AXA Singapore BreachOn 8 September 2017, the life insurance company AXA in Singapore reported a data breach that effected 5,400 customers. Customers were notified by email by their data protection officer Mr. Lelyon. The email stated, “We wish to inform you that because of a recent cyber attack, personal data belonging to about 5,400 of our customers, past and present, on our Health Portal was compromised.” The breach compromised names, email addresses, phone numbers, and birthdates. In fairness, a pale breach compared to 143 million people compromised in the United States at credit monitoring firm, Equifax. However, this is still very relevant. The attack shares a similarity to Equifax through a breach of a public website providing access through a “Health Portal.” It is the second time in one week a significant breach has occurred via one of the oldest attack vectors, a public website housing sensitive information.
Investigation and RemediationTo that end, The Monetary Authority of Singapore (MAS) has request AXA to initiate a comprehensive review of its information technology security and identify vulnerabilities that require remediation. This therefore poses a few more questions:
- Was the web application flaw known? Was it a zero day?
- Are web application assessments being conducted across the Health Portal as a part of the development and production deployment of the solution?
- How was the breach detected?
Lessons LearnedThe Singapore Cyber Security Agency (CSA) said the incident is a reminder that any organization that collects and holds customer data are attractive targets for cyber criminals. It should also be a reminder that we can never let our guard down and threat actors will leverage every opportunity to compromise our systems. MAS provides guidelines that we should practice every day. If we forget one step, or do not assess one web application, we can end up in the same position as AXA. If you are looking for help to cover all the best practices in MAS, or other security standards, please contact BeyondTrust. Our solutions can assist with many of these requirements, including web application assessments from the cloud, to make sure you are not another victim.
Morey J. Haber, Chief Technology Officer and Chief Information Security Officer at BeyondTrust
Morey J. Haber is Chief Technology Officer and Chief Information Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored four Apress books: Privileged Attack Vectors (2 Editions), Asset Attack Vectors, and Identity Attack Vectors. In 2018, Bomgar acquired BeyondTrust and retained the BeyondTrust name. He originally joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition. Morey currently oversees BeyondTrust strategy for privileged access management and remote access solutions. In 2004, he joined eEye as Director of Security Engineering and was responsible for strategic business discussions and vulnerability management architectures in Fortune 500 clients. Prior to eEye, he was Development Manager for Computer Associates, Inc. (CA), responsible for new product beta cycles and named customer accounts. He began his career as Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.