Supplier partner responsible for Fullerton Health’s data breach


Third party risk management, breach notification, governance and risk management

4th major data breach in Singapore this year due to third-party vendors

Soumik Gosh • 28 October 2021

Singapore-based healthcare company Fullerton Health has confirmed that a security breach at Agape Connecting People – a provider that helps the company manage patient appointments and reservations – resulted in the leak of its customers’ personal information.


The healthcare company says its own computer systems and databases have not been affected by the breach.

Local newspaper The Straits Times revealed that 400,000 customer records were listed for sale on a hacking forum for the equivalent of $600 in Bitcoin.

The leaked data includes client names, identity numbers, bank account information, employment details and medical history, according to the newspaper, which also said Fullerton Health maintains that no credit card information or passwords have been disclosed. The Straits Times notes that the hackers who put the data up for sale said it included information about Singapore citizens’ insurance policies.

According to the company statement, Fullerton Health was made aware of unauthorized access to Agape’s servers on October 21, after which the company’s IT department conducted a thorough investigation and discovered that an unauthorized person had accessed Agape’s server. Fullerton then warned the vendor, saying a batch of work files containing customers’ personal data could potentially be exposed, the statement said.

The statement said the healthcare company then filed a police report and notified the Singapore Personal Data Protection Commission. The company claims to have engaged a leading team of digital forensics and cybersecurity experts to investigate and to conduct a thorough review of its processes and protocols related to data security and the use of third-party service providers.

Agape Connecting People says it is in the process of confirming whether any customers other than Fullerton Health were affected by the security incident. The company says it has taken steps to address the issue to prevent further data compromise and is working with security experts to improve cybersecurity.

Fourth major data breach

Fullerton Health is the fourth Singaporean company to experience a major data breach due to a third-party security breach in 2021.

In February this year, Singapore-based telecommunications service provider Singtel suffered a data breach which resulted in the leak of personal information for 129,000 customers. In its statement, Singtel revealed that a sophisticated attack on its third-party file-sharing provider Accellion FTA was the cause of the data breach.

In March, personal data belonging to 580,000 Singapore Airlines customers was compromised due to a targeted attack on SITA – an air transport IT and communications service provider.

On August 29, an unauthorized data access incident revealed personal data of 79,388 MyRepublic customers. The Singapore-based communications company said a third-party platform that stores MyRepublic’s customer data, including identity verification documents, was breached by hackers.

Recommendations to reduce the risks

Rubaiyyaat Aakbar, IT and cybersecurity manager at a Singapore healthcare company, told Information Security Media Group that while the root cause analysis of each data breach incident will vary, in general, the testing of controls in third-party services is not robust compared with in-house technology risk management. Another practice that increases third-party risk, he says, is that most companies depend on external audit reports to verify what controls are implemented by third-party vendors.

“If the third-party infrastructure does not include automated threat monitoring or access control and if vendors or contractors are not required to have the same level of security as the organization, it can leave weak access points,” he says.

Aakbar says third-party service providers should perform additional audits for contractors, properly set shared access control, and review access controls more often to ensure obsolete accounts do not remain active. “CISOs should also extend monitoring of security threats or logs to include third-party infrastructure and any connected systems that have access to sensitive data,” he says.

Mark Fuentes, director of cyber operations and strategic services at Singapore-based security firm Horangi Cyber Security, told ISMG that recent data breaches involving third-party entities came from organizations that were not focused on fundamental cybersecurity controls, such as third-party documentation and supply chain.

“When they implement some of these controls, many don’t keep them up to date. This, in addition to ineffective security controls and documentation, makes third-party risk a huge blind spot for organizations,” he says.

Fuentes recommends that CISOs keep risk registers and track third parties, saying that while it can be a tedious exercise, it is worth it. “These are fundamental controls for the implementation of an effective safety program and should never be overlooked,” he says.

Fuentes suggests that while many businesses use advanced security capabilities, none of this matters if organizations can’t do the basics well. “The basics of cybersecurity are cheap to maintain and expensive when you don’t,” he says.

