AXA in Singapore Data Breach – Despite Strict Security Standards

Morey Haber, Chief Technology Officer
September 10th, 2017

AXA Data Breach

The Monetary Authority of Singapore (MAS) was founded in 1971 to oversee various monetary functions associated with financial and banking institutions. Throughout the years, their guidelines have been revised to manage emerging technologies and the evolving threat landscape. The TRM Guidelines are statements of industry best practices to which institutions doing business within Singapore are expected to adhere. The guidance is not legally binding, but is used by MAS in risk assessment audits for a variety of regional organizations. The intent is to prevent a breach by using standardized cybersecurity best practices. As we recently learned, it was insufficient in a recent attack.

AXA Singapore Breach

On 8 September 2017, the life insurance company AXA in Singapore reported a data breach that effected 5,400 customers. Customers were notified by email by their data protection officer Mr. Lelyon. The email stated, “We wish to inform you that because of a recent cyber attack, personal data belonging to about 5,400 of our customers, past and present, on our Health Portal was compromised.” The breach compromised names, email addresses, phone numbers, and birthdates. In fairness, a pale breach compared to 143 million people compromised in the United States at credit monitoring firm, Equifax. However, this is still very relevant.

The attack shares a similarity to Equifax through a breach of a public website providing access through a “Health Portal.” It is the second time in one week a significant breach has occurred via one of the oldest attack vectors, a public website housing sensitive information.

Investigation and Remediation

To that end, The Monetary Authority of Singapore (MAS) has request AXA to initiate a comprehensive review of its information technology security and identify vulnerabilities that require remediation. This therefore poses a few more questions:

  • Was the web application flaw known? Was it a zero day?
  • Are web application assessments being conducted across the Health Portal as a part of the development and production deployment of the solution?
  • How was the breach detected?

The TRM requires assessments and best practices for development as a part of its guidelines. Clearly, there was a misstep and something other organizations can learn from.

In the most recent statements from AXA, the vulnerability has been corrected and the Health Portal is operating correctly.

Lessons Learned

The Singapore Cyber Security Agency (CSA) said the incident is a reminder that any organization that collects and holds customer data are attractive targets for cyber criminals. It should also be a reminder that we can never let our guard down and threat actors will leverage every opportunity to compromise our systems. MAS provides guidelines that we should practice every day. If we forget one step, or do not assess one web application, we can end up in the same position as AXA.

If you are looking for help to cover all the best practices in MAS, or other security standards, please contact BeyondTrust. Our solutions can assist with many of these requirements, including web application assessments from the cloud, to make sure you are not another victim.

Morey Haber, Chief Technology Officer

With more than 20 years of IT industry experience and author of Privileged Attack Vectors, Mr. Haber joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition. He currently oversees BeyondTrust technology for both vulnerability and privileged access management solutions. In 2004, Mr. Haber joined eEye as the Director of Security Engineering and was responsible for strategic business discussions and vulnerability management architectures in Fortune 500 clients. Prior to eEye, he was a Development Manager for Computer Associates, Inc. (CA), responsible for new product beta cycles and named customer accounts. Mr. Haber began his career as a Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelors of Science in Electrical Engineering from the State University of New York at Stony Brook.