The Singapore Times reports that a third-party file-sharing system used by Singapore’s largest telco, Singtel, has been hacked and customer information may have been compromised.
The breach occurred on January 20 but, for now, the telco assured that its core operations are not affected. The hack was part of a wider global breach of the File Transfer Appliance (FTA) file-sharing system that recently affected other organisations including New Zealand’s central bank, the Australian Securities and Investments Commission and the Washington State Auditor’s Office in the US.
Singtel’s statement stated the company had been informed by a third-party vendor, Accellion, that unidentified hackers had illegally attacked its file-sharing system called FTA. This was a standalone system used to share information internally as well as with external stakeholders. Accellion said that the incident was part of a wider concerted attack against users of their file-sharing system.
The statement went on to say: “We have since suspended all use of the system and activated investigations, working closely with cybersecurity experts and the relevant authorities, including the Cyber Security Agency of Singapore which is providing additional guidance.”
“We are currently conducting an impact assessment with the utmost urgency to ascertain the nature and extent of data that has been potentially accessed. Customer information may have been compromised. Our priority is to work directly with customers and stakeholders whose information may have been compromised to keep them supported and help them manage any risks. We will reach out to them at the earliest opportunity once we identify which files relevant to them were illegally accessed.
This is an isolated incident involving a standalone third-party system. Our core operations remain unaffected and sound.”
In mid-December, Accellion was made aware of a zero-day vulnerability in its legacy FTA software, and it released a fix within 72 hours. This initial incident was the beginning of a concerted cyberattack on the FTA product that continued into January 2021.
In a statement from February 1 the company stated that FTA was a 20-year-old product nearing end-of-life, and was the target of a sophisticated cyberattack. All FTA customers were promptly notified of the attack on December 23, 2020. At this time, Accellion claims to have patched all known FTA vulnerabilities exploited by the attackers and had added new monitoring and alerting capabilities to flag anomalies associated with those attack vectors.
The US firm said that fewer than 50 customers were affected.
Singtel said it applied an FTA patch from Accellion on December 24 and another one on December 27. On January 23, Accellion noted the December 27 patch was ineffective against a new vulnerability, and Singtel took the product offline.
Accellion put out another patch on January 30, but Singtel said it received an “anomaly alert” when applying it. The vendor said Singtel’s system could have been breached and the telco confirmed this occurred on January 20. “Given the complexity of the investigations, it was only confirmed on February 9 that files were taken,” Singtel added.
The telco said the breach was an isolated incident involving the third-party system, and its core operations remained “unaffected and sound”. The FTA system is used to share information internally within Singtel and externally to other stakeholders.
The telco has suspended use of FTA and is investigating the issue with cybersecurity experts and the authorities, including the Cyber Security Agency of Singapore (CSA).
CSA said it had not received reports from other Singapore organisations on the FTA incident.
The Personal Data Protection Commission said it is investigating the incident.