AXA in Singapore Data Breach – Despite Strict Security Standards

The Monetary Authority of Singapore (MAS) was founded in 1971 to oversee various monetary functions associated with financial and banking institutions. Throughout the years, their guidelines have been revised to manage emerging technologies and the evolving threat landscape. The TRM Guidelines are statements of industry best practices to which institutions doing business within Singapore are expected to adhere. The guidance is not legally binding, but is used by MAS in risk assessment audits for a variety of regional organizations. The intent is to prevent a breach by using standardized cybersecurity best practices. As we recently learned, it was insufficient in a recent attack.

AXA Singapore Breach

On 8 September 2017, the life insurance company AXA in Singapore reported a data breach that effected 5,400 customers. Customers were notified by email by their data protection officer Mr. Lelyon. The email stated, “We wish to inform you that because of a recent cyber attack, personal data belonging to about 5,400 of our customers, past and present, on our Health Portal was compromised.” The breach compromised names, email addresses, phone numbers, and birthdates. In fairness, a pale breach compared to 143 million people compromised in the United States at credit monitoring firm, Equifax. However, this is still very relevant. The attack shares a similarity to Equifax through a breach of a public website providing access through a “Health Portal.” It is the second time in one week a significant breach has occurred via one of the oldest attack vectors, a public website housing sensitive information.

Investigation and Remediation

To that end, The Monetary Authority of Singapore (MAS) has request AXA to initiate a comprehensive review of its information technology security and identify vulnerabilities that require remediation. This therefore poses a few more questions:

• Was the web application flaw known? Was it a zero day?
• Are web application assessments being conducted across the Health Portal as a part of the development and production deployment of the solution?
• How was the breach detected?

The TRM requires assessments and best practices for development as a part of its guidelines. Clearly, there was a misstep and something other organizations can learn from. In the most recent statements from AXA, the vulnerability has been corrected and the Health Portal is operating correctly.

Lessons Learned

The Singapore Cyber Security Agency (CSA) said the incident is a reminder that any organization that collects and holds customer data are attractive targets for cyber criminals. It should also be a reminder that we can never let our guard down and threat actors will leverage every opportunity to compromise our systems. MAS provides guidelines that we should practice every day. If we forget one step, or do not assess one web application, we can end up in the same position as AXA. If you are looking for help to cover all the best practices in MAS, or other security standards, please contact BeyondTrust. Our solutions can assist with many of these requirements, including web application assessments from the cloud, to make sure you are not another victim.