detected on the company’s servers on 10 September and on Friday 7 October, the company found that a “very small sample” of Dialog’s data, including some employee personal information, had been published on the dark web.
“We are doing our utmost to address the situation and, as a precaution, we are actively engaging with potentially impacted stakeholders to share information, support and advice,” Singtel said.
In the case of both breaches, Optus customer data was not affected, the company said.
It is three weeks since the Optus breach was reported, leading to a push to overhaul cybersecurity and privacy law in Australia, with the government looking at ways to reduce the amount of private information companies hold on citizens.