Customers of Singapore healthcare provider Fullerton Health were recently affected by a ransomware attack after a vendor of the private healthcare group suffered a breach that led to the data of at least 400,000 people – including the insurance policy details of Singaporeans – being stolen and put up for sale.
The data was listed on hacking forums last month for US$600 in Bitcoin – but posts on the data sale have since been taken down.
The unidentified hackers uploaded a sample of the data which included customer names, identity card numbers, information on bank accounts, employers, and medical history, and even the personal details of the customers’ children. A sample document shared by the hackers bore the letterheads of Fullerton Health and Singapore Airlines.
Breach was through engaged vendor
The breach was on a server used by Agape Connecting People, a vendor engaged by Fullerton Health to handle their customer bookings, and was discovered by the healthcare service provider shortly before informing Agape.
Both parties have made police reports and the Personal Data Protection Commission in Singapore has been informed with investigations still ongoing.
In response to queries from the media, Fullerton Health had confirmed that its own networks were not compromised and that they are still trying to establish the exact number and identities of those affected.
Commenting on the attack, Steve Turner, analyst at Forrester said that organisations throughout the globe should be increasing the reviews of companies that they contract with to store their customer’s data.
“That review needs to include what types of controls they have implemented to help detect, prevent, and quickly respond to ransomware and other types of attacks where a main motivating factor is exfiltrating data,” said Turner.
“At the end of the day, while the third party that was contracted can be held responsible, it’s the organisation that contracted with them in the first place that will suffer the wrath of upset customers and have their reputation tarnished.”
“You must assume the threat actors will get in, because they eventually will, and stop them quickly and pushing them out of networks becomes essential to keep your customers and partners safe,” said Eric Nagel, General Manager APAC at Cybereason.
“Also, this data breach is a reminder that as consumers our personal information has been stolen many times over and sold on the DarkWeb. It appears that personal banking information, medical records and identity card numbers were stolen and only in time will consumers know if their personal information was used in an identity theft scam or fraud was committed.”