Vendor Partner Responsible for Fullerton Health Data Breach4th Major Singapore Data Breach This Year Due to Third-Party Vendors
Singapore-based healthcare firm Fullerton Health has confirmed that a security breach incident at Agape Connecting People - a vendor that helps the company manage patient appointments and bookings - resulted in the data leak of its customers' personal information.
See Also: Case Study: The Road to Zero Trust
The healthcare major says that its own IT systems and databases have not been affected by the breach.
Local newspaper The Straits Times revealed that 400,000 customer records were put up for sale on a hacking forum for an amount equaling $600 in Bitcoin.
The leaked data includes customers' names, identity numbers, bank account information, employment details and medical history, according to the newspaper, which also said Fullerton Health maintains that no credit card information or passwords were exposed. The Strait Times notes that the hackers who put the data up for sale said it included information on insurance policies of Singapore citizens.
According to the company’s statement, Fullerton Health was informed of unauthorized access to Agape's servers on Oct. 21, after which the company's IT department conducted intensive investigations and found that an unauthorized person had accessed Agape's server. Fullerton then warned the vendor, saying a batch of working files containing customers' personal data could potentially be exposed, the statement says.
The statement says the healthcare firm then filed a police report and notified Singapore's Personal Data Protection Commission. The company says it has engaged a team of leading digital forensic and cybersecurity experts to conduct investigations and is conducting a thorough review of its processes and protocols relating to data security and the use of third-party service providers.
Agape Connecting People says it is in the process of confirming whether any clients other than Fullerton Health have been affected by the security incident. The company states that it has taken steps to address the issue to prevent further compromise of data and is working with security experts to enhance cybersecurity.
Fourth Major Data Leak
Fullerton Health is the fourth Singapore firm to suffer a major data leak due to a third-party security breach in 2021.
In February this year, Singapore telecom service provider Singtel suffered a data breach that resulted in the leak of personal information for 129,000 customers. In its statement, Singtel disclosed that a sophisticated attack on its third-party file-sharing vendor Accellion FTA was the cause of the data breach.
In March, personal data belonging to 580,000 Singapore Airlines customers was compromised due to a targeted attack on SITA - an air transport communications and IT service provider.
On Aug. 29, an unauthorized data access incident exposed the personal data of 79,388 MyRepublic customers. The Singapore-based communications firm said that a third-party platform that stored MyRepublic customer data, including identity verification documents, was breached by hackers.
Recommendations to Reducing Risk
Rubaiyyaat Aakbar, head of IT and cybersecurity at a Singapore healthcare firm, tells Information Security Media Group that while root cause analysis of every data breach incident will vary, in general, the testing of controls in third-party services is not robust compared to in-house technology risk management. Another practice that increases third-party risk, he says, is that most companies depend on external audit reports to verify what controls are implemented by third-party vendors.
"If the third-party infrastructure does not include automated threat monitoring or access control and if vendors or subcontractors are not enforced to have the same level of security as the organization does, it may leave some weak access points," he says.
Aakbar says third-party service providers should conduct additional audits for subcontractors, properly define shared access control and review access controls more often to ensure obsolete accounts do not remain active. "CISOs should also extend security threat or log monitoring to include third-party infrastructure and all connected systems that have access to sensitive data," he says.
Mark Fuentes, director of cyber operations and strategic services at Singapore-based security firm Horangi Cyber Security, tells ISMG that the recent data breaches involving third-party entities stem from organizations failing to focus on foundational cybersecurity controls, such as documentation of third parties and supply chain.
"When they do implement some of these controls, many don't keep them up to date. This, in addition to ineffective security controls and documentation, makes third-party risk a huge blind spot for organizations," he says.
Fuentes recommends that CISOs maintain risk registers and track third parties, saying that while it can be a tedious exercise, it is worth the time and effort. "These are fundamental controls for operating a successful security program and should never be overlooked," he says.
Fuentes suggests that while many companies are using advanced security capabilities, none of that matters if organizations cannot do the basics well. "Cybersecurity basics are cheap to maintain and expensive when you don't," he says.