The Monetary Authority of Singapore (MAS) was founded in 1971 to oversee various monetary functions associated with financial and banking institutions. Throughout the years, their guidelines have been revised to manage emerging technologies and the evolving threat landscape. The TRM Guidelines are statements of industry best practices to which institutions doing business within Singapore are expected to adhere. The guidance is not legally binding, but is used by MAS in risk assessment audits for a variety of regional organizations. The intent is to prevent a breach by using standardized cybersecurity best practices. As we recently learned, it was insufficient in a recent attack.
AXA Singapore Breach
On 8 September 2017, the life insurance company AXA in Singapore reported a data breach that effected 5,400 customers. Customers were notified by email by their data protection officer Mr. Lelyon. The email stated, “We wish to inform you that because of a recent cyber attack, personal data belonging to about 5,400 of our customers, past and present, on our Health Portal was compromised.” The breach compromised names, email addresses, phone numbers, and birthdates. In fairness, a pale breach compared to 143 million people compromised in the United States at credit monitoring firm, Equifax. However, this is still very relevant.
The attack shares a similarity to Equifax through a breach of a public website providing access through a “Health Portal.” It is the second time in one week a significant breach has occurred via one of the oldest attack vectors, a public website housing sensitive information.
Investigation and Remediation
To that end, The Monetary Authority of Singapore (MAS) has request AXA to initiate a comprehensive review of its information technology security and identify vulnerabilities that require remediation. This therefore poses a few more questions:
- Was the web application flaw known? Was it a zero day?
- Are web application assessments being conducted across the Health Portal as a part of the development and production deployment of the solution?
- How was the breach detected?
The TRM requires assessments and best practices for development as a part of its guidelines. Clearly, there was a misstep and something other organizations can learn from.
In the most recent statements from AXA, the vulnerability has been corrected and the Health Portal is operating correctly.
Lessons Learned
The Singapore Cyber Security Agency (CSA) said the incident is a reminder that any organization that collects and holds customer data are attractive targets for cyber criminals. It should also be a reminder that we can never let our guard down and threat actors will leverage every opportunity to compromise our systems. MAS provides guidelines that we should practice every day. If we forget one step, or do not assess one web application, we can end up in the same position as AXA.
If you are looking for help to cover all the best practices in MAS, or other security standards, please contact BeyondTrust. Our solutions can assist with many of these requirements, including web application assessments from the cloud, to make sure you are not another victim.
Morey J. Haber, Chief Security Officer, BeyondTrust
Morey J. Haber is the Chief Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored three books: Privileged Attack Vectors, Asset Attack Vectors, and Identity Attack Vectors. He is a founding member of the industry group Transparency in Cyber, and in 2020 was elected to the Identity Defined Security Alliance (IDSA) Executive Advisory Board. Morey currently oversees BeyondTrust security and governance for corporate and cloud based solutions and regularly consults for global periodicals and media. He originally joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition where he served as a Product Owner and Solutions Engineer since 2004. Prior to eEye, he was Beta Development Manager for Computer Associates, Inc. He began his career as Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.