AXA Singapore Breach

On 8 September 2017, the life insurance company AXA in Singapore reported a data breach that affected 5,400 customers. Customers were notified by email by the company's data protection officer, Mr. Lelyon. The email stated, “We wish to inform you that because of a recent cyber attack, personal data belonging to about 5,400 of our customers, past and present, on our Health Portal was compromised.” The breach compromised names, email addresses, phone numbers, and birthdates. In fairness, this breach pales in comparison to the 143 million people compromised in the United States at the credit monitoring firm Equifax. However, it is still very relevant. The attack is similar to the Equifax one in that it was a breach of a public website, here one providing access through a “Health Portal.” It is the second time in one week that a significant breach has occurred via one of the oldest attack vectors, a public website housing sensitive information.
Investigation and Remediation

To that end, the Monetary Authority of Singapore (MAS) has requested that AXA initiate a comprehensive review of its information technology security and identify vulnerabilities that require remediation. This poses a few more questions:
- Was the web application flaw known? Was it a zero day?
- Are web application assessments being conducted across the Health Portal as a part of the development and production deployment of the solution?
- How was the breach detected?