About 62,000 e-mails from the public, businesses and customers of local security firm Certis, some containing NRIC and credit card numbers, may have been accessed by cyber criminals, the company said yesterday.
Those affected include customers of Certis’ safe deposit box service. All the e-mails came from a customer service account that belongs to the company – [email protected]
The Personal Data Protection Commission said it is investigating the matter.
The incident is the second reported recent data breach in a week. On Monday, it was reported that the personal data of about 30,000 people who used the services of the National Trades Union Congress’ Employment and Employability Institute may have been exposed to hackers.
Certis said yesterday that it has begun scanning all the e-mails to check for personal data that could have been exposed to crooks. Of the ones already scanned so far, some contain information such as NRIC and credit card numbers.
The firm said it was alerted to the incident after several people received phishing e-mails from what appeared to be an e-mail account from Certis. The e-mails were sent between March 16 and 17.
Certis’ IT team concluded that the incident was an isolated one.
“The phishing e-mails did not originate from our customer service e-mail account on the Microsoft Office 365 cloud, and no customer database had been compromised,” the company said.
Microsoft Office 365 is a suite of subscription-based online productivity tools for e-mails, among other things.
But investigations later found that there was unauthorised access to the Certis e-mail account.
“Our IT team took urgent steps to strengthen our authentication processes and scanned affected computers. No further unauthorised access has been detected,” said the company.
The steps include increasing the frequency of password changes and putting in place two-factor authentication.
Investigations found that the e-mails could be part of a wider phishing attack on Microsoft Office 365 e-mail accounts.
Certis is working with cyber-security firms to implement more measures to prevent a similar incident from happening again, and will reinforce cyber-security training for employees.
Certis workers must complete cyber-security training annually, such as a module on how to identify phishing e-mails.
The company made the incident public only now because the complexity of the investigations meant “it has taken time to investigate the nature of the incident and assess the impact on affected individuals”, it said.
As a precaution, Certis is progressively alerting affected individuals who could be at risk.
It has also engaged an identity theft monitoring provider to help alert those affected when any potential misuse of their personal data is detected. This service is provided for a year to them free.
Certis assured its safe deposit box customers that security systems and checks are in place to prevent any unauthorised access to the boxes.
For instance, photo ID verification and dual-key access is required for access to the boxes.
As for the [email protected] e-mail account, Certis said that it is safe to send or receive e-mails from this account, following the steps it has taken.
Apologising for the incident, Mr Ronald Poon, Certis’ chief executive for Singapore, said: “Our e-mail system will undergo further reviews to mitigate vulnerabilities and enhance the protection of our data, and that of our customers… Our operations remain secure and unaffected.”
Dr Stas Protassov, co-founder of cyber-security firm Acronis, said affected people should beware of suspicious e-mails, like those claiming to be from Certis.
“As some credit card details might have been stolen, (people) should also monitor transaction logs carefully in the next few weeks,” he added.
Those with queries and need support can contact Certis at [email protected] or call the company on 6747-2888.
Join ST’s Telegram channel here and get the latest breaking news delivered to you.
Source: Read Full Article